# Autre ## Mots de passe par défaut

https://github.com/ihebski/DefaultCreds-cheat-sheet
https://www.routerpasswords.com/
https://cirt.net/passwords
https://default-password.info/
http://defaultpassword.us/
http://www.passwordsdatabase.com/
http://open-sez.me/
https://www.cleancss.com/router-default/
https://many-passwords.github.io/
#SCADA default passwords
https://www.hackers-arise.com/post/2016/09/21/Scada-Hacking-Default-Passwords-for-Nearly-Every-SCADA-System

### Cheat-sheet ### Apache Tomcat ``` admin : admin ADMIN : ADMIN admin : j5Brn9 admin : None admin : tomcat cxsdk : kdsxc j2deployer : j2deployer ovwebusr : OvW*busr1 QCC : QLogic66 role : changethis role1 : role1 role1 : tomcat root : root tomcat : changethis tomcat : s3cret tomcat : tomcat xampp : xampp ``` ## CSS Keylogger ```css ``` ## Burp Extensions * Active Scan++ * AutoRepeater * HTTP Request Smuggler * Backslash Powered Scanner * Collaborator Everywhere * Log4shell everywhere * JSON Beautifier * Sitemap Extractor * Param-miner * JSON WEB Tokens * Java Deserialization Scanner * Web Cache Deception Scanner * Autorize * BurpJSLinkFinder * JS Miner * BurpBounty * domain\_hunter * Turbo Intruder * Server-side prototype pollution scanner * Upload Scanner * IP rotate * HUNT scanner * Software Vulneribility scanner * IIS Tilde * Graphquail * Content Type Converter * NoWAFpls * APIKit (de API-Security) * Distribute Damage * Auth Analyzer ### Regex pour AutoRepeater #### URL ``` https?://(www.)?[-a-zA-Z0–9@:%.+~#=]{1,256}.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%+.~#?&//=]*) ``` ### Regex pour filtrage des requêtes interessantes dans burp history ``` (?i)([a-z0-9]+){0,}((_|-){0,}(\\s){0,})(key|pass|credentials|auth|cred|creds|secret|password|access|token|api)(\\s){0,}(=|:|is|>){1,} ``` ## Information disclosure information disclosure à partir d'une manipulation d'en-tête: ``` Accept: application/json, text/javascript, */*, p=0.01 ```