0x22bb/hacktricks
1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00
Code Releases Activity

Update README.md

Browse source
This commit is contained in:
Carlos Polop 2021-10-20 10:31:07 +01:00 committed by GitHub
parent beeac837b5
commit 02f967777d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pentesting/pentesting-web/README.md
View file

@ -268,7 +268,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
* If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), [**zile**](https://github.com/xyele/zile.git)**,** [truffleHog](https://github.com/trufflesecurity/truffleHog), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex\)/)
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), [**zile**](https://github.com/xyele/zile.git)**,** [truffleHog](https://github.com/trufflesecurity/truffleHog), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex\)/), [DumpsterDive](https://github.com/securing/DumpsterDiver), [EarlyBird](https://github.com/americanexpress/earlybird)
* Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access.
* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).