Hey everyone, I hope you all are doing great. Nowadays, every other college or school student wants to be a hacker. Due to media hype, the term hacker is considered both cool and criminal at the same time. Now, since this note is basically about my journey into hacking, I receive many emails on how to become a hacker. “I’m a beginner in hacking, how should I start?” or “I want to be able to hack my friend’s Facebook account” are some of the more frequent queries. In this article I will attempt to answer these and more. I will give detailed technical instructions on how to get started as a beginner and how to evolve as you gain more knowledge and expertise in the domain. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend’s Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems.
Introduction!
Where It All Began!?



- Using site:.in index.php?id=1 ‘
- Going to a mirror website like Zone-h, taking a website from there and scanning it, then finding the existing shell or finding the vulnerability in it and exploiting it



I’ve had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have. -MakMan
Changing The Color of my HAT!















From time to time I was receiving bounties and I was happy with it. I made an account on Hackerone.com and started to hunt there as well, and got some good bounties from there too….

LEARN ETHICAL HACKING
“Being a hacker is lots of fun, but it’s a kind of fun that takes lots of effort. The effort takes motivation.”

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won’t make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won’t let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you’ll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.
Resources!

BOOKS:


BLOGS!
- https://blog.it-securityguard.com/
- https://blog.innerht.ml/
- http://brutelogic.com.br/blog/
- https://klikki.fi/
- http://philippeharewood.com/
- https://seanmelia.wordpress.com/
- https://respectxss.blogspot.com/
- https://www.gracefulsecurity.com/
- https://whitton.io/
- https://tisiphone.net/
- http://archive.nahamsec.com/
- https://www.hackerscreed.org/
- http://danlec.com/blog
- https://wehackpeople.tumblr.com/
- https://bitquark.co.uk/blog/
- https://www.arneswinnen.net/
- http://bugbountypoc.com/
- https://medium.com/@arbazhussain/
- http://www.shawarkhan.com/
- https://blog.detectify.com/
- http://www.rafayhackingarticles.net/…
- https://forum.bugcrowd.com/
- https://securitywall.co/
- https://www.hackerone.com/blog
- http://www.securitytube.net/
- https://hackasia.org/
- http://www.gangte.net/
- https://mukarramkhalid.com/
- https://securitytraning.com/
- https://jubaeralnaziwhitehat.wordpress.com/…
- http://hackaday.com/
- http://www.securityfocus.com/
- https://packetstormsecurity.com/
- http://www.blackhat.com/
- https://www.metasploit.com/
- http://sectools.org/
- https://labs.detectify.com/
- https://blog.rubidus.com/
- http://www.securityidiots.com/
- https://hackernoon.com/
- https://sqli-basic.blogspot.com/
- https://bugbaba.blogspot.in/
- https://vulnerability-lab.com/
- https://medium.com/@know.0nix/
- https://medium.com/@codingkarma/

YouTube Channels!

Also You should Consider practicing Your Skills on
HackerOne Public Reports!
Bug Bounty Reference
A list of bug bounty write-ups categorized by the nature of the bug, written by ngalongc. This is inspired by https://github.com/djadmin/awesome-bug-bounty
My intention is to make a full and complete list of common vulnerabilities from publicly disclosed bug bounty write-ups, and let bug bounty hunters use this page as a reference when they want to gain some insight into a particular kind of vulnerability during bug hunting. Feel free to submit a pull request. Okay, enough chit-chat, let’s get started.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cross-Site Scripting (XSS)
- Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach
- RPO that lead to information leakage in Google by filedescriptor
- God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
- Three Stored XSS in Facebook by Nirgoldshlager
- Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen
- An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
- He is able to make stored XSS from an irrelevant domain to the main Facebook domain
- Stored XSS in *.ebay.com by Jack Whitton
- Complicated, Best Report of Google XSS by Ramzes
- Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek
- Command Injection in Google Console by Venkat S
- Facebook’s Moves – OAuth XSS by PAULOS YIBELO
- Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos
- Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
- Yahoo Mail stored XSS by Klikki Oy
- Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa
- Youtube XSS by fransrosen
- Best Google XSS again – by Krzysztof Kotowicz
- IE & Edge URL parsing Problem – by detectify
- Google XSS subdomain Clickjacking
- Microsoft XSS and Twitter XSS
- Google Japan Book XSS
- Flash XSS mega nz – by frans
- Flash XSS in multiple libraries – by Olivier Beg
- xss in google IE, Host Header Reflection
- Years ago Google xss
- xss in google by IE weird behavior
- xss in Yahoo Fantasy Sport
- xss in Yahoo Mail Again, worth $10000 by Klikki Oy
- Sleeping XSS in Google by securityguard
- Decoding a .htpasswd to earn a payload of money by securityguard
- Google Account Takeover
- AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy
- Uber Self XSS to Global XSS
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities by Brett
- XSSI, Client Side Brute Force
- postMessage XSS Bypass
- XSS in Uber via Cookie by zhchbin
- Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans
- XSS due to improper regex in third party js Uber 7k XSS
- XSS in TinyMCE 2.4.0 by Jelmer de Hen
- Pass uncoded URL in IE11 to cause XSS
- Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
Brute Force
- Web Authentication Endpoint Credentials Brute-Force Vulnerability by Arne Swinnen
- InstaBrute: Two Ways to Brute-force Instagram Account Credentials by Arne Swinnen
- How I Could Compromise 4% (Locked) Instagram Accounts by Arne Swinnen
- Possibility to brute force invite codes in riders.uber.com by r0t
- Brute-Forcing invite codes in partners.uber.com by Efkan Gökbaş (mefkan)
- How I could have hacked all Facebook accounts by Anand Prakash
- Facebook Account Take Over by using SMS verification code, not accessible by now, may get update from author later by Arun Sureshkumar
SQL Injection
- SQL injection in WordPress Plugin Huge IT Video Gallery in Uber by glc
- SQL Injection on sctrack.email.uber.com.cn by Orange Tsai
- Yahoo – Root Access SQL Injection – tw.yahoo.com by Brett Buerhaus
- Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
- GitHub Enterprise SQL Injection by Orange
Stealing Access Token
- Facebook Access Token Stolen by Jack Whitton
- Obtaining Login Tokens for an Outlook, Office or Azure Account by Jack Whitton
- Bypassing Digits web authentication’s host validation with HPP by filedescriptor
- Bypass of redirect_uri validation with /../ in GitHub by Egor Homakov
- Bypassing callback_url validation on Digits by filedescriptor
- Stealing livechat token and using it to chat as the user – user information disclosure by Mahmoud G. (zombiehelp54)
- Change any Uber user’s password through /rt/users/passwordless-signup – Account Takeover (critical) by mongo (mongo)
- Internet Explorer has a URL problem, on GitHub by filedescriptor.
- How I made LastPass give me all your passwords by labsdetectify
- Steal Google Oauth in Microsoft
- Steal FB Access Token
- Paypal Access Token Leaked
- Steal FB Access Token
- Appengine Cool Bug
- Slack post message real life experience
- Bypass redirect_uri by nbsriharsha
- Stealing Facebook Messenger nonce worth 15k
Google oauth bypass
CSRF
- Messenger.com CSRF that show you the steps when you check for CSRF by Jack Whitton
- Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) by Florian Courtial
- Hacking PayPal Accounts with one click (Patched) by Yasser Ali
- Add tweet to collection CSRF by vijay kumar
- Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun by phwd
- How i Hacked your Beats account ? Apple Bug Bounty by @aaditya_purani
Remote Code Execution
- JDWP Remote Code Execution in PayPal by Milan A Solanki
- XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook’s servers by Reginaldo Silva
- How I Hacked Facebook, and Found Someone’s Backdoor Script by Orange Tsai
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! by Orange Tsai
- uber.com may RCE by Flask Jinja2 Template Injection by Orange Tsai
- Yahoo Bug Bounty – *.login.yahoo.com Remote Code Execution by Orange Tsai (Sorry its in Chinese Only)
- How we broke PHP, hacked Pornhub and earned $20,000 by Ruslan Habalov
- Alert, God-like Write-up, make sure you know what is ROP before clicking, which I don’t =(
- RCE deal to tricky file upload by secgeek
- WordPress SOME bug in plupload.flash.swf leading to RCE in Automatic by Cure53 (cure53)
- Read-Only user can execute arbitraty shell commands on AirOS by 93c08539 (93c08539)
- Remote Code Execution by impage upload! by Raz0r (ru_raz0r)
- Popping a shell on the Oculus developer portal by Bitquark
- Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit – 10,000$ by 5haked
- PayPal Node.js code injection (RCE) by Michael Stepankin
- eBay PHP Parameter Injection lead to RCE
- Yahoo Acqusition RCE
- Command Injection Vulnerability in Hostinger by @alberto__segura
- RCE in Airbnb by Ruby Injection by buerRCE
- RCE in Imgur by Command Line
- RCE in git.imgur.com by abusing out dated software by Orange Tsai
- RCE in Disclosure
- Remote Code Execution by struct2 Yahoo Server
- Command Injection in Yahoo Acquisition
- Paypal RCE
- $50k RCE in JetBrains IDE
- $20k RCE in Jenkin Instance by @nahamsec
Deserialization
- Java Deserialization in manager.paypal.com by Michael Stepankin
- Instagram’s Million Dollar Bug by Wesley Wineberg
- Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
- Java deserialization by meals
Image Tragick
- Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) by NaHamSec
- Exploting ImageMagick to get RCE on HackerOne by c666a323be94d57
- Trello bug bounty: Access server’s files using ImageTragick by Florian Courtial
- 40k fb rce
- Yahoo Bleed 1
- Yahoo Bleed 2
Insecure Direct Object Reference (IDOR)
- Trello bug bounty: The websocket receives data when a public company creates a team visible board by Florian Courtial
- Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility by Florian Courtial
- Change any user’s password in Uber by mongo
- Vulnerability in Youtube allowed moving comments from any video to another by secgeek
- It’s Google Vulnerability, so it’s worth reading, as generally it is more difficult to find Google vulnerability
- Twitter Vulnerability Could Credit Cards from Any Twitter Account by secgeek
- One Vulnerability allowed deleting comments of any user in all Yahoo sites by secgeek
- Microsoft-careers.com Remote Password Reset by Yaaser Ali
- How I could change your eBay password by Yaaser Ali
- Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication by Duo Labs
- Hacking Facebook.com/thanks Posting on behalf of your friends! by Anand Prakash
- How I got access to millions of [redacted] accounts
- All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)
- Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)
- Downloading password protected / restricted videos on Vimeo by Gazza (gazza)
- Get organization info base on uuid in Uber by Severus (severus)
- How I Exposed your Primary Facebook Email Address (Bug worth $4500) by Roy Castillo
- DOB disclosed using “Facebook Graph API Reverse Engineering” by Raja Sekar Durairaj
- Change the description of a video without publish_actions permission in Facebook by phwd
- Response To Request Injection (RTRI) by ?, be honest, thanks to this article, I have found quite a few bugs because of using his method, respect to the author!
- Leak of all project names and all user names , even across applications on Harvest by Edgar Boda-Majer (eboda)
- Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)
- View private tweet
- Uber Enum UUID
- Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani
- Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani
- Delete FB Video
- Delete FB Video
- Facebook Page Takeover by Manipulating the Parameter by arunsureshkumar
- Viewing private Airbnb Messages
- IDOR tweet as any user by kedrisec
- Classic IDOR endpoints in Twitter
- Mass Assignment, Response to Request Injection, Admin Escalation by sean
XXE
- How we got read access on Google’s production servers by detectify
- Blind OOB XXE At UBER 26+ Domains Hacked by Raghav Bisht
- XXE through SAML
- XXE in Uber to read local files
- XXE by SVG in community.lithium.com
Unrestricted File Upload
- File Upload XSS in image uploading of App in mopub by vijay kumar
- RCE deal to tricky file upload by secgeek
- File Upload XSS in image uploading of App in mopub in Twitter by vijay kumar (vijay_kumar1110)
Server Side Request Forgery (SSRF)
- ESEA Server-Side Request Forgery and Querying AWS Meta Data by Brett Buerhaus
- SSRF to pivot internal network
- SSRF to LFI
- SSRF to query google internal server
- SSRF by using third party Open redirect by Brett BUERHAUS
- SSRF tips from BugBountyHQ of Images
- SSRF to RCE
- XXE at Twitter
- Blog post: Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface
Race Condition
- Race conditions on Facebook, DigitalOcean and others (fixed) by Josip Franjković
- Race Conditions in Popular reports feature in HackerOne by Fábio Pires (shmoo)
Business Logic Flaw
- Facebook simple technical hack to see the timeline by Ashish Padelkar
- How I Could Steal Money from Instagram, Google and Microsoft by Arne Swinnen
- How I could have removed all your Facebook notes
- Facebook – bypass ads account’s roles vulnerability 2015 by POUYA DARABI
- Uber Ride for Free by anand praka
- Uber Eat for Free by
Authentication Bypass
- OneLogin authentication bypass on WordPress sites via XMLRPC in Uber by Jouko Pynnönen (jouko)
- 2FA PayPal Bypass by henryhoggard
- SAML Bug in Github worth 15000
- Authentication bypass on Airbnb via OAuth tokens theft
- Uber Login CSRF + Open Redirect -> Account Takeover at Uber
- Administrative Panel Access (http://c0rni3sm.blogspot.hk/2017/08/accidentally-typo-to-bypass.html?m=1) by c0rni3sm
- Uber Bug Bounty: Gaining Access To An Internal Chat System by mishre
HTTP Header Injection
- Twitter Overflow Trilogy in Twitter by filedescriptor
- Twitter CRLF by filedescriptor
- Adblock Plus and (a little) more in Google
- $10k host header by Ezequiel Pereira
Subdomain Takeover
- Hijacking tons of Instapage expired users Domains & Subdomains by geekboy
- Reading Emails in Uber Subdomains
- Slack Bug Journey – by David Vieira-Kurz
- Subdomain takeover and chain it to perform authentication bypass by Arne Swinnen
Author Write Up
- Payment Flaw in Yahoo
- Bypassing Google Email Domain Check to Deliver Spam Email on Google’s Behalf
- When Server Side Request Forgery combine with Cross Site Scripting
XSSI
- Plain Text Reading by XSSI
- JSON hijacking
- OWASP XSSI
- Japan Identifier based XSSI attacks
- JSON Hijack Slide
Email Related
- This domain is my domain – G Suite A record vulnerability
- I got emails – G Suite Vulnerability
- How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]
- Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]
- Slack Yammer Takeover by using TicketTrick by Inti De Ceukelaire
- How I could have mass uploaded from every Flickr account!
Money Stealing
2017 Local File Inclusion
- Disclosure Local File Inclusion by Symlink
- Facebook Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion Part II
- Multiple Company LFI
- LFI by video conversion, excited about this trick!
Miscellaneous
- SAML Pen Test Good Paper
- A list of FB writeup collected by phwd by phwd
- NoSQL Injection by websecurify
- CORS in action
- CORS in Fb messenger
- Web App Methodologies
- XXE Cheatsheet
- The road to hell is paved with SAML Assertions, Microsoft Vulnerability
- Study this if you like to learn Mongo SQL Injection by cirw
- Mongo DB Injection again by websecrify
- w3af speech about modern vulnerability by w3af
- Web cache attack that lead to account takeover
- A talk to teach you how to use SAML Raider
- XSS Checklist when you have no idea how to exploit the bug
- CTF write up, Great for Bug Bounty
- It turns out every site uses jquery mobile with Open Redirect is vulnerable to XSS by sirdarckcat
- Bypass CSP by using google-analytics
- Payment Issue with Paypal
- Browser Exploitation in Chinese
- XSS bypass filter
- Markup Impropose Sanitization
- Breaking XSS mitigations via Script Gadget
- X41 Browser Security White Paper
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[+] Sql Injection Attack
[+] Hibernate Query Language Injection
[+] Direct OS Code Injection
[+] XML Entity Injection
[+] Broken Authentication and Session Management
[+] Cross-Site Scripting (XSS)
[+] Insecure Direct Object References
[+] Missing Function Level Access Control
[+] Cross-Site Request Forgery (CSRF)
[+] Using Components with Known Vulnerabilities
[+] Unvalidated Redirects and Forwards
[+] ClickJacking Attacks
[+] DNS Cache Poisoning
[+] Symlinking – An Insider Attack
[+] Remote Code Execution Attacks
[+] Remote File inclusion
[+] Local file inclusion
[+] EverCookie
[+] Denial of Service Attack
[+] Cookie Eviction
[+] PHPwn
[+] NAT Pinning
[+] XSHM
[+] MitM DNS Rebinding SSL/TLS Wildcards and
[+] Quick Proxy Detection
[+] Improving HTTPS Side Channel Attacks
[+] Side Channel Attacks in SSL
[+] Turning XSS into Clickjacking
[+] Bypassing CSRF protections with ClickJacking and
[+] HTTP Parameter Pollution
[+] URL Hijacking
[+] Stroke Jacking
[+] Fooling B64_Encode(Payload) on WAFs And
[+] MySQL Stacked Queries with SQL Injection.
[+] Posting Raw XML cross-domain
[+] Generic Cross-Browser Cross-Domain theft
[+] Attacking HTTPS with Cache Injection
[+] Tap Jacking
[+] XSS – Track
[+] Next Generation Click Jacking
[+] XSSing Client-Side Dynamic HTML.
[+] Stroke triggered XSS and Stroke Jacking
[+] Lost iN Translation
[+] Persistent Cross Interface Attacks
[+] Chronofeit Phishing
[+] SQLi Filter Evasion Cheat Sheet (MySQL)
[+] Tabnabbing
[+] UI Redressing
[+] Cookie Poisoning
[+] SSRF
[+] Bruteforce of PHPSESSID
[+] Blended Threats and JavaScript
[+] Cross-Site Port Attacks
[+] CAPTCHA Re-Riding Attack
*Web Application Attacks List :*
[+] Arbitrary file access
[+] Binary planting
[+] Blind SQL Injection
[+] Blind XPath Injection
[+] Brute force attack
[+] Buffer overflow attack
[+] Cache Poisoning
[+] Cash Overflow
[+] Clickjacking
[+] Command injection attacks
[+] Comment Injection Attack
[+] Content Security Policy
[+] Content Spoofing
[+] Credential stuffing
[+] Cross Frame Scripting
[+] Cross Site History Manipulation (XSHM)
[+] Cross Site Tracing
[+] Cross-Site Request Forgery (CSRF)
[+] Cross Site Port Attack (XSPA)
[+] Cross-Site Scripting (XSS)
[+] Cross-User Defacement
[+] Custom Special Character Injection
[+] Denial of Service
[+] Direct Dynamic Code Evaluation (‘Eval Injection’)
[+] Execution After Redirect (EAR)
[+] Exploitation of CORS
[+] Forced browsing
[+] Form action hijacking
[+] Format string attack
[+] Full Path Disclosure
[+] Function Injection
[+] Host Header injection
[+] HTTP Response Splitting
[+] HTTP verb tampering
[+] HTML injection
[+] LDAP injection
[+] Log Injection
[+] Man-in-the-browser attack
[+] Man-in-the-middle attack
[+] Mobile code: invoking untrusted mobile code
[+] Mobile code: non-final public field
[+] Mobile code: object hijack
[+] One-Click Attack
[+] Parameter Delimiter
[+] Page takeover
[+] Path Traversal
[+] Reflected DOM Injection
[+] Regular expression Denial of Service – ReDoS
[+] Repudiation Attack
[+] Resource Injection
[+] Server-Side Includes (SSI) Injection
[+] Session fixation
[+] Session hijacking attack
[+] Session Prediction
[+] Setting Manipulation
[+] Special Element Injection
[+] SMTP injection
[+] SQL Injection
[+] SSI injection
[+] Traffic flood
[+] Web Parameter Tampering
[+] XPATH Injection
[+] XSRF or SSRF
- Targeting the Bug Bounty Program
- How do you Approach the Target ?
- Don’t Expect Anything !
- Less Knowledge about Vulnerabilities and Testing Methodologies :
- Surround yourself with Bug Bounty Community to keep yourself Updated.
- AUTOMATION
- GET BOUNTY or GET EXPERIENCE:
- FIND THE “BUG” or FIND A “BUG’S CHAIN”:
- FOLLOW MASTER’S PATH:
- RELAX & ENJOY LIFE:
Tools to Focus and Learn about their Uses!
- dnscan: https://github.com/rbsec/dnscan
- Knockpy: https://github.com/guelfoweb/knock
- Sublist3r: https://github.com/aboul3la/Sublist3r
- massdns: https://github.com/blechschmidt/massdns
- nmap: https://nmap.org
- masscan: https://github.com/robertdavidgraham/masscan
- EyeWitness: https://github.com/ChrisTruncer/EyeWitness
- DirBuster: https://sourceforge.net/projects/dirbuster/
- dirsearch: https://github.com/maurosoria/dirsearch
- Gitrob: https://github.com/michenriksen/gitrob
- git-secrets: https://github.com/awslabs/git-secrets
- sandcastle: https://github.com/yasinS/sandcastle
- bucket_finder: https://digi.ninja/projects/bucket_finder.php
- GoogD0rker: https://github.com/ZephrFish/GoogD0rker/
- Wayback Machine: https://web.archive.org
- waybackurls: https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
- Sn1per: https://github.com/1N3/Sn1per/
- XRay: https://github.com/evilsocket/xray
- wfuzz: https://github.com/xmendez/wfuzz/
- patator: https://github.com/lanjelot/patator
- datasploit: https://github.com/DataSploit/datasploit
- hydra: https://github.com/vanhauser-thc/thc-hydra
- changeme: https://github.com/ztgrace/changeme
- MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF/
- Apktool: https://github.com/iBotPeaches/Apktool
- dex2jar: https://sourceforge.net/projects/dex2jar/
- sqlmap: http://sqlmap.org/
- oxml_xxe: https://github.com/BuffaloWill/oxml_xxe/
- XXE Injector: https://github.com/enjoiz/XXEinjector
- The JSON Web Token Toolkit: https://github.com/ticarpi/jwt_tool
- ground-control: https://github.com/jobertabma/ground-control
- ssrfDetector: https://github.com/JacobReynolds/ssrfDetector
- LFISuite: https://github.com/D35m0nd142/LFISuite
- GitTools: https://github.com/internetwache/GitTools
- dvcs-ripper: https://github.com/kost/dvcs-ripper
- tko-subs: https://github.com/anshumanbh/tko-subs
- HostileSubBruteforcer: https://github.com/nahamsec/HostileSubBruteforcer
- Race the Web: https://github.com/insp3ctre/race-the-web
- ysoserial: https://github.com/GoSecure/ysoserial
- PHPGGC: https://github.com/ambionics/phpggc
- CORStest: https://github.com/RUB-NDS/CORStest
- retire-js: https://github.com/RetireJS/retire.js
- getsploit: https://github.com/vulnersCom/getsploit
- Findsploit: https://github.com/1N3/Findsploit
- bfac: https://github.com/mazen160/bfac
- WPScan: https://wpscan.org/
- CMSMap: https://github.com/Dionach/CMSmap
Final Note!

wtf ? b***** you never told me you teach hacking -_-
Hahahahaha Bro This is Just a Guide For people to follow if they are confused 😂
Good to know more about you
Thanks