Update Documentation.
This commit is contained in:
Ciaran
parent
1529ec1095
commit
0430dec54f
28
README.md
28
README.md
|
|
@ -4,6 +4,18 @@ Wordlists I use for recon and content discovery on programs from hackerone and b
|
||||||
|
|
||||||
# How I use these lists?
|
# How I use these lists?
|
||||||
|
|
||||||
|
## android.txt
|
||||||
|
|
||||||
|
This is just the command I use to launch an android VM to use with MobileSecurityFramework as Geny motion is having issues with the GPU drivers I have on Linux.
|
||||||
|
|
||||||
|
## breakpoints.txt
|
||||||
|
|
||||||
|
These are commands that can be run the dev tools console of Chromium based browsers.
|
||||||
|
|
||||||
|
## burp-plugins.txt
|
||||||
|
|
||||||
|
These are some of the plugins for Burp I have installed but does not mean I have turned on at all times. I try not to rely on plugins too much as they distract you from looking at the core application.
|
||||||
|
|
||||||
## http.txt
|
## http.txt
|
||||||
|
|
||||||
I use this as my initial discovery list.
|
I use this as my initial discovery list.
|
||||||
|
|
@ -23,3 +35,19 @@ I generally use this if I find some sort of API/RPC type endpoint like /api to d
|
||||||
I use this this after discovery API objects to try map out what actions are supported.
|
I use this this after discovery API objects to try map out what actions are supported.
|
||||||
|
|
||||||
For example say you found /api, then you found /api/account and then you run this wordlist and you find /api/account/auth
|
For example say you found /api, then you found /api/account and then you run this wordlist and you find /api/account/auth
|
||||||
|
|
||||||
|
## regex.txt
|
||||||
|
|
||||||
|
You can use these in the burp suite search function, Logger++ or Highlight and Extract plugin.
|
||||||
|
|
||||||
|
## xss.txt
|
||||||
|
|
||||||
|
This is just a basic taint query I use to then trace through the application so I can easily search for "taint" and then see where it is located and which characters are escaped.
|
||||||
|
|
||||||
|
## secrets.txt
|
||||||
|
|
||||||
|
These were triggering WAFs too frequently so I split them out into their own file. Generally you are likely better off using Burps built in interesting files but this wordlist is nice and small.
|
||||||
|
|
||||||
|
## *.vmoptions files
|
||||||
|
|
||||||
|
These tune the JVM for the JRE that ships with BurpSuite. I have modified the garbage collection algorithm to use a more efficient algorithm and I have applied several graphics related tweaks.
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,7 @@
|
||||||
Turbo Intruder
|
Turbo Intruder
|
||||||
HTTP Request Smuggler
|
HTTP Request Smuggler
|
||||||
Collaborator Everywhere
|
|
||||||
JWT Editor
|
JWT Editor
|
||||||
Param Miner
|
Param Miner
|
||||||
UUID Detector
|
UUID Detector
|
||||||
JS Miner
|
JS Miner
|
||||||
CSRF Scanner
|
OAUTH Scan
|
||||||
OAUTH Scan
|
|
||||||
InQL
|
|
||||||
Loading…
Reference in New Issue