HackTricks Without Ads

Java jsf viewstate .faces deserialization

Initializing search

HackTricks Without Ads

HackTricks
1911 - Pentesting fox
6881 udp pentesting bittorrent
LICENSE
SUMMARY.md
Android Forensics
Burp suite
Emails Vulnerabilities
Interesting http
Online platforms with api
Other Web Tricks
Pentesting dns
Post exploitation
Stealing Sensitive Information Disclosure from a Web
Backdoors
Backdoors
- Icmpsh
- Salseo
Banners
Banners
- Hacktricks training
Binary exploitation
Binary exploitation
- Array Indexing
- Common Exploiting Problems
- Integer Overflow
- iOS Exploiting
- Windows Exploiting (Basic Guide - OSCP lvl)
- Arbitrary write 2 exec
  Arbitrary write 2 exec
- Basic stack binary exploitation methodology
  Basic stack binary exploitation methodology
  - Basic Binary Exploitation Methodology
  - ELF Basic Information
  - Tools
    Tools
    
    Exploiting Tools
    
    PwnTools
- Common binary protections and bypasses
  Common binary protections and bypasses
  - Common Binary Exploitation Protections & Bypasses
  - CET & Shadow Stack
  - Libc Protections
  - Memory Tagging Extension (MTE)
  - No-exec / NX
  - Relro
  - Aslr
    Aslr
    
    ASLR
    
    Ret2plt
    
    Ret2ret & Reo2pop
  - Pie
    Pie
    
    PIE
    
    BF Addresses in the Stack
  - Stack canaries
    Stack canaries
    
    Stack Canaries
    
    BF Forked & Threaded Stack Canaries
    
    Print Stack Canary
- Format strings
  Format strings
- Libc heap
  Libc heap
  - Libc Heap
  - Bins & Memory Allocations
  - Double Free
  - Fast Bin Attack
  - Heap Overflow
  - House of Einherjar
  - House of Force
  - House of Lore | Small bin Attack
  - House of Orange
  - House of Rabbit
  - House of Roman
  - House of Spirit
  - Large Bin Attack
  - Off by one overflow
  - Overwriting a freed chunk
  - Tcache Bin Attack
  - Unlink Attack
  - Unsorted Bin Attack
  - Heap memory functions
    Heap memory functions
    
    Heap Memory Functions
    
    free
    
    Heap Functions Security Checks
    
    malloc & sysmalloc
    
    unlink
  - Use after free
    Use after free
    
    Use After Free
    
    First Fit
- Rop return oriented programing
  Rop return oriented programing
  - ROP - Return Oriented Programing
  - BROP - Blind Return Oriented Programming
  - Ret2csu
  - Ret2dlresolve
  - Ret2esp / Ret2reg
  - Ret2vDSO
  - Ret2lib
    Ret2lib
    
    Ret2lib
    
    One Gadget
    
    Ret2lib + Printf leak - arm64
    
    Rop leaking libc address
    Rop leaking libc address
    
    Leaking libc address with ROP
    
    Leaking libc - template
  - Rop syscall execv
    Rop syscall execv
    
    Ret2syscall
    
    Ret2syscall - ARM64
  - Srop sigreturn oriented programming
    Srop sigreturn oriented programming
    
    SROP - Sigreturn-Oriented Programming
    
    SROP - ARM64
- Stack overflow
  Stack overflow
  - Stack Overflow
  - Pointer Redirecting
  - Stack Pivoting - EBP2Ret - EBP chaining
  - Uninitialized Variables
  - Ret2win
    Ret2win
    
    Ret2win
    
    Ret2win - arm64
  - Stack shellcode
    Stack shellcode
    
    Stack Shellcode
    
    Stack Shellcode - arm64
Blockchain
Blockchain
- Blockchain and crypto currencies
  Blockchain and crypto currencies
  - Index
Crypto and stego
Crypto and stego
- Blockchain and crypto currencies
- Certificates
- Cipher block chaining cbc mac priv
- Crypto CTFs Tricks
- Electronic code book ecb
- Esoteric languages
- Hash Length Extension Attack
- Padding Oracle
- Rc4 encrypt and decrypt
- Stego Tricks
- Cryptographic algorithms
  Cryptographic algorithms
  - Cryptographic/Compression Algorithms
  - Unpacking binaries
Cryptography
Cryptography
Exploiting
Exploiting
- Windows Exploiting (Basic Guide - OSCP lvl)
- Linux exploiting basic esp
  Linux exploiting basic esp
  - Linux Exploiting (Basic) (SPA)
  - Fusion
- Tools
  Tools
  - Exploiting Tools
  - Pwntools
Forensics
Forensics
- Basic forensic methodology
  Basic forensic methodology
  - Basic Forensic Methodology
  - Anti forensic techniques
  - Docker Forensics
  - File integrity monitoring
  - Linux Forensics
  - Malware Analysis
  - Memory dump analysis
    Memory dump analysis
    
    Memory dump analysis
  - Partitions file systems carving
    Partitions file systems carving
    
    Partitions/File Systems/Carving
    
    File/Data Carving & Recovery Tools
    
    File data carving tools
  - Pcap inspection
    Pcap inspection
    
    Pcap Inspection
    
    Usb keyboard pcap analysis
    
    Usb keystrokes
    
    Wifi pcap analysis
  - Specific software file type tricks
    Specific software file type tricks
    
    Index
    
    Browser Artifacts
    
    Desofuscation vbs cscript.exe
    
    Local Cloud Storage
    
    Office file analysis
    
    PDF File analysis
    
    Png tricks
    
    Video and audio file analysis
    
    ZIPs tricks
  - Windows forensics
    Windows forensics
    
    Windows Artifacts
    
    Interesting Windows Registry Keys
    
    Windows processes
Generic hacking
Generic hacking
- Brute Force - CheatSheet
- Exfiltration
- Search Exploits
- Tunneling and Port Forwarding
- Reverse shells
  Reverse shells
Generic methodologies and resources
Generic methodologies and resources
- Pentesting Methodology
- Threat Modeling
- Basic forensic methodology
  Basic forensic methodology
  - Basic Forensic Methodology
  - Anti-Forensic Techniques
  - Docker Forensics
  - File integrity monitoring
  - Image Acquisition & Mount
  - Linux Forensics
  - Malware Analysis
  - Memory dump analysis
    Memory dump analysis
    
    Memory dump analysis
    
    Volatility - CheatSheet
  - Partitions file systems carving
    Partitions file systems carving
    
    Partitions/File Systems/Carving
    
    File/Data Carving & Recovery Tools
  - Pcap inspection
    Pcap inspection
    
    Pcap Inspection
    
    DNSCat pcap analysis
    
    Suricata & Iptables cheatsheet
    
    USB Keystrokes
    
    Wifi Pcap Analysis
    
    Wireshark tricks
  - Specific software file type tricks
    Specific software file type tricks
    
    Index
    
    Browser Artifacts
    
    Desofuscation vbs cscript.exe
    
    Local Cloud Storage
    
    Office file analysis
    
    PDF File analysis
    
    Png tricks
    
    Video and audio file analysis
    
    ZIPs tricks
  - Windows forensics
    Windows forensics
    
    Windows Artifacts
    
    Interesting Windows Registry Keys
- External recon methodology
  External recon methodology
- Pentesting network
  Pentesting network
- Pentesting wifi
  Pentesting wifi
  - Pentesting Wifi
  - Evil Twin EAP-TLS
- Phishing methodology
  Phishing methodology
- Python
  Python
  - Python Sandbox Escape & Pyscript
  - Basic Python
  - Bruteforce hash few chars
  - Class Pollution (Python's Prototype Pollution)
  - Pyscript
  - Python Internal Read Gadgets
  - venv
  - Web Requests
  - Bypass python sandboxes
    Bypass python sandboxes
    
    Bypass Python sandboxes
    
    LOAD_NAME / LOAD_CONST opcode OOB Read
Hardware physical access
Hardware physical access
- Escaping from KIOSKs
- Physical Attacks
- Firmware analysis
  Firmware analysis
Linux hardening
Linux hardening
- FreeIPA Pentesting
- Linux Environment Variables
- Checklist - Linux Privilege Escalation
- Useful Linux Commands
- Bypass bash restrictions
  Bypass bash restrictions
  - Bypass Linux Restrictions
  - Bypass fs protections read only no exec distroless
    Bypass fs protections read only no exec distroless
    
    Bypass FS protections: read-only / no-exec / Distroless
    
    DDexec / EverythingExec
- Linux post exploitation
  Linux post exploitation
  - Linux Post-Exploitation
  - PAM - Pluggable Authentication Modules
- Privilege escalation
  Privilege escalation
  - Linux Privilege Escalation
  - Cisco - vmanage
  - Containerd (ctr) Privilege Escalation
  - D-Bus Enumeration & Command Injection Privilege Escalation
  - Node inspector/CEF debug abuse
  - Escaping from Jails
  - euid, ruid, suid
  - ld.so privesc exploit example
  - Linux Active Directory
  - Linux Capabilities
  - Logstash
  - Nfs no root squash misconfiguration pe
  - Payloads to execute
  - RunC Privilege Escalation
  - Selinux
  - Socket command injection
  - Splunk LPE and Persistence
  - Ssh forward agent exploitation
  - Wildcards spare tricks
  - Arbitrary File Write to Root
  - Docker security
    Docker security
    
    Docker Security
    
    Abusing Docker Socket for Privilege Escalation
    
    AppArmor
    
    Authz and authn docker access authorization plugin
    
    CGroups
    
    Docker --privileged
    
    Seccomp
    
    Weaponizing Distroless
    
    Docker breakout privilege escalation
    Docker breakout privilege escalation
    
    Docker Breakout / Privilege Escalation
    
    Docker release_agent cgroups escape
    
    Release agent exploit relative paths to pids
    
    Sensitive Mounts
    
    Namespaces
    Namespaces
    
    Namespaces
    
    CGroup Namespace
    
    IPC Namespace
    
    Mount Namespace
    
    Network Namespace
    
    PID Namespace
    
    Time Namespace
    
    User Namespace
    
    UTS Namespace
  - Interesting groups linux pe
    Interesting groups linux pe
    
    Interesting Groups - Linux Privesc
    
    lxd/lxc Group - Privilege escalation
- Useful linux commands
  Useful linux commands
  - Useful Linux Commands
  - Bypass Linux Restrictions
Linux unix
Linux unix
- Privilege escalation
  Privilege escalation
  - Exploiting yum
  - Interesting groups linux pe
Macos hardening
Macos hardening
- macOS Auto Start
- macOS Useful Commands
- Macos red teaming
  Macos red teaming
  - macOS Red Teaming
  - macOS Keychain
  - Macos mdm
    Macos mdm
    
    macOS MDM
    
    Enrolling Devices in Other Organisations
    
    macOS Serial Number
- Macos security and privilege escalation
  Macos security and privilege escalation
  - macOS Security & Privilege Escalation
  - macOS AppleFS
  - macOS Objective-C
  - macOS Bypassing Firewalls
  - macOS Defensive Apps
  - macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
  - macOS File Extension & URL scheme app handlers
  - macOS GCD - Grand Central Dispatch
  - macOS Privilege Escalation
  - macOS Network Services & Protocols
  - macOS Users & External Accounts
  - Mac os architecture
    Mac os architecture
    
    macOS Kernel & System Extensions
    
    macOS Function Hooking
    
    macOS IOKit
    
    macOS Kernel Extensions & Debugging
    
    macOS Kernel Vulnerabilities
    
    macOS System Extensions
    
    Macos ipc inter process communication
    Macos ipc inter process communication
    
    macOS IPC - Inter Process Communication
  - Macos apps inspecting debugging and fuzzing
    Macos apps inspecting debugging and fuzzing
    
    macOS Apps - Inspecting, debugging and Fuzzing
    
    Introduction to ARM64v8
    
    Introduction to x64
    
    Objects in memory
  - Macos files folders and binaries
    Macos files folders and binaries
    
    macOS Files, Folders, Binaries & Memory
    
    macOS Bundles
    
    macOS Installers Abuse
    
    macOS Memory Dumping
    
    macOS Sensitive Locations & Interesting Daemons
    
    macOS Universal binaries & Mach-O Format
  - Macos proces abuse
    Macos proces abuse
    
    macOS Process Abuse
    
    macOS .Net Applications Injection
    
    macOS Chromium Injection
    
    macOS Dirty NIB
    
    macOS Electron Applications Injection
    
    macOS Function Hooking
    
    macOS Java Applications Injection
    
    macOS Perl Applications Injection
    
    macOS Python Applications Injection
    
    macOS Ruby Applications Injection
    
    Macos ipc inter process communication
    Macos ipc inter process communication
    
    macOS IPC - Inter Process Communication
    
    macOS MIG - Mach Interface Generator
    
    macOS Thread Injection via Task port
    
    Macos xpc
    Macos xpc
    
    macOS XPC
    
    macOS XPC Authorization
    
    Macos xpc connecting process check
    Macos xpc connecting process check
    
    macOS XPC Connecting Process Check
    
    macOS PID Reuse
    
    macOS xpc_connection_get_audit_token Attack
    
    Macos library injection
    Macos library injection
    
    macOS Library Injection
    
    macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
    
    macOS Dyld Process
  - Macos security protections
    Macos security protections
    
    macOS Security Protections
    
    macOS - AMFI - AppleMobileFileIntegrity
    
    macOS Authorizations DB & Authd
    
    macOS Code Signing
    
    macOS Dangerous Entitlements & TCC perms
    
    macOS Gatekeeper / Quarantine / XProtect
    
    macOS Launch/Environment Constraints & Trust Cache
    
    macOS MACF
    
    macOS SIP
    
    Macos fs tricks
    Macos fs tricks
    
    macOS FS Tricks
    
    macOS xattr-acls extra stuff
    
    Macos sandbox
    Macos sandbox
    
    macOS Sandbox
    
    macOS Default Sandbox Debug
    
    Macos sandbox debug and bypass
    Macos sandbox debug and bypass
    
    macOS Sandbox Debug & Bypass
    
    macOS Office Sandbox Bypasses
    
    Macos tcc
    Macos tcc
    
    macOS TCC
    
    macOS Apple Events
    
    macOS TCC Payloads
    
    Macos tcc bypasses
    Macos tcc bypasses
    
    macOS TCC Bypasses
    
    macOS Apple Scripts
Misc
Misc
- References
Mobile pentesting
Mobile pentesting
- Android APK Checklist
- Cordova Apps
- iOS Pentesting Checklist
- Xamarin Apps
- Android app pentesting
  Android app pentesting
  - Android Applications Pentesting
  - Adb commands
  - Android Applications Basics
  - Android Task Hijacking
  - APK decompilers
  - AVD - Android Virtual Device
  - Bypass Biometric Authentication (Android)
  - Content protocol
  - Exploiting a debuggeable application
  - Google CTF 2018 - Shall We Play a Game?
  - Install Burp Certificate
  - Intent injection
  - Make apk accept ca certificate
  - Manual deobfuscation
  - React native application
  - Reversing Native Libraries
  - Smali - Decompiling/[Modifying]/Compiling
  - Spoofing your location in play store
  - Tapjacking
  - Webview Attacks
  - Drozer tutorial
    Drozer tutorial
    
    Drozer Tutorial
    
    Exploiting Content Providers
  - Frida tutorial
    Frida tutorial
    
    Frida Tutorial
    
    Frida Tutorial 1
    
    Frida Tutorial 2
    
    Objection Tutorial
    
    Frida Tutorial 3
- Ios pentesting
  Ios pentesting
Network services pentesting
Network services pentesting
- 10000 network data management protocol ndmp
- 1026 - Pentesting Rusersd
- 1080 - Pentesting Socks
- 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
- 113 - Pentesting Ident
- 135, 593 - Pentesting MSRPC
- 137,138,139 - Pentesting NetBios
- 1414 - Pentesting IBM MQ
- 1521,1522-1529 - Pentesting Oracle TNS Listener
- 15672 - Pentesting RabbitMQ Management
- 1723 - Pentesting PPTP
- 1883 - Pentesting MQTT (Mosquitto)
- 2375, 2376 Pentesting Docker
- 24007 24008 24009 49152 pentesting glusterfs
- 27017,27018 - Pentesting MongoDB
- 3128 pentesting squid
- 3260 - Pentesting ISCSI
- 3299 pentesting saprouter
- 3632 pentesting distcc
- 3690 pentesting subversion svn server
- 3702/UDP - Pentesting WS-Discovery
- 43 - Pentesting WHOIS
- 4369 pentesting erlang port mapper daemon epmd
- 44134 pentesting tiller helm
- 44818 ethernetip
- 47808 udp bacnet
- 4786 - Cisco Smart Install
- 4840 - Pentesting OPC UA
- 49 - Pentesting TACACS+
- 5000 - Pentesting Docker Registry
- 50030 50060 50070 50075 50090 pentesting hadoop
- 512 - Pentesting Rexec
- 515 pentesting line printer daemon lpd
- 5353/UDP Multicast DNS (mDNS) and DNS-SD
- 5439 - Pentesting Redshift
- 554,8554 - Pentesting RTSP
- 5555 - Android Debug Bridge
- 5601 pentesting kibana
- 5671,5672 - Pentesting AMQP
- 548 - Pentesting Apple Filing Protocol (AFP)
- 5984,6984 - Pentesting CouchDB
- 5985,5986 - Pentesting OMI
- 5985,5986 - Pentesting WinRM
- 6000 - Pentesting X11
- 623/UDP/TCP - IPMI
- 6379 - Pentesting Redis
- 69 udp tftp
- 7 tcp udp pentesting echo
- 700 - Pentesting EPP
- 8009 - Pentesting Apache JServ Protocol (AJP)
- 8086 - Pentesting InfluxDB
- 8089 - Pentesting Splunkd
- 8333,18333,38333,18444 - Pentesting Bitcoin
- 873 - Pentesting Rsync
- 9000 pentesting fastcgi
- 9001 pentesting hsqldb
- 9100 pjl
- 9200 - Pentesting Elasticsearch
- 9042/9160 - Pentesting Cassandra
- 500/udp - Pentesting IPsec/IKE VPN
- 2049 - Pentesting NFS Service
- Pentesting 264 check point firewall 1
- Pentesting 631 internet printing protocol ipp
- Pentesting compaq hp insight manager
- 53 - Pentesting DNS
- 79 - Pentesting Finger
- 143,993 - Pentesting IMAP
- 194,6667,6660-7000 - Pentesting IRC
- Pentesting JDWP - Java Debug Wire Protocol
- 389, 636, 3268, 3269 - Pentesting LDAP
- Pentesting modbus
- 3306 - Pentesting Mysql
- 123/udp - Pentesting NTP
- 110,995 - Pentesting POP
- 5432,5433 - Pentesting Postgresql
- 3389 - Pentesting RDP
- Pentesting Remote GdbServer
- 513 - Pentesting Rlogin
- 111/TCP/UDP - Pentesting Portmapper
- 514 - Pentesting Rsh
- Pentesting sap
- 139,445 - Pentesting SMB
- 22 - Pentesting SSH/SFTP
- 23 - Pentesting Telnet
- 5800,5801,5900,5901 - Pentesting VNC
- 11211 memcache
  11211 memcache
  - 11211 - Pentesting Memcache
  - Memcache Commands
- 1521 1522 1529 pentesting oracle listener
  1521 1522 1529 pentesting oracle listener
  - 1521,1522-1529 - Pentesting Oracle TNS Listener
- Pentesting ftp
  Pentesting ftp
- Pentesting kerberos 88
  Pentesting kerberos 88
- Pentesting mssql microsoft sql server
  Pentesting mssql microsoft sql server
  - 1433 - Pentesting MSSQL - Microsoft SQL Server
  - Types of MSSQL Users
- Pentesting smb
  Pentesting smb
  - 139,445 - Pentesting SMB
  - rpcclient enumeration
- Pentesting smtp
  Pentesting smtp
- Pentesting snmp
  Pentesting snmp
- Pentesting voip
  Pentesting voip
  - Pentesting VoIP
  - Basic voip protocols
    Basic voip protocols
    
    Basic VoIP Protocols
    
    SIP (Session Initiation Protocol)
- Pentesting web
  Pentesting web
  - 80,443 - Pentesting Web Methodology
  - 403 & 401 Bypasses
  - Aem adobe experience cloud
  - Angular
  - Apache
  - Artifactory hacking guide
  - Bolt CMS
  - Cgi
  - Source code Review / SAST Tools
  - Django
  - DotNetNuke (DNN)
  - Flask
  - Git
  - Golang
  - Grafana
  - GraphQL
  - GWT - Google Web Toolkit
  - H2 - Java SQL database
  - IIS - Internet Information Services
  - ImageMagick Security
  - JBOSS
  - Jira & Confluence
  - Joomla
  - JSP
  - Laravel
  - Moodle
  - NextJS
  - NextJS
  - Nginx
  - NodeJS Express
  - PrestaShop
  - WebDav
  - Python
  - Rocket Chat
  - Special HTTP headers
  - Spring Actuators
  - Symfony
  - Uncovering CloudFlare
  - Vmware esx vcenter...
  - Web API Pentesting
  - Werkzeug / Flask Debug
  - Wordpress
  - Buckets
    Buckets
    
    Buckets
    
    Firebase Database
  - Drupal
    Drupal
    
    Drupal
    
    Drupal RCE
  - Electron desktop apps
    Electron desktop apps
    
    Electron Desktop Apps
    
    Electron contextIsolation RCE via Electron internal code
    
    Electron contextIsolation RCE via IPC
    
    Electron contextIsolation RCE via preload code
  - Php tricks esp
    Php tricks esp
    
    PHP Tricks
    
    PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
    
    PHP SSRF
    
    Php useful functions disable functions open basedir bypass
    Php useful functions disable functions open basedir bypass
    
    PHP - Useful Functions & disable_functions/open_basedir bypass
    
    Disable functions bypass dl function
    
    Disable functions bypass imagick less than 3.3.0 php greater than 5.4 exploit
    
    Disable functions bypass mod cgi
    
    Disable functions bypass php 4 greater than 4.2.0 php 5 pcntl exec
    
    Disable functions bypass php 5.2 fopen exploit
    
    Disable functions bypass php 5.2.3 win32std ext protections bypass
    
    Disable functions bypass php 5.2.4 and 5.2.5 php curl
    
    disable_functions bypass - PHP 7.0-7.4 (*nix only)
    
    disable_functions bypass - php-fpm/FastCGI
    
    Disable functions bypass php less than 5.2.9 on windows
    
    Disable functions bypass php perl extension safe mode bypass exploit
    
    Disable functions bypass php safe mode bypass via proc open and custom environment exploit
    
    Disable functions bypass via mem
    
    Disable functions php 5.2.4 ioncube extension exploit
    
    Disable functions php 5.x shellshock exploit
  - Tomcat
    Tomcat
    
    Tomcat
Pentesting web
Pentesting web
- 2FA/MFA/OTP Bypass
- hop-by-hop headers
- Account Takeover
- Bypass Payment Process
- Captcha Bypass
- Clickjacking
- Client Side Path Traversal
- Client Side Template Injection (CSTI)
- Command Injection
- CORS - Misconfigurations & Bypass
- CRLF (%0D%0A) Injection
- CSRF (Cross Site Request Forgery)
- Dependency Confusion
- Domain/Subdomain takeover
- Email Injections
- Formula/CSV/Doc/LaTeX/GhostScript Injection
- Pentesting gRPC-Web
- Upgrade Header Smuggling
- JWT Vulnerabilities (Json Web Tokens)
- HTTP Connection Contamination
- HTTP Connection Request Smuggling
- HTTP Response Smuggling / Desync
- Idor
- Iframe Traps
- LDAP Injection
- NoSQL injection
- OAuth to Account takeover
- Open Redirect
- ORM Injection
- Parameter Pollution | JSON Injection
- Phone Number Injections
- Proxy / WAF Protections Bypass
- Race Condition
- Rate Limit Bypass
- Registration & Takeover Vulnerabilities
- Regular expression Denial of Service - ReDoS
- Reset/Forgotten Password Bypass
- Reverse tab nabbing
- Server Side Inclusion/Edge Side Inclusion Injection
- Timing Attacks
- UUID Insecurities
- Web Tool - WFuzz
- Web Vulnerabilities Methodology
- WebSocket Attacks
- XPATH injection
- XS-Search/XS-Leaks
- XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
- XSSI (Cross-Site Script Inclusion)
- XXE - XEE - XML External Entity
- Browser extension pentesting methodology
  Browser extension pentesting methodology
- Cache deception
  Cache deception
- Content security policy csp bypass
  Content security policy csp bypass
  - Content Security Policy (CSP) Bypass
  - Csp bypass self + unsafe inline with iframes
- Dangling markup html scriptless injection
  Dangling markup html scriptless injection
  - Dangling Markup - HTML scriptless injection
  - SS-Leaks
- Deserialization
  Deserialization
- File inclusion
  File inclusion
- File upload
  File upload
  - File Upload
  - PDF Upload - XXE and CORS bypass
- Hacking with cookies
  Hacking with cookies
- Http request smuggling
  Http request smuggling
- Login bypass
  Login bypass
  - Login Bypass
  - Sql login bypass
- Pocs and polygloths cheatsheet
  Pocs and polygloths cheatsheet
  - Reflecting Techniques - PoCs and Polygloths CheatSheet
  - Web Vulns List
- Postmessage vulnerabilities
  Postmessage vulnerabilities
- Saml attacks
  Saml attacks
  - SAML Attacks
  - Saml basics
- Sql injection
  Sql injection
  - SQL Injection
  - Cypher Injection (neo4j)
  - MS Access SQL Injection
  - MSSQL Injection
  - Oracle injection
  - Sqlmap
  - Mysql injection
    Mysql injection
    
    MySQL injection
    
    MySQL File priv to SSRF/RCE
  - Postgresql injection
    Postgresql injection
    
    PostgreSQL injection
    
    Big binary files upload postgresql
    
    dblink/lo_import data exfiltration
    
    Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
    
    PL/pgSQL Password Bruteforce
    
    RCE with PostgreSQL Extensions
    
    RCE with PostgreSQL Languages
  - Sqlmap
    Sqlmap
    
    SQLMap - Cheatsheet
    
    Second order injection sqlmap
- Ssrf server side request forgery
  Ssrf server side request forgery
- Ssti server side template injection
  Ssti server side template injection
- Unicode injection
  Unicode injection
  - Unicode Injection
  - Unicode Normalization
- Web vulnerabilities methodology
  Web vulnerabilities methodology
  - Web Vulnerabilities Methodology
- Xs search
  Xs search
- Xss cross site scripting
  Xss cross site scripting
Physical attacks
Physical attacks
- Physical Attacks
- Escaping from gui applications
  Escaping from gui applications
  - Index
- Firmware analysis
  Firmware analysis
Radio hacking
Radio hacking
Reversing
Reversing
- Common API used in Malware
- Word Macros
- Cryptographic algorithms
  Cryptographic algorithms
  - Cryptographic/Compression Algorithms
  - Unpacking binaries
- Reversing tools
  Reversing tools
  - Index
  - Blobrunner
- Reversing tools basic methods
  Reversing tools basic methods
  - Reversing Tools & Basic Methods
  - Blobrunner
  - Cheat Engine
  - Satisfiability modulo theories smt z3
  - Angr
    Angr
    
    Index
    
    Angr - Examples
Reversing and exploiting
Reversing and exploiting
- Linux exploiting basic esp
  Linux exploiting basic esp
  - Common Exploiting Problems
  - ELF Tricks
  - One Gadget
  - Arbitrary write 2 exec
    Arbitrary write 2 exec
    
    Arbitrary Write 2 Exec
    
    AW2Exec - __malloc_hook
    
    AW2Exec - GOT/PLT
    
    AWS2Exec - .dtors & .fini_array
  - Common binary protections and bypasses
    Common binary protections and bypasses
    
    Common Binary Protections
    
    No-exec / NX
    
    Relro
    
    Aslr
    Aslr
    
    ASLR
    
    Ret2plt
    
    Pie
    Pie
    
    PIE
    
    BF Addresses in the Stack
    
    Stack canaries
    Stack canaries
    
    Stack Canaries
    
    BF Forked & Threaded Stack Canaries
    
    Print Stack Canary
  - Format strings
    Format strings
    
    Format Strings
    
    Format strings template
  - Stack overflow
    Stack overflow
    
    Stack Overflow
    
    Pointer Redirecting
    
    Ret2csu
    
    Ret2dlresolve
    
    Ret2esp / Ret2reg
    
    Ret2ret & Reo2pop
    
    Ret2win
    
    ROP - Return Oriented Programing
    
    Ret2syscall
    
    SROP - Sigreturn-Oriented Programming
    
    Stack Pivoting - EBP2Ret - EBP chaining
    
    Stack Shellcode
    
    Ret2lib
    Ret2lib
    
    Ret2lib
    
    Rop leaking libc address
    Rop leaking libc address
    
    Leaking libc address with ROP
    
    Rop leaking libc template
Stego
Stego
- Esoteric languages
- Stego Tricks
Todo
Todo
- 6881 udp pentesting bittorrent
- Android Forensics
- Burp suite
- Cookies Policy
- Interesting http
- Investment Terms
- Misc
- More tools
- Online Platforms with API
- Other Web Tricks
- Pentesting dns
- Post exploitation
- References
- Rust Basics
- Stealing Sensitive Information Disclosure from a Web
- Test LLMs
- TR-069
- Hardware hacking
  Hardware hacking
- Industrial control systems hacking
  Industrial control systems hacking
  - Industrial Control Systems Hacking
  - The Modbus Protocol
- Llm training data preparation
  Llm training data preparation
- Radio hacking
  Radio hacking
  - Radio Hacking
  - FISSURE - The RF Framework
  - iButton
  - Infrared
  - Low-Power Wide Area Network
  - Pentesting BLE - Bluetooth Low Energy
  - Pentesting RFID
  - Proxmark 3
  - Sub-GHz RF
  - Flipper zero
    Flipper zero
    
    Flipper Zero
    
    FZ - 125kHz RFID
    
    FZ - iButton
    
    FZ - Infrared
    
    FZ - NFC
    
    FZ - Sub-GHz
Welcome
Welcome
- About the author
- HackTricks Values & FAQ
Windows hardening
Windows hardening
- Windows Security Controls
- Antivirus (AV) Bypass
- Basic Win CMD for Pentesters
- Checklist - Local Windows Privilege Escalation
- Cobalt Strike
- Active directory methodology
  Active directory methodology
  - Active Directory Methodology
  - MSSQL AD Abuse
  - AD Certificates
  - AD DNS Records
  - Ad information in printers
  - ASREPRoast
  - BloodHound & Other AD Enum Tools
  - Constrained Delegation
  - Custom SSP
  - Dcshadow
  - DCSync
  - Diamond Ticket
  - Dsrm credentials
  - External Forest Domain - One-Way (Outbound)
  - External Forest Domain - OneWay (Inbound) or bidirectional
  - Golden Ticket
  - Kerberoast
  - Kerberos Authentication
  - Kerberos Double Hop Problem
  - LAPS
  - Over Pass the Hash/Pass the Key
  - Pass the Ticket
  - Password Spraying / Brute Force
  - Force NTLM Privileged Authentication
  - PrintNightmare
  - Privileged Groups
  - RDP Sessions Abuse
  - Resource-based Constrained Delegation
  - Security Descriptors
  - SID-History Injection
  - Silver Ticket
  - Skeleton Key
  - Unconstrained Delegation
  - Acl persistence abuse
    Acl persistence abuse
    
    Abusing Active Directory ACLs/ACEs
    
    Shadow Credentials
  - Ad certificates
    Ad certificates
    
    AD Certificates
    
    AD CS Account Persistence
    
    AD CS Certificate Theft
    
    AD CS Domain Escalation
    
    AD CS Domain Persistence
- Authentication credentials uac and efs
  Authentication credentials uac and efs
  - Windows Security Controls
  - UAC - User Account Control
- Basic powershell for pentesters
  Basic powershell for pentesters
  - Basic PowerShell for Pentesters
  - PowerView/SharpView
- Lateral movement
  Lateral movement
- Ntlm
  Ntlm
- Stealing credentials
  Stealing credentials
- Windows local privilege escalation
  Windows local privilege escalation
  - Windows Local Privilege Escalation
  - Access Tokens
  - ACLs - DACLs/SACLs/ACEs
  - Appenddata addsubdirectory permission over service registry
  - COM Hijacking
  - Create msi with wix
  - Dll Hijacking
  - DPAPI - Extracting Passwords
  - From high integrity to system with name pipes
  - Integrity Levels
  - JuicyPotato
  - Leaked Handle Exploitation
  - MSI Wrapper
  - Named Pipe Client Impersonation
  - Abusing Tokens
  - Privilege Escalation with Autoruns
  - RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
  - Sedebug + seimpersonate copy token
  - SeImpersonate from High To System
  - Windows c payloads
  - Dll hijacking
    Dll hijacking
    
    Dll Hijacking
    
    Writable Sys Path +Dll Hijacking Privesc
  - Privilege escalation abusing tokens
    Privilege escalation abusing tokens
    
    Abusing Tokens
- Windows security controls
  Windows security controls
  - UAC - User Account Control

Java jsf viewstate .faces deserialization

[AD REMOVED]

Check the posts:

https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html
https://0xrick.github.io/hack-the-box/arkham/

[AD REMOVED]

All content on this page is from HackTricks, which belongs to Carlos Polop and is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license unless otherwise specified. This page is generated from the HackTricks wiki and just has the ads removed.