bughra.dev

bughra.devOffensive Security Bloghttps://bughra.dev/Generators in Pythonhttps://bughra.dev/posts/generators-in-python/https://bughra.dev/posts/generators-in-python/Generators are special functions in Python that allow you to declare a function that behaves like an iterator. They enable you to iterate over a potentially ...Wed, 23 Apr 2025 00:00:00 GMTSession Management and Cookie Securityhttps://bughra.dev/posts/session-management/https://bughra.dev/posts/session-management/Session management is the process of securely maintaining a user's state and identity across multiple requests in web applications. Since HTTP is stateless b...Fri, 11 Apr 2025 00:00:00 GMTSession Fixation Attackhttps://bughra.dev/posts/session-fixation/https://bughra.dev/posts/session-fixation/Session fixation is a web security vulnerability that allows an attacker to force a user to use a specific session identifier (session ID). The attack exploi...Fri, 11 Apr 2025 00:00:00 GMTActive Directory Basicshttps://bughra.dev/posts/active-directory-basics/https://bughra.dev/posts/active-directory-basics/1. Follow the principle of least privilege 2. Implement proper account tiering 3. Use Protected Users security group for privileged accounts 4. Enable Advanc...Thu, 10 Apr 2025 00:00:00 GMTAuthentication Bypasshttps://bughra.dev/posts/authentication-bypass/https://bughra.dev/posts/authentication-bypass/Authentication bypass vulnerabilities allow attackers to gain unauthorized access to systems by circumventing authentication mechanisms. This cheatsheet cove...Thu, 10 Apr 2025 00:00:00 GMTCommand Injectionhttps://bughra.dev/posts/command-injection/https://bughra.dev/posts/command-injection/Command injection is a web security vulnerability that allows an attacker to execute arbitrary commands on the host operating system via a vulnerable applica...Thu, 10 Apr 2025 00:00:00 GMTCryptography Basicshttps://bughra.dev/posts/cryptography-basics/https://bughra.dev/posts/cryptography-basics/Introduction to cryptography fundamentals including encryption, decryption, hashing, and key managementThu, 10 Apr 2025 00:00:00 GMTBrute Forcing with Hydrahttps://bughra.dev/posts/brute-forcing-with-hydra/https://bughra.dev/posts/brute-forcing-with-hydra/Hydra is a fast and flexible online password cracking tool that supports numerous protocols including SSH, FTP, HTTP, SMB, and many others. This cheatsheet p...Thu, 10 Apr 2025 00:00:00 GMTActive Directory Enumerationhttps://bughra.dev/posts/active-directory-enumeration/https://bughra.dev/posts/active-directory-enumeration/Active Directory (AD) enumeration is a crucial phase during penetration testing that involves gathering information about the AD infrastructure, including do...Thu, 10 Apr 2025 00:00:00 GMTContent Discoveryhttps://bughra.dev/posts/content-discovery/https://bughra.dev/posts/content-discovery/Web content discovery techniques using tools like ffuf, gobuster, nikto, and wpscan for enumerationThu, 10 Apr 2025 00:00:00 GMTAccess Controlhttps://bughra.dev/posts/access-control/https://bughra.dev/posts/access-control/Access control is the process of granting or denying specific requests to obtain and use information and related information processing services. It is a fun...Thu, 10 Apr 2025 00:00:00 GMTAttacking Common Serviceshttps://bughra.dev/posts/attacking-common-services/https://bughra.dev/posts/attacking-common-services/This document provides a comprehensive guide for assessing and exploiting common network services during penetration testing. For each service, we'll cover e...Thu, 10 Apr 2025 00:00:00 GMTLinux Privilege Escalationhttps://bughra.dev/posts/linux-privilege-escalation/https://bughra.dev/posts/linux-privilege-escalation/Linux privilege escalation techniques including SUID binaries, sudo misconfigurations, and kernel exploitsThu, 10 Apr 2025 00:00:00 GMTNmap Firewall & IDS Evasionhttps://bughra.dev/posts/nmap-firewall-ids-evasion/https://bughra.dev/posts/nmap-firewall-ids-evasion/Nmap techniques for evading firewalls and intrusion detection systems during network scanningThu, 10 Apr 2025 00:00:00 GMTRace Conditionhttps://bughra.dev/posts/race-condition/https://bughra.dev/posts/race-condition/Race conditions are security vulnerabilities that occur when the timing of events affects the correct operation of a system or application. They happen when ...Thu, 10 Apr 2025 00:00:00 GMTSQL Injectionhttps://bughra.dev/posts/sql-injection/https://bughra.dev/posts/sql-injection/SQL injection attack vectors and exploitation techniques for database compromise' UNION SELECT 1,2,3 -- - ' UNION SELECT username,password,3 FROM us...Thu, 10 Apr 2025 00:00:00 GMTWindows Privilege Escalationhttps://bughra.dev/posts/windows-privilege-escalation/https://bughra.dev/posts/windows-privilege-escalation/This cheatsheet provides a structured methodology for identifying and exploiting Windows privilege escalation vectors. It includes commands, explanations, an...Thu, 10 Apr 2025 00:00:00 GMTCommand and Control (C2) Frameworkshttps://bughra.dev/posts/c2/https://bughra.dev/posts/c2/Command and Control (C2) frameworks are software platforms used during red team operations and penetration testing to maintain communication with compromised...Thu, 10 Apr 2025 00:00:00 GMTActive Directory Breaching Techniqueshttps://bughra.dev/posts/active-directory-breaching/https://bughra.dev/posts/active-directory-breaching/This cheatsheet focuses on initial access vectors for breaching Active Directory environments. These techniques target the perimeter of an AD forest, allowin...Thu, 10 Apr 2025 00:00:00 GMTHash Cracking and Password Attack Techniqueshttps://bughra.dev/posts/hash-cracking/https://bughra.dev/posts/hash-cracking/Comprehensive guide to hash cracking and password attack techniques including John the Ripper, Hashcat, and HydraThu, 10 Apr 2025 00:00:00 GMTCSP & Same-Origin Policy Bypasshttps://bughra.dev/posts/csp-same-origin/https://bughra.dev/posts/csp-same-origin/Content Security Policy (CSP) and Same-Origin Policy (SOP) are critical web security mechanisms designed to prevent various attacks including Cross-Site Scri...Thu, 10 Apr 2025 00:00:00 GMTInsecure Direct Object References (IDOR)https://bughra.dev/posts/idor/https://bughra.dev/posts/idor/Insecure Direct Object References (IDOR) is a critical web security vulnerability that occurs when an application exposes a reference to an internal implemen...Thu, 10 Apr 2025 00:00:00 GMTCross-Site Request Forgery (CSRF)https://bughra.dev/posts/csrf/https://bughra.dev/posts/csrf/Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions they did not intend to perform. ...Thu, 10 Apr 2025 00:00:00 GMTJSON Web Token (JWT) Securityhttps://bughra.dev/posts/jwt/https://bughra.dev/posts/jwt/JSON Web Tokens (JWTs) are an open standard (RFC 7519) for securely transmitting information between parties as a compact, self-contained JSON object. JWTs a...Thu, 10 Apr 2025 00:00:00 GMTLocal File Inclusion (LFI) & Path Traversalhttps://bughra.dev/posts/lfi/https://bughra.dev/posts/lfi/Local File Inclusion (LFI) and path traversal vulnerabilities for reading sensitive files and remote code executionThu, 10 Apr 2025 00:00:00 GMTFile Upload Vulnerabilitieshttps://bughra.dev/posts/file-upload/https://bughra.dev/posts/file-upload/File upload vulnerabilities occur when web applications allow users to upload files without properly validating their type, content, size, or name. Successfu...Thu, 10 Apr 2025 00:00:00 GMTLinux File Transfer Cheatsheethttps://bughra.dev/posts/linux-file-transfer/https://bughra.dev/posts/linux-file-transfer/Comprehensive guide to Linux file transfer techniques including wget, curl, netcat, and Python HTTP serversThu, 10 Apr 2025 00:00:00 GMTMetasploit Framework and Meterpreterhttps://bughra.dev/posts/metasploit/https://bughra.dev/posts/metasploit/Metasploit Framework and Meterpreter payload usage for penetration testing and exploitationThu, 10 Apr 2025 00:00:00 GMTNoSQL Injectionhttps://bughra.dev/posts/no-sql/https://bughra.dev/posts/no-sql/NoSQL injection is a security vulnerability that occurs when untrusted data is sent to a NoSQL database interpreter as part of a command or query. Unlike SQL...Thu, 10 Apr 2025 00:00:00 GMTEssential OSINT Tools and Frameworkshttps://bughra.dev/posts/osint/https://bughra.dev/posts/osint/Open Source Intelligence (OSINT) tools and techniques for information gathering and reconnaissanceThu, 10 Apr 2025 00:00:00 GMTLog Poisoning via User-Agenthttps://bughra.dev/posts/log-poison/https://bughra.dev/posts/log-poison/Log poisoning is an attack technique where malicious code is injected into server log files which are then executed when the log file is viewed or processed....Thu, 10 Apr 2025 00:00:00 GMTNetwork Enumeration with Nmaphttps://bughra.dev/posts/port-scanning/https://bughra.dev/posts/port-scanning/Network port scanning techniques and methodologies using Nmap and other toolsThu, 10 Apr 2025 00:00:00 GMTPassive and Active Reconnaissancehttps://bughra.dev/posts/passive-and-active-recon/https://bughra.dev/posts/passive-and-active-recon/Reconnaissance (recon) is the first phase in a penetration test and involves collecting information about the target systems, networks, and organizations. Th...Thu, 10 Apr 2025 00:00:00 GMTRed Team Fundamentals and Methodologieshttps://bughra.dev/posts/red-teaming/https://bughra.dev/posts/red-teaming/Red teaming is an advanced form of security assessment that simulates real-world attacks against an organization's people, processes, and technology to ident...Thu, 10 Apr 2025 00:00:00 GMTShell Upgrade Techniqueshttps://bughra.dev/posts/shell/https://bughra.dev/posts/shell/During penetration testing, the initial shell you receive after exploitation is often limited in functionality (non-interactive). This document covers techni...Thu, 10 Apr 2025 00:00:00 GMTSSI (Server-Side Includes) Injectionhttps://bughra.dev/posts/ssi/https://bughra.dev/posts/ssi/Server-Side Includes (SSI) are directives in HTML pages that are evaluated on the server before the page is delivered to the client. SSI injection occurs whe...Thu, 10 Apr 2025 00:00:00 GMTServer-Side Request Forgery (SSRF)https://bughra.dev/posts/ssrf/https://bughra.dev/posts/ssrf/Server-Side Request Forgery (SSRF) is a web security vulnerability that allows attackers to induce the server-side application to make requests to an uninten...Thu, 10 Apr 2025 00:00:00 GMTWeaponization Techniques for Red Team Operationshttps://bughra.dev/posts/weaponization/https://bughra.dev/posts/weaponization/Weaponization is a critical phase in red team operations where offensive tools, payloads, and exploits are prepared for deployment against target environment...Thu, 10 Apr 2025 00:00:00 GMTSSTI (Server-Side Template Injection)https://bughra.dev/posts/ssti/https://bughra.dev/posts/ssti/Server-Side Template Injection (SSTI) is a vulnerability that occurs when user input is embedded directly into a template in an unsafe manner. When a web app...Thu, 10 Apr 2025 00:00:00 GMTWindows File Transfer Cheatsheethttps://bughra.dev/posts/windows-file-transfer/https://bughra.dev/posts/windows-file-transfer/Comprehensive guide to file transfer techniques on Windows systems including PowerShell, certutil, and SMB methodsThu, 10 Apr 2025 00:00:00 GMTXXE (XML External Entity) Injectionhttps://bughra.dev/posts/xml/https://bughra.dev/posts/xml/XML External Entity (XXE) injection vulnerabilities and exploitation techniques for reading files and SSRF attacksThu, 10 Apr 2025 00:00:00 GMTXSLT Injectionhttps://bughra.dev/posts/xslt/https://bughra.dev/posts/xslt/XSLT (Extensible Stylesheet Language Transformations) injection occurs when an attacker can control or modify XSLT stylesheets that are processed by an appli...Thu, 10 Apr 2025 00:00:00 GMTXSS (Cross-Site Scripting)https://bughra.dev/posts/xss/https://bughra.dev/posts/xss/Cross-Site Scripting (XSS) is a client-side injection vulnerability that allows attackers to execute malicious JavaScript in victims' browsers. This cheatshe...Thu, 10 Apr 2025 00:00:00 GMT