aravindkumarsvg

🔐 VAPT Checklist for iframe & postMessage Communication

✅ IFRAME Security Considerations

Check	Description
X-Frame-Options header	Should be set to DENY or SAMEORIGIN to prevent Clickjacking.
Content-Security-Policy (CSP)	Use frame-ancestors, child-src, frame-src directives to restrict embedding origins.
Sandboxing iframes	Use sandbox attribute with strict flags like allow-scripts or allow-forms.

aravindkumarsvg

🛡️ CSS Security Essentials

Learn how CSS can be a powerful tool for exploitation — from data exfiltration to phishing — when misused in web applications.

---

📌 Why CSS Matters in Security

CSS isn’t just about styling — in the wrong hands, it can be used to:

aravindkumarsvg

🔐 TOTP (Time-Based One-Time Password) - Full Guide

📘 What is TOTP?

TOTP (Time-Based One-Time Password) is a one-time password algorithm that uses the current time as a variable. It is commonly used in two-factor authentication (2FA) systems. TOTP generates a numeric code that changes every 30 seconds and is based on a shared secret between the client and the server.

• Defined in RFC 6238
• Based on HOTP (HMAC-based One-Time Password, RFC 4226)

---

aravindkumarsvg

OAuth 2.0 Parameters and Possible Values

This document lists various parameters used in OAuth 2.0 flows, including possible values where applicable.

---

🔐 Authorization Request Parameters

Parameter	Description	Example / Possible Values

aravindkumarsvg

✅ CSRF Vulnerability Testing Checklist

📌 Phase 1: Identify Candidate Endpoints

• Look for state-changing actions (e.g., transfer, password change, account update).
• Confirm the endpoint uses cookie-based authentication.
• Check if the endpoint accepts GET or POST methods.

---

📌 Phase 2: Analyze Request Properties

aravindkumarsvg

Pre-requisites

• Get the reverse shell in netcat
• check python support in the target system

which python

Shell Stablization

1. If your terminal is using zsh, then you need to switch to bash

aravindkumarsvg

#!/bin/bash

# Enabling ADB over network
# adb kill-server && adb start-server # restart adb server
# adb tcpip 5555 # start adb service
# adb connect <phone_id> # connect to the device

# For enabling loudspeaker and cut the call, make sure to change it based on your phone screen
# Ref for getting touch coordinates: https://android.stackexchange.com/questions/164295/how-can-i-see-the-pointer-location-and-simulate-it

aravindkumarsvg

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  config.vm.box_check_update = false
  # Spark Jobs history
  config.vm.network "forwarded_port", guest: 4040, host: 4040
  # Spark Master
  config.vm.network "forwarded_port", guest: 8080, host: 8080

aravindkumarsvg

#!/bin/bash

# Global variable declarations
format="plain"
directories=() 
current_directory=`pwd`
report_directory="${current_directory}/report/"
fresh_report_directory="0"

# usage

aravindkumarsvg

#!/bin/bash

# Loops through the proc directory
for processId in `ls /proc/`; do
    # Checks for the status file for a process
    if [[ $processId =~ ^[0-9]+$ && -r "/proc/${processId}/status" ]]; then
        # Gets the swap space usage for the process
        swapUsage=`grep VmSwap "/proc/${processId}/status" | awk '{print $2}'`
        if [[ ! -z $swapUsage && $swapUsage > 0 ]]; then
            # Gets the process name