🐞
finding bugs.

Abdul Wahab Junaid aw-junaid

@aw-junaid
aw-junaid / clickjacking.md
Created November 23, 2025 13:25
Clickjacking is a malicious technique where a user is tricked into clicking something different from what they believe they are clicking. This is achieved by layering a transparent or invisible website element over a decoy page, which causes the user's click to perform an unintended action on the hidden, malicious site. Examples of this action i…

Finding a Clickjacking Vulnerability

Let's imagine our target is a social media site: https://socialapp.example.com.

Step 1: Spot State-Changing Actions

You browse the application and look for actions that change the state of your account or data and only require a single click (no text input, drag-and-drop, etc.).

Prime candidates on socialapp.example.com:

  • Profile Actions:

A Practical Walkthrough: Finding a CSRF Vulnerability

Let's imagine our target is a note-taking application: https://notes.example.com.

Step 1: Spot State-Changing Actions

You browse the application and identify actions that change data on the server. These are typically non-GET requests (POST, PUT, PATCH, DELETE).

Prime candidates on notes.example.com:

  • User Profile:
@aw-junaid
aw-junaid / sqlInjection.md
Created November 24, 2025 09:01
A SQL injection (SQLi) vulnerability is a web security flaw that enables an attacker to interfere with the queries an application makes to its database. It occurs when an application uses unsanitized user-supplied input to dynamically construct SQL queries, allowing malicious SQL code to be executed.

Finding a SQL Injection Vulnerability

Important Note: Always start with deliberately vulnerable applications like DVWA (Damn Vulnerable Web Application) or Web Security Academy before testing on real bug bounty programs.

Step 1: Map User Input Endpoints

Identify all locations where the application accepts user input:

Common SQLi injection points:

  • URL Parameters: GET /users?id=1
@aw-junaid
aw-junaid / IDOR.md
Created November 27, 2025 05:14
IDOR stands for Insecure Direct Object Reference, which is a type of web security vulnerability that occurs when an application directly exposes an internal object, like a user ID or file path, and doesn't perform adequate authorization checks. This allows an attacker to manipulate identifiers in a request, such as changing a URL parameter, to a…

Finding an IDOR Vulnerability

Let's imagine our target is a project management application: https://projects.example.com.

Step 1: Create Two Accounts

Create accounts with the same role to test horizontal privilege escalation:

@aw-junaid
aw-junaid / mathematical-notations.md
Created November 30, 2025 03:43
Comprehensive guide to all mathematical notations and symbols with explanations. Includes calculus (∫, ∑, ∞), algebra (∈, ⊂, ∀), geometry (∠, △, ∥), and logic symbols. Perfect for students, researchers, and technical writers.
@aw-junaid
aw-junaid / quantum-mechanics-symbols.md
Last active November 30, 2025 03:50
Ultimate guide to mathematical notation and quantum mechanics symbols. Includes calculus, algebra, set theory, Dirac notation, quantum operators, and Greek letters with detailed explanations. Perfect for students, physicists, and researchers.
@aw-junaid
aw-junaid / Nmap Cheat Sheet.md
Created December 17, 2025 15:27
The core scanning engine that performs network discovery, port scanning, version detection, and OS fingerprinting. It's a command-line tool that sends specially crafted packets to target hosts and analyzes the responses.
@aw-junaid
aw-junaid / networking.md
Created January 30, 2026 14:23
A comprehensive guide to essential Linux networking commands used for monitoring connections, SMB access, DNS enumeration, IP configuration, MAC spoofing, packet control, and network troubleshooting. Ideal for cybersecurity professionals, penetration testers, and system administrators.

Essential Linux Network Commands for Cyber Security & System Administration

Note: A few tools are deprecated on modern Linux (e.g., ifconfig, route, netstat). I include them, but I also include the modern ip replacements.


1) Monitor connections / sockets

ss (modern replacement for netstat)

  • Show TCP sockets with process info
@aw-junaid
aw-junaid / systeminfo.md
Created January 30, 2026 17:17
A complete guide to Linux system information and enumeration commands used for user management, process monitoring, package management, privilege escalation checks, SUID discovery, and system auditing. Essential for system administrators and cybersecurity professionals.

Linux System Information & Enumeration Commands (SysAdmin & Security Guide)

Host / identity / login info

  • nmblookup -A <ip>
    What it does: Queries NetBIOS name service to get the Windows/SMB hostname (and workgroup) for an IP (UDP/137).
    Example:

nmblookup -A 192.168.1.10

@aw-junaid
aw-junaid / FunctionalCommands.md
Created January 30, 2026 17:24
Practical commands for shell interaction, file transfer, user management, auditing, searching help, credential cracking helpers, SSH key usage, IDs, and HTTP actions (curl/wget). Includes corrected syntax and a few essential additions.

Functional Commands (Quick Ops)


Shell / interactive sessions

  • python -c "import pty; pty.spawn('/bin/bash')"