Cheat sheets

Browser security resources

Cezary Cerekwicki, head of product security at Opera, compiled a list of browser security learning materials. It’s definitely for you if you are interested in hacking browsers, but even if you’re not, there are some references like the Public Suffix List or whitepapers...

Salesforce SOQL injection resources

Jason Haddix asked on Twitter for some tips about SOQL injection in Salesforce, and there are some great resources linked there. I haven’t been hacking Salesforce for a while now, but I remember from my pentesting days that it’s been an absolute mess, so I want to have...

IDOR cheat sheet

With modern frameworks secured by default against many popular vulnerabilities, I see that IDORs have a bigger share in my pentest reports, usually with high risk as well. IDORs are:
- hard to find using DAST, SAST or source code review
- relatively easy to find for a human...

Everything about 2FA

With the number of password leaks in recent years, 2FA (two-factor authentication) is implemented in more and more systems, including, of course, those with bug bounty programs. There are quite a few things that can go wrong when implementing 2FA, and you should...

Over 200 public pentest reports

Pentesting reports are usually confidential. If you do regular pentests, you know that your reports mustn't be shared with anyone. It's likely that you have only seen reports from companies you worked at, and you think that you just can't read other ones...