❯ RedSquad

RoadMap

5 min read

CVEs Vulnerabilities DB

Exploits

  • Exploit-DB - Exploit Database
  • Sploitus - Convenient central place for identifying the newest exploits
  • Rapid7 - DB - Vulnerability & Exploit Database
  • Vulmon - Vulnerability and exploit search engine
  • packetstormsecurity.com - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
  • 0day.today - Ultimate database of exploits and vulnerabilities
  • LOLBAS - Living Off The Land Binaries, Scripts and Libraries
  • GTFOBins - Curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
  • Payloads All The Things - A list of useful payloads and bypasses for Web Application Security
  • XSS Payloads - The wonderland of JavaScript unexpected usages, and more
  • exploitalert.com - Database of Exploits
  • Reverse Shell generator - Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode
  • HackerOne hacktivity - See the latest hacker activity on HackerOne
  • Bugcrowd Crowdstream - Showcase of accepted and disclosed submissions on Bugcrowd programs
  • GTFOArgs - Curated list of Unix binaries that can be manipulated for argument injection
  • shell-storm.org/shellcode - Shellcodes database for study cases
  • Hacking the Cloud - Encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure
  • LOLDrivers - Open-source project that brings together vulnerable, malicious, and known malicious Windows drivers
  • PwnWiki - Collection of TTPs (tools, tactics, and procedures) for what to do after access has been gained
  • CVExploits Search - Your comprehensive database for CVE exploits from across the internet
  • VARIoT - VARIoT IoT exploits database
  • LOOBins - Detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes
  • Coalition Exploit Scoring System - Model that dynamically scores new and existing vulnerabilities to reflect their exploit likelihood
  • WADComs - Interactive cheat sheet containing a curated list of offensive security tools and their respective commands to be used against Windows/AD environments
  • LOLAPPS - Compendium of applications that can be used to carry out day-to-day exploitation
  • Living off the Hardware - Resource collection that provides guidance on identifying and utilizing malicious hardware and malicious devices
  • Living Off the Pipeline - How development tools commonly used in CI/CD pipelines can be used to achieve arbitrary code execution

Platforms

Report type

  • Title
    • The first impression is the last impression, the security engineer looks at the title first and he should be able to identify the issue.
    • Write about what kind of functionality you can able to abuse or what kind of protection you can bypass. Write in just one line.
    • Include the Impact of the issue in the title if possible.
  • Description
    • This component provides details of the vulnerability, you can explain the vulnerability here, write about the paths, endpoints, error messages you got while testing. You can also attach HTTP requests, vulnerable source code.
  • Steps to Reproduce
    • Write the stepwise process to recreate the bug. It is important for an app owner to be able to verify what you’ve found and understand the scenario.
    • You must write each step clearly in-order to demonstrate the issue. that helps security engineers to triage fast.
  • Proof of Concept
    • This component is the visual of the whole work. You can record a demonstration video or attach screenshots.
  • Impact
    • Write about the real-life impact, How an attacker can take advantage if he/she successfully exploits the vulnerability.
    • What type of possible damages could be done? (avoid writing about the theoretical impact)
    • Should align with the business objective of the organization