eWPT Preparation by Joas
Recon and Enumeration Domain
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
https://medium.com/qualityholics/ewpt-exam-review-tips-8a4d9cebf5f9
https://elearnsecurity.com/uncategorized/pentesting-101-fingerprinting-continued/
https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
https://www.youtube.com/watch?v=TmK0Zpggz48&ab_channel=SemiYulianto
https://www.youtube.com/watch?v=d8zwXxixz5Y&ab_channel=HacktifyCyberSecurity
https://resources.infosecinstitute.com/topic/how-to-create-a-subdomain-enumeration-toolkit/
https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/recon-and-osint/subdomain-enumeration
https://spyse.com/blog/information-gathering/how-to-find-subdomains-instantly
https://book.hacktricks.xyz/external-recon-methodology
https://github.com/KingOfBugbounty/KingOfBugBountyTips
https://www.youtube.com/watch?v=amihlWTtkMA&ab_channel=Nahamsec
https://www.youtube.com/watch?v=o8L2nweiF1s&ab_channel=InsiderPhD
https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21
https://portswigger.net/blog/finding-your-first-bug-bounty-hunting-tips-from-the-burp-suite-community
https://null-byte.wonderhowto.com/how-to/conduct-recon-web-target-with-python-tools-0198114/
https://www.infosecmatter.com/bug-bounty-tips/
https://hackbotone.medium.com/10-recon-tools-for-bug-bounty-bafa8a5961bd
https://www.youtube.com/watch?v=Hnz1d4WmD5Y&ab_channel=HackerSploit
https://www.youtube.com/watch?v=bewbdPvs_g8&ab_channel=Conda
Social Networks
https://www.linkedin.com/in/joas-antonio-dos-santos/
Wordpress Attacks and Other CMS Vulnerability
https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress
https://securityboulevard.com/2020/03/penetration-testing-for-wordpress-websites/
https://www.getastra.com/blog/security-audit/wordpress-penetration-testing/
https://deliciousbrains.com/wordpress-penetration-testing/
https://hackertarget.com/attacking-wordpress/
https://secure.wphackedhelp.com/blog/wordpress-security-tips-2019/
https://github.com/timashana/WordPress-Pentesting
https://github.com/jguerrero12/WordPress-Pentesting
https://github.com/whuang8/wordpress-pentests
https://github.com/magnimusprime/WordPress-Pentesting
https://www.infosecmatter.com/cms-vulnerability-scanners-for-wordpress-joomla-drupal-moodle-typo3/
https://www.acunetix.com/vulnerability-scanner/cms-vulnerability-scanner/
https://linuxsecurity.expert/security-tools/cms-vulnerability-scanners
https://medium.com/@rohitaher023/what-is-a-cms-vulnerability-scanner-and-what-is-its-need-for-security-5aef8d10227b
https://github.com/gajos112/OSCP/blob/master/CMS%20Vulnerability%20Scanners
BurpSuite
https://portswigger.net/burp/documentation/desktop/penetration-testing
https://www.youtube.com/watch?v=N-IKHmGjf2c&ab_channel=Bugcrowd
https://www.youtube.com/watch?v=G3hpAeoZ4ek&ab_channel=JohnHammond
https://www.youtube.com/watch?v=_XUQ7etMCT8&ab_channel=TutorialsPoint%28India%29Ltd.
https://www.youtube.com/watch?v=h2duGBZLEek&ab_channel=Bugcrowd
https://www.youtube.com/watch?v=Chql4bNE6_g&ab_channel=CyberFrat
https://www.youtube.com/watch?v=57559arUG3c&ab_channel=PortSwigger
https://www.youtube.com/watch?v=cyWmZ2WgnEE
https://www.youtube.com/watch?v=c0h3aciBIyQ&ab_channel=Vicky%27sBlog
https://www.youtube.com/watch?v=mibKttwhbRk&ab_channel=InsiderPhD
https://www.youtube.com/watch?v=iG7003AC8ys&ab_channel=webpwnized
https://www.youtube.com/watch?v=oWRseGm-a6I&ab_channel=KacperSzurekEN
https://www.youtube.com/watch?v=-6uPHcLj4oU&ab_channel=Hacksplained
https://portswigger.net/blog/20-burp-suite-tips-from-the-burp-user-community
ClickJacking Attacking
https://owasp.org/www-community/attacks/Clickjacking
https://portswigger.net/web-security/clickjacking
https://www.hacksplaining.com/prevention/click-jacking
https://resh.com.br/blog/realizando-bypass-no-cabecalho-x-frame-options/
https://auth0.com/blog/preventing-clickjacking-attacks/
https://www.synopsys.com/glossary/what-is-clickjacking.html
https://www.youtube.com/watch?v=jcp5t8PsMsY&ab_channel=HackerOne
https://www.youtube.com/watch?v=Pdc5KJfOQpI&ab_channel=Hacksplaining
https://www.youtube.com/watch?v=FEflwAIlLmg&ab_channel=Gomahamaya
https://www.youtube.com/watch?v=mso5FSWEtdo&ab_channel=VERILOGCOURSETEAM
https://www.youtube.com/watch?v=LEdwUGsffwY&ab_channel=MichaelSommer
https://www.youtube.com/watch?v=Zm1lQAQOqJ0&ab_channel=MichaelSommer
Session Hijacking
https://owasp.org/www-community/attacks/Session_hijacking_attack
https://www.youtube.com/watch?v=fxrCJNQ96Kg&ab_channel=intrigano
https://www.youtube.com/watch?v=OriuOtSCUpo&ab_channel=MarcosHenrique
https://www.youtube.com/watch?v=sqMCPxwzIf8&ab_channel=PluralsightIT-TrainingArchive
https://us.norton.com/internetsecurity-id-theft-session-hijacking.html
https://www.venafi.com/blog/what-session-hijacking
https://www.imperva.com/learn/application-security/session-hijacking/
https://www.globalsign.com/en/blog/session-hijacking-and-how-to-prevent-it
https://motilia.com/-/session-hijacking-xss-csrf
https://medium.com/stolabs/stored-xss-session-hijacking-20faf069ef4
https://www.youtube.com/watch?v=wbgOzImzAfg&ab_channel=D4RKR0N
https://www.youtube.com/watch?v=HQdCgooETXw&ab_channel=InfiniteLogins
https://www.youtube.com/watch?v=nJrH7HaiMPI&ab_channel=HackingTeacher
https://www.agiratech.com/xss-csrf-and-session-hijacking
FingerPrinting
https://pentestlab.blog/2012/08/01/web-application-fingerprinting/
https://pentestlab.files.wordpress.com/2012/11/automated-web-application-fingerprinting.pdf
https://www.youtube.com/watch?v=_k9Bsppz4A8&ab_channel=TheHacktivists
https://www.youtube.com/watch?v=_k9Bsppz4A8&ab_channel=TheHacktivists
https://www.youtube.com/watch?v=8WrluFRoJhs&ab_channel=BlackHat
https://null-byte.wonderhowto.com/how-to/fingerprint-web-apps-servers-for-better-recon-more-successful-hacks-0302807/
https://www.m2sys.com/blog/cloud-computing/three-ways-of-biometric-authentication-in-web-application/
https://www.youtube.com/watch?v=PAPaGTFSXK4&ab_channel=TheHacktivists
SQL Injection & Types and SQLMap
https://www.geeksforgeeks.org/authentication-bypass-using-sql-injection-on-login-page/#:~:text=SQL%20injection%20is%20a%20technique,that%20might%20destroy%20your%20database.
https://sechow.com/bricks/docs/login-1.html
https://portswigger.net/support/using-sql-injection-to-bypass-authentication
https://www.youtube.com/watch?v=RXBlTgsawdI&ab_channel=CyberSecurityTV
https://www.youtube.com/watch?v=b4Wn0n6LBcM&ab_channel=shadsluiter
https://www.youtube.com/watch?v=6O4NuKA0pSI&ab_channel=zSecurity
https://www.devmedia.com.br/sql-injection-em-ambientes-web/9733
https://www.guru99.com/learn-sql-injection-with-practical-example.html
http://www.securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html
https://www.sqlinjection.net/login/
https://owasp.org/www-community/attacks/Blind_SQL_Injection
https://portswigger.net/web-security/sql-injection/blind
https://www.netsparker.com/blog/web-security/how-blind-sql-injection-works/
https://infosecwriteups.com/out-of-band-oob-sql-injection-87b7c666548b
https://www.acunetix.com/blog/articles/sqli-part-6-out-of-band-sqli/
https://www.youtube.com/watch?v=soPDfYl2Ef8&ab_channel=RanaKhalil
https://www.youtube.com/watch?v=6Ei7wX1cp5k&ab_channel=RanaKhalil
https://www.youtube.com/watch?v=KOaDan0UqFs&ab_channel=RanaKhalil
https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band
https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/out-of-band-sql-injection/
CSRF
https://www.youtube.com/watch?v=HTgyif6u5RY&ab_channel=RanaKhalil
https://cobalt.io/blog/a-pentesters-guide-to-cross-site-request-forgery-csrf
https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery
https://www.youtube.com/watch?v=dMwxIHIabeg&ab_channel=TutorialsPoint%28India%29Ltd.
https://www.youtube.com/watch?v=TwG0Rd0hr18&ab_channel=HackerSploit
https://www.veracode.com/security/cross-site-request-forgery-guide-learn-all-about-csrf-attacks-and-csrf-protection
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery
https://www.rapid7.com/blog/post/2020/11/19/this-one-time-on-a-pen-test-csrf-to-password-reset-phishing/
https://corneacristian.medium.com/top-25-csrf-bug-bounty-reports-ffb0b61afa55
https://www.youtube.com/watch?v=ImqLlFMQrwQ&ab_channel=TheXSSrat
https://www.youtube.com/watch?v=ULvf6N8AL2A&ab_channel=InsiderPhD
Crawling and Spidering
https://www.screamingfrog.co.uk/seo-spider/
https://medium.com/@marlessonsantana/utilizando-o-scrapy-do-python-para-monitoramento-em-sites-de-not%C3%ADcias-web-crawler-ebdf7f1e4966
https://www.webfx.com/blog/internet/what-is-a-web-crawler/
https://www.octoparse.com/DataCrawler
https://www.screamingfrog.co.uk/crawl-javascript-seo/
https://www.parsehub.com/blog/web-scraping-vs-web-crawling/
https://www.youtube.com/watch?v=Kw3m37ebxmQ&ab_channel=HackerSploit
https://securityonline.info/not-your-average-web-crawler-web-crawler-for-bug-hunting/
http://mateslab.weebly.com/web-crawler-security-tool.html
https://pentestmag.com/startup-new-kind-web-crawler/
https://hakluke.medium.com/introducing-hakrawler-a-fast-web-crawler-for-hackers-ff799955f134
Reviews
https://medium.com/@unt0uchable1/elearnsecurity-ewpt-review-and-tips-72f955f3670
https://sorsdev.com/2021/04/18/elearnsecuritys-ewpt-exam-review/
https://h0mbre.github.io/eWPT/
https://www.linkedin.com/pulse/como-tirei-certifica%C3%A7%C3%A3o-ewpt-review-iran-macedo/?trk=read_related_article-card_title&originalSubdomain=pt
https://kentosec.com/2020/06/25/elearnsecurity-web-application-penetration-tester-ewpt-review/
https://www.reddit.com/r/AskNetsec/comments/6fwthl/elearnsecuritys_ewpt/
https://cinzinga.com/eWPT-WAPT/
https://www.youtube.com/watch?v=cOH7IYhbVPA&ab_channel=WilsonSecurityGroup
https://bestestredteam.com/2019/05/16/elearnsecuritys-web-application-penetration-tester-review/
https://thomfre.dev/elearnsecurity-web-application-pentester
https://www.doyler.net/security-not-included/ewpt-exam
https://www.youtube.com/watch?v=FhIOeXMWWCw&ab_channel=WilsonSecurityGroup
https://medium.com/cybersecpadawan/elearnsecurity-ewpt-certification-b7592bfc70af
https://www.linkedin.com/pulse/overview-da-certifica%C3%A7%C3%A3o-ewpt-elearning-web-tester-dos-santos/?originalSubdomain=pt
https://github.com/h0mbre/h0mbre.github.io/blob/master/_posts/2019-04-15-eWPT.md
https://github.com/h0mbre/h0mbre.github.io/blob/master/_posts/2019-08-03-Security-Certifications-And-Fun.md
https://github.com/IgorSasovets/web-security-learning-resources
https://sorsdev.com/2021/04/24/elearnsecuritys-ewpt-tips-tricks/
https://medium.com/@klockw3rk/elearnsecurity-web-application-penetration-testing-course-wapt-ewpt-2f7480120b8e
https://veteransec.com/2018/12/22/my-elearnsecurity-experience-part-1-wapt/
Web Application Fundamentals
https://pt.wikipedia.org/wiki/Cross-origin_resource_sharing#:~:text=Cross%2DOrigin%20Resource%20Sharing%20ou,o%20recurso%20que%20ser%C3%A1%20recuperado.
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/CORS
https://www.youtube.com/watch?v=af5RI6bLkyw&ab_channel=SoftwareEngineeringInstitute%7CCarnegieMellonUniversity
https://www.youtube.com/watch?v=h-WtIT6gCBk&ab_channel=TheTechCave
https://www.freecodecamp.org/news/secure-your-web-application-with-these-http-headers-fd66e0367628/
https://help.deepsecurity.trendmicro.com/20_0/on-premise/http-security-headers.html#:~:text=Security%20headers%20are%20directives%20used,Cross%2DSite%20Scripting%20or%20Clickjacking.
https://www.netsparker.com/blog/web-security/http-security-headers/
https://owasp.org/www-project-secure-headers/
https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/
https://www.youtube.com/watch?v=CFzgKfnmG-Q&ab_channel=PrettyPrinted
https://www.youtube.com/watch?v=9dT0FSH-aGQ&ab_channel=CodingTech
https://www.youtube.com/watch?v=eesqK59rhGA&ab_channel=TheTechCave
https://rapidapi.com/blog/api-glossary/http-request-methods/
https://code-maze.com/http-series-part-1/
XSS and BeeF
https://github.com/boku7/XSS-Clientside-Attacks
https://github.com/Naategh/PyCk/tree/master/Web
https://medium.com/bugbountywriteup/file-upload-xss-patched-83ea55bb9a55
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
https://www.kitploit.com/2018/05/xss-payload-list-cross-site-scripting.html
https://www.aptive.co.uk/blog/xss-cross-site-scripting/
https://labs.nettitude.com/blog/cross-site-scripting-xss-payload-generator/
https://cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss
https://xss.js.org/#/
https://www.researchgate.net/figure/Classification-of-XSS-payloads-exemplified_fig4_220622661
https://xsshunter.com/features
https://www.cin.ufpe.br/~tg/2009-2/agsj.pdf
ftp://ftp.registro.br/pub/gts/gts33/tutorial/A7%20-%20Cross-Site%20Scripting.pdf
http://www.inf.ufsc.br/~bosco.sobral/ensino/ine5680/material-seg-redes/Serie%20Ataques-RedeSegura-XSS.pdf
http://prlalmeida.com.br/anteriores/ArqRefNegocios/Aula%2054%20-%20Cross%20Site%20Scripting.pdf
https://www.enacomp.com.br/2017/docs/analise-vulnerabilidade_xss_apps_web.pdf
https://owasp.org/www-pdf-archive//OWASPTop10XSSLongIsland.pdf
https://owasp.org/www-community/Types_of_Cross-Site_Scripting
https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://www.acunetix.com/websitesecurity/xss/
https://www.veracode.com/security/xss
https://blog.detectify.com/2019/03/15/what-are-the-different-types-of-xss/
Vulnerability Analysis
https://www.youtube.com/watch?v=Uv6Idf5ZB9c&ab_channel=MotasemHamdan
https://www.youtube.com/watch?v=KeSUiCr-WGo&ab_channel=webpwnized
https://www.youtube.com/watch?v=pPU2XTFyRmU&ab_channel=denimgroup
https://www.youtube.com/watch?v=wLfRz7rRsH4&ab_channel=CyberSecurityTV
https://mediaspace.regis.edu/media/OWASP+ZAP+Overview+For+Website+Vulnerability+Scanning/1_zpnvcxvx
https://www.youtube.com/watch?v=YTs8GF2eaA0&ab_channel=ParagDhali
https://www.youtube.com/watch?v=_MmDWenz-6U&ab_channel=OracleDevelopers
https://portswigger.net/burp/documentation/desktop/scanning
https://www.youtube.com/watch?v=VP9eQhUASYQ&ab_channel=PortSwigger
https://www.youtube.com/watch?v=W0O53inMaIY&ab_channel=webpwnized
https://www.youtube.com/watch?v=1HDC6fKsKYE&ab_channel=NullByte
https://www.youtube.com/watch?v=X3BGO9U8zuU&ab_channel=CalebBucker
https://github.com/poerschke/Uniscan
https://github.com/We5ter/Scanners-Box
https://github.com/skavngr/rapidscan
User Enumeration and Brute Force & Bypass Attack
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
https://www.kaspersky.com/blog/username-enumeration-attack/34618/
https://www.vaadata.com/blog/user-enumerations-on-web-applications/
https://www.triaxiomsecurity.com/common-web-application-vulnerabilities-username-enumeration/
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses
https://www.youtube.com/watch?v=fP0VVzPI4jQ&ab_channel=Hacksplaining
https://www.youtube.com/watch?v=WCO7LnSlskE&ab_channel=SubhankarAdhikary
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing
https://www.youtube.com/watch?v=ZUKvet_BsoY&ab_channel=ITProTV
https://www.youtube.com/watch?v=cL9NsXpUqYI&ab_channel=HackerSploit
https://www.youtube.com/watch?v=_-0JKW3U0aU&ab_channel=SathvikTechtuber
https://www.youtube.com/watch?v=fdb3U2EFLzo&ab_channel=ISOEHIndianSchoolofEthicalHacking
https://portswigger.net/support/using-burp-to-brute-force-a-login-page
https://www.hacksplaining.com/prevention/user-enumeration
XPath injection with XCAT
https://www.oreilly.com/library/view/web-penetration-testing/9781788623377/4ebcd489-b08a-4074-988b-df61d373a6b5.xhtml
https://tomforb.es/exploiting-xpath-injection-vulnerabilities-with-xcat/
https://www.kitploit.com/2014/08/xcat-tool-that-aides-in-exploitation-of.html?m=0
https://www.hacking.land/2017/10/xcat-automate-xpath-injection-attacks.html
https://snyk.io/advisor/python/xcat
https://owasp.org/www-pdf-archive/HAAS_OWASP_NZ_13-Improving_XPath_Injection.pdf
https://book.hacktricks.xyz/pentesting-web/xpath-injection
https://www.youtube.com/watch?v=4yrGD9Xj-hY&ab_channel=SecureCodeWarrior
https://www.youtube.com/watch?v=5ZDSPVp1TpM&ab_channel=MotasemHamdan
https://www.youtube.com/watch?v=6tV8EuaHI9M&ab_channel=Maurisec
https://www.youtube.com/watch?v=ySJwlMsFbco&ab_channel=JohnHammond
https://www.youtube.com/watch?v=p3-ZfhaSRZ0&ab_channel=ThiagoPereira
https://www.youtube.com/watch?v=AvOcikbZsik&ab_channel=EthicalHackingandDigitalForensicsTutorial
https://www.youtube.com/watch?v=U-MZJ6rbqi4&ab_channel=AutomationStepbyStep
SOAP Attacks
https://www.ws-attacks.org/SOAPAction_Spoofing
https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf
https://resources.infosecinstitute.com/topic/soap-requests/
https://www.neuralegion.com/blog/top-7-soap-api-vulnerabilities/
https://blog.securelayer7.net/owasp-top-10-penetration-testing-soap-application-mitigation/
https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-stamos.pdf
https://www.soapui.org/docs/security-testing/security-scans/sql-injection/
https://www.youtube.com/watch?v=UINLbiq19NQ&ab_channel=90%27sHacks
https://www.youtube.com/watch?v=4tmvQ5a4200&ab_channel=CyberSecurityTV
https://capec.mitre.org/data/definitions/110.html
https://www.mantisbt.org/bugs/view.php?id=16879
https://www.dionach.com/blog/web-services-blind-sql-injection/
https://resources.infosecinstitute.com/topic/soap-attack-2/
https://www.youtube.com/watch?v=jDcXub5grgM&ab_channel=90%27sHacks
File and Resource Attacks
https://owasp.org/www-community/attacks/Resource_Injection
https://resources.infosecinstitute.com/topic/file-inclusion-attacks/
https://www.sciencedirect.com/topics/computer-science/attack-resource
https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/
https://portswigger.net/web-security/file-path-traversal
https://www.neuralegion.com/blog/local-file-inclusion-lfi/
https://www.neuralegion.com/blog/file-inclusion-vulnerabilities/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/reflected-file-download-a-new-web-attack-vector/
https://www.onsecurity.io/blog/file-upload-checklist/
https://medium.com/@juangrimm/o-que-%C3%A9-lfi-hacking-3bc709dfb5da
CyberSecurityUP
CyberSecurityUP