Security Cipher
Name | Description | Family
---|---|---
Cross-Site Scripting (XSS) | Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. | Vulnerability
Burp Suite | Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. | Tool
Cross-Site Scripting (XSS) | XSS is a type of injection attack that occurs when malicious code is injected into your web application via user input. This can allow attackers to steal cookies, access sensitive information, redirect users, etc. | Vulnerability
SQL Injection | SQL Injection is a form of injection attack where data entered into a web application forms a query string that is sent to a database server. An attacker may use this vulnerability to extract confidential information from databases, deface websites, delete data, or even modify transactions. | Vulnerability
Cross-Site Request Forgery (CSRF) | CSRF is a type of request forgery attack that exploits a trusted session between a victim and a website. By manipulating the trusted session, an attacker can trick the victim into performing actions against their own interests. | Vulnerability
Strict-Transport-Security (HSTS) | HTTPS stands for Hypertext Transfer Protocol Secure. This protocol was designed to ensure that data sent between two computers is encrypted. When using HTTPS, the connection between your browser and the website's server is secure. HSTS is a security measure that forces browsers to use only secured connections to websites. This helps prevent man-in-the-middle attacks, where someone can intercept and read your traffic without being detected. | Security Header
OWASP (Open Web Application Security Project) | OWASP (Open Web Application Security Project) is a community-driven open standard that helps organizations identify, analyze, and mitigate application security risks. OWASP provides free resources like guides, tools, training, events, and forums to help developers, testers, architects, and other IT professionals understand and effectively secure their applications. | Community
DevSecOps | DevSecOps is a concept where developers and operations work together to deliver secure software faster. |
Jenkins | Jenkins is a free open-source automation tool that can help you automate your workflow. Jenkins is a continuous integration server, meaning that it runs automated tests on your code before each commit. This helps ensure that your code works properly before you push it to GitHub. | Tool
OWASP ZAP | ZAP stands for Zero Access Pathway. This project was created to help prevent attacks from malicious code that can be embedded into websites. By using this tool, we are able to scan our website for any vulnerabilities that may exist. | Tool
OWASP Top 10 | The OWASP Top 10 is a list of the most common web application security risks. These risks include SQL injection, cross-site scripting, session management, insecure deserialization, directory traversal, parameter tampering, path disclosure, open redirects, insecure direct object references, and many others. |
Username Enumeration | Username enumeration is a technique that allows attackers to discover usernames from user accounts. This can be done through brute force attacks, dictionary-based attacks, or even social engineering. In this video we'll discuss how to perform username enumeration using Burp Suite. | Vulnerability
Directory Traversal | Directory Traversal is the ability to access files that are not normally accessible. This can be done through the use of tools like FTP (File Transfer Protocol) or SSH (Secure Shell). Directory traversal is used to gain access to restricted directories. | Vulnerability
Secure Shell Protocol (SSH) | Secure Shell Protocol is used to transfer files securely over a network. SSH is a protocol that allows users to log into remote computers using passwords or public/private keys. SSH can be used to connect to any computer running a Unix-like operating system. | Protocol
Secure Copy Protocol (SCP) | Secure Copy Protocol is a file transfer protocol that uses encryption to ensure data integrity while being transferred between two hosts. SCP is commonly used to copy files from one host to another. | Protocol
Simple Network Management Protocol (SNMP) | Simple Network Management Protocol is a standard communications protocol for managing devices on IP networks. SNMP provides information about network elements like routers, switches, servers, etc. | Protocol
Hypertext Transfer Protocol Secure (HTTPS) | This protocol is used to transfer data securely over the internet. When you are using your browser to access websites, the website's address begins with https:// instead of http://. This means that any information sent from the site to your computer is encrypted, making sure that no one can read it while it travels across the web. | Protocol
Hypertext Transfer Protocol (HTTP) | This protocol is used when you want to visit a website. Your browser uses this protocol to communicate with the server. | Protocol
Simple Mail Transport Protocol (SMTP) | This protocol is usually used to send emails. | Protocol
Local File Inclusion (LFI) | Local File Inclusion is a type of security vulnerability that allows attackers to include files from remote locations into web pages served by vulnerable servers. This can allow them to steal sensitive information like usernames, passwords, credit card details, etc. LFI attacks are usually carried out through malicious links in emails or websites. | Vulnerability
Remote File Inclusion (RFI) | Remote File Inclusion is similar to local file inclusion but instead of including files locally, the attacker includes files remotely. This means that they don't need to have access to your server at all. They just need to know the path to the file. RFI attacks are usually carried out through cross-site scripting vulnerabilities. | Vulnerability
Remote Code Execution (RCE) | Remote code execution occurs when a malicious actor executes code remotely without having direct access to the system. This can occur via a variety of vectors, including web-based attacks, email attachments, infected USB devices, etc. There are many different ways that remote code execution can take place. Some common vectors include: Web Application Attacks, Email Attachments, Malicious Links, Infected USB Devices, and Other Methods. | Vulnerability
WordPress | WordPress is a free and open-source content management system (CMS) that allows users to easily publish their web pages or blogs online. WordPress was created by Automattic, LLC, the company behind the popular blogging platform Tumblr. WordPress is used by millions of people across the globe and has been downloaded over 100 million times. | CMS
Joomla | Joomla! is free software released under the GNU/GPL license. Joomla! was created to provide developers with a robust, reliable, and powerful content management system (CMS) platform that can be used to create websites and web applications. Joomla! is open-source software, meaning that its code is freely available for anyone to use and improve upon. | CMS
Strapi | Strapi is a free open-source platform that makes developing your own web applications easy. It's built using ReactJS (a JavaScript library) and GraphQL (an API query language). You can use any programming language to develop plugins for Strapi. Strapi is used to create modern websites and mobile apps. With its modular architecture, you can easily add features like authentication, user management, data storage, email sending, payment processing, analytics, etc. | CMS
GraphQL | GraphQL is a query language that allows you to define how data should be returned from your API. This is done through a simple interface where you can define what fields are returned and how they are formatted. You can then use this information to create client-side applications that consume your API. Apollo Client is a library that makes working with GraphQL easy. It provides a number of features including caching, subscriptions, error handling, and much more. | Language
JavaScript | JavaScript is a programming language that can be used to create interactive web pages. JavaScript is embedded into HTML (HyperText Markup Language) documents to add interactivity and animation to your website. In this tutorial we are going to learn how to embed simple JavaScript code into our HTML document. | Language
Wireshark | Wireshark is a network protocol analyzer that can capture packets from any interface on your computer. You can then use this information to analyze traffic on the network. This tool is useful for troubleshooting problems on the local area network (LAN) and helps identify what type of data is being sent over the wire. | Tool
Aircrack-ng | This is a free software tool that allows you to crack WEP/WPA/WPA2 networks using only your wireless card. This program has been tested on Windows XP SP2, Vista, 7, 8, 10 and Mac OS X 10.5.8. | Tool
GitHub | GitHub is a web-based hosting service that allows users to create online repositories where they can store files and share them with others. This allows developers to collaborate and work together easily from anywhere at any time. GitHub was founded in 2008 by Chris Wanstrath and PJ Hyett. |
Git | Git is a version control system (VCS) used to manage changes to software code. A VCS helps programmers keep track of who changed what, when, and why. Git was created by Linus Torvalds while he was working for Novell in 2004. |
Kali Linux | Kali Linux is a free open-source security distribution based on Debian GNU/Linux. Kali Linux was created by Offensive Security, Inc., a U.S.-based computer security company specialising in penetration testing and ethical hacking. | Operating System
Windows | Windows Operating System (WOS) is a computer operating system developed and marketed by Microsoft Corporation. It was first released in 1985 as MS-DOS 6.0 and has since been updated several times. WOS is currently used on personal computers, servers, embedded systems, mobile devices, video game consoles, and other computing platforms. | Operating System
Directory Listing | Directory listing vulnerabilities are a common problem that can occur when web servers are configured incorrectly. This type of vulnerability allows hackers to gain access to sensitive information about your website. A hacker may use this information to steal your customers' personal data, sell their information, or even shut down your site completely. | Vulnerability
DOM Cross-Site Scripting (DOM XSS) | DOM Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when malicious code is injected into a web page's Document Object Model (DOM). This can allow attackers to steal cookies, inject ads, redirect users, or access sensitive information. | Vulnerability
Java Deserialization | The Java serialization mechanism allows objects to be saved to files or streams. This can be used to store data that needs to be sent over networks or stored on disk. However, this feature has been exploited before. In fact, the first time I heard about this was back in 2004, but it wasn't until recently that I started to pay attention to this issue again. How does it work? Serialization works by converting an object into a stream of bytes. These bytes are then written to a file or streamed to other applications. When reading these bytes, the application reads them from the file or stream and converts them back into an object. What's the problem? This method of storing information is great, but it has some drawbacks. One of the biggest problems is that if the original object isn't properly initialized, it could cause a memory leak. If the object contains pointers to other objects, they may not be deallocated properly. Another problem is that the serialized form of the object doesn't contain any information about its type. This means that if the object is converted back into its original state, it won't know what kind of object it is. | Vulnerability
Open Redirection | The open redirect vulnerability allows attackers to use malicious URLs that point to any website other than the intended target. This can allow them to steal cookies, inject malware into your browser, or even change the content of the page you are viewing. | Vulnerability
Session Fixation | Session fixation occurs when an attacker takes control of a user's session ID. They may then impersonate the user by logging into websites they have access to. | Vulnerability
Server-Side Template Injection (SSTI) | Server-side template injection is a technique that allows attackers to inject malicious code into web pages without having access to the server's filesystem. This can allow them to bypass certain security controls, like firewalls, and gain remote control over vulnerable servers. SSTI works by using HTML tags to insert content from external files. These files are typically stored on the same server as the page being served, but they could also be stored on other servers. When a user requests a page containing an embedded file, the browser first sends a request to the server hosting the page. If the server does not have a copy of the file, it returns a 404 error message. However, if the server has a copy of the file and it contains malicious code, the server may serve it instead of returning a 404 error. | Vulnerability
Host Header Injection | Host Header Injection is a technique that allows attackers to inject malicious code into web pages served by vulnerable servers. This can allow them to steal cookies from other users, redirect victims to phishing sites, or even install malware on their computers. It is used to deliver ransomware, exploit banking websites, and launch DDoS attacks. An attacker can use this flaw to create a specially crafted request that will cause the application to perform actions on behalf of the user. | Vulnerability
X-Frame-Options | The X-Frame-Options HTTP response header allows web browsers to prevent clickjacking attacks against pages that use framesets. This prevents malicious sites from tricking users into clicking links that take them out of their intended frame. | Header
Content-Type | The content type is used to identify the MIME format of the data being transmitted. This information can be used by a web server to determine how to handle the request. | Header
X-Content-Type-Options | The header allows the client to specify that they want to prevent caching of the document. In other words, if the browser requests this document again, it should not use its cached version but instead send a fresh copy back to the user. | Header
X-XSS-Protection | The header prevents cross-site scripting attacks by setting the value of the 'script' attribute to 'false'. If a malicious script is injected into your page, this option will prevent it from executing. | Header
Content-Security-Policy | Content Security Policy (CSP) is a W3C specification that allows web applications to declare what resources they are allowed to load from. This helps prevent cross-site scripting attacks. CSP can be used to restrict access to sensitive data like credit card numbers, passwords, etc. | Header
JSON Web Token (JWT) | JSON Web Token (JWT) is a JSON-based data structure that can be used to encode information about an identity, including its claims. JWTs are commonly used in OAuth 2.0 access tokens and OpenID Connect ID Tokens. They are based on the concept of signing and encrypting messages using HMAC SHA-256 hashing algorithms. |
Security Assertion Markup Language (SAML) | SAML is a standard that allows users to authenticate themselves to web services using their username and password. This is useful if your website uses a third-party service that requires authentication. SAML is used for Single Sign On (SSO) where a user logs into a single application and then can access other applications without having to log in again. |
OAuth | OAuth stands for Open Authentication. It's a protocol that allows third-party systems (such as social media sites) to access your information without having to ask for your username and password. This is especially useful if you're using multiple accounts from different websites. OAuth is used to authorize requests from clients, usually web applications, to obtain tokens that can be exchanged for a user's basic profile information. These tokens are short lived, typically only good for a few minutes, but they do allow the application to request specific pieces of data without exposing the user's credentials. |
Cross-Origin Resource Sharing (CORS) | Cross-Origin Resource Sharing (CORS) is a standard that allows web servers to specify what origins are allowed to access their resources. This can help prevent cross-site scripting attacks. When a website wants to load content from another domain, it has to use either JSONP or XMLHttpRequest. These methods allow JavaScript code to make requests to other domains, but they both have some drawbacks. In order to implement CORS, the server needs to add a header to its responses. This header contains information about which origins are allowed to access the resource. |
HTML Injection | The HTML injection vulnerability allows an attacker to inject arbitrary HTML into any page loaded from this domain. | Vulnerability
HTTP Methods | HTTP methods are used to communicate with a web server. They define how the client can interact with the server. There are five different types of HTTP methods that are defined as follows: GET, POST, PUT, DELETE, and HEAD. These methods are used to perform operations like retrieving data from a database, updating information, deleting records, etc. |
Cookies | Cookies are temporary files that store information about your browsing activity on a website. They can be used to track what pages you visit and how long you spend on each page. Cookies are usually deleted once you close your browser but some websites may use them to keep track of your activities over time. |
Subdomain Takeover | Subdomain takeover vulnerabilities are a type of attack that can occur when a website is compromised and the attacker gains access to other subdomains on the same domain name. This allows them to gain control over those subdomains and use them to spread malware, steal information, or even redirect users to malicious websites. | Vulnerability
Malware | Malware is a term used to describe malicious software that can cause harm to your computer. This includes viruses, worms, trojans, adware, spyware, rootkits, etc. | Term
Virus | A virus is a type of malware that infects your computer's operating system. Viruses are usually spread through email attachments, websites, or other types of files. Once infected, they replicate themselves over and over again until they have taken control of your entire hard drive. | Term
Worms | Worms are small pieces of code that can copy themselves from one computer to another. They do this by using the internet to find computers that are vulnerable to them. Once they find a target, they attach themselves to the computer and wait for instructions. These instructions could be anything from sending spam emails to stealing personal information. | Term
Adware | Adware is software that has been designed specifically to infect your computer without your knowledge or consent. This software can cause problems ranging from slow performance to complete system failure. Adware is usually bundled with other programs and often comes pre-installed on computers. Once installed, adware may continue to run even after you have uninstalled the original program. | Term
Spyware | Spyware is software that is designed to monitor what you do online. Some spyware is used to steal personal information from your computer while other spyware is used to track your internet activity. | Term
Rootkits | Rootkits are malicious software that can infect your computer without your knowledge. They are usually installed through other malware programs like viruses, Trojans, etc. Rootkits are designed to hide their existence from the user and make themselves undetectable. Once they have been installed, rootkits can monitor your activities and steal information from your system. This includes passwords, banking details, credit card numbers, personal data, etc. | Term
Amazon Web Services (AWS) | Amazon Web Services is a cloud computing service that provides Internet-based resources through virtual machines. AWS offers several different types of services including Elastic Compute Cloud (EC2), Simple Storage Service (S3), Elastic Block Store (EBS), Relational Database Service (RDS), Auto Scaling, Elastic Load Balancing, and CloudFormation. These services are designed to make it easy to set up, operate, and scale infrastructure. | Cloud Platform
Microsoft Azure | Microsoft Azure is a cloud computing platform that allows users to build and deploy applications online. This helps businesses reduce costs and increase productivity. Microsoft Azure provides its customers with a wide range of services including web hosting, database management, email, storage space, and many others. | Cloud Platform
Google Cloud Platform (GCP) | Google Cloud Platform (GCP) is a fully managed service that provides developers with a suite of tools to build, deploy, and manage applications online. GCP offers a variety of services including storage, networking, databases, analytics, machine learning, messaging, APIs, and many others. | Cloud Platform
Alibaba Cloud | Alibaba Cloud is a cloud computing service platform provided by Alibaba Group Holding Limited. It was launched in 2009 and has been expanding rapidly since then. It provides services including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). | Cloud Platform
Oracle Cloud | Oracle Cloud is a service that provides computing resources through the Internet. Oracle Cloud offers services like storage, databases, networking, and other IT infrastructure services. It is a platform-as-a-service (PaaS) offering from Oracle Corporation. | Cloud Platform
Secure Sockets Layer (SSL) | This protocol was developed to provide secure communication between web browsers and servers. In other words, this protocol provides encryption and authentication of data that is sent over the internet. SSL uses public-key cryptography. Public-key cryptography relies on two keys: a public key and a private key. The public key can be shared freely while the private key should only be known to the owner. When a user wants to send information to a server, they use their own private key to encrypt the message. Only the recipient has access to the private key, so they are able to decrypt the message using the public key. | Protocol
File Transfer Protocol (FTP) | The File Transfer Protocol (FTP) is a standard way to move files between computers over a network. FTP is used to upload and download files from a server to your computer. You can use this method to send large amounts of data to and from your website. | Protocol
Secure File Transfer Protocol (SFTP) | Secure File Transfer Protocol (SFTP) is an encrypted version of the File Transfer Protocol (FTP). SFTP uses public-private key encryption to encrypt communications between client and server. This means that only the user who has the private key can decrypt the communication. | Protocol
Demilitarized Zone (DMZ) | Demilitarized Zone (DMZ) is a term used to describe a portion of a network that has been separated from the rest of the network to prevent unauthorized access to sensitive information. DMZs are typically located between two firewalls, one internal and one external. This separation prevents any data from being transferred between the networks. | Term
Firewall | Firewalls are used to protect your computer from outside attacks. They can be either software-based (e.g., antivirus) or hardware-based (e.g., firewalls). A firewall is a type of gateway that controls incoming and outgoing network connections and allows only certain kinds of data to enter or leave a computer. | Term
Intrusion Detection System (IDS) | An intrusion detection system (IDS) is a network security device that monitors computer networks for unauthorized activity. An IDS can detect intrusions at various stages of their life cycle. Intrusions are detected using different methods including signature matching, anomaly detection, protocol analysis, host-based monitoring, and misuse prevention. | Term
Intrusion Prevention System (IPS) | An intrusion prevention system (IPS) is a network security device that monitors traffic entering or leaving a protected area. An IPS can detect and block unauthorized access attempts to a computer network. | Term
Internet Service Provider (ISP) | An Internet Service Provider (ISP) is a company that provides access to the internet. ISPs are often referred to as broadband providers. There are many different types of ISPs including cable companies, satellite companies, DSL providers, wireless carriers, etc. | Term
Virtual Private Network (VPN) | A virtual private network (VPN) is a secure connection between two devices that allows them to communicate securely over a public network. A VPN creates a secure tunnel through the internet from your computer to a remote server, allowing you to access resources on the other side of the internet without being exposed to hackers. | Term
Domain Name | Domain names are used to identify Internet resources, such as websites, computer servers, and other services that are connected to the Internet. A domain name consists of a series of characters that identifies a server's IP address. Domain names are organized into various top-level domains (TLDs), including .com, .net, .org, and many others. | Term
Dynamic Host Configuration Protocol (DHCP) | This protocol allows your computer to automatically obtain IP addresses from a central server. DHCP is used to assign IP addresses to computers that are connected to a network. | Term
IP Address | An IP address is a unique identifier that identifies each device connected to the internet. Every device has its own IP address, which allows computers to communicate with each other over the internet. An IP address consists of four numbers separated by dots (e.g., 192.168.1.1). Each number represents a different section of the network. The first three sections are called octets. Octet 1 is the network ID, octet 2 is the subnet mask, and octet 3 is the host ID. | Term
Botnets | Botnets are networks of infected computers that are used to control other computers remotely. They can be used to perform any number of malicious activities, including sending spam email, stealing data, launching denial-of-service attacks, and even committing credit card fraud. |
Denial of Service (DoS) | Denial of Service (DoS) attacks are a type of cyber attack that involves flooding a target computer system with requests from multiple sources until it becomes overwhelmed and either crashes or slows down to a crawl. This can cause significant damage to the targeted network. | Attack
Distributed Denial-of-Service (DDoS) | Distributed Denial-of-Service (DDoS) attacks involve sending malicious traffic from many different computers at once. This makes them harder to detect and stop than single-source DoS attacks. | Attack
Phishing | Phishing is a type of social engineering that involves sending emails to people pretending to be someone else (the "victim") asking them to perform some action on their behalf. This can include requesting personal information like usernames, passwords, credit card details, etc. | Attack
Social Engineering | Social Engineering is the act of manipulating people into doing things they normally wouldn't do. This can either be done through deception or manipulation. Social engineering is used in many different ways, but some common examples are phishing (faking emails), phone scams, and even physical attacks. In this video we discuss how social engineering is being used today by hackers around the world to gain access to sensitive data and systems. We then explore the different ways that social engineering can be used to manipulate people. | Attack
Encryption | Encryption is the process of converting data into a form that can only be read by those who have access to a specific code or key. This is done through the use of mathematical algorithms. | Term
Hashing | Hashing is the act of using a computer program to create a unique hash code from a string of text. This hash code can then be used to identify that same string of text later on. Hashing is typically used to make sure that two different strings are not identical. |
Clickjacking | Clickjacking is a type of attack that involves tricking users into clicking on links/buttons that take them to malicious websites. This can happen if the user is tricked into thinking they are visiting a legitimate website but instead ends up at a phishing site where their personal information is stolen. | Vulnerability
Dark Web | The Dark Web is a hidden section of the internet that requires special software to access. This area of the web is used primarily for illegal activities such as buying and selling drugs, weapons, counterfeit goods, hacking into private databases, and other criminal activity. |
Darknet | Darknet is a term used to describe the hidden parts of the internet that are not indexed by search engines. These websites can be accessed through the Tor (The Onion Router) browser, which allows users to browse anonymously. Darknet markets have been around since before Bitcoin was even created. They offer everything from drugs, weapons, stolen credit card details, and other illicit goods and services. |
Bitcoin | Bitcoin is a cryptocurrency that was created in 2008 by Satoshi Nakamoto. It uses peer-to-peer technology to facilitate instant payments. The total supply of Bitcoins is capped at 21 million coins, though this limit can change over time. Bitcoin offers low transaction fees, minimal volatility and allows users to send money across the world without borders or intermediaries. |
Nikto | Nikto is a free online scanner that checks your server for vulnerabilities like SQL injection, directory traversal, cross-site scripting (XSS), file inclusion, remote code execution, etc. Nikto can scan both Apache and IIS web servers. | Tool
Active Directory | Active Directory (AD) is a Microsoft technology that provides centralized management of user accounts and resources across multiple devices and platforms. AD allows users to access their network resources from any device, anywhere at any time. |
Dex2Jar | DEX2JAR is a free online tool that allows users to convert their favourite files into jar archives. This can be done manually or automatically using batch conversion scripts. | Tool
Bluestacks | Bluestacks is a free app that allows you to run Android apps on your Windows PC. | Tool
Nmap | Nmap is a free open-source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on your network, what services (application name and version) they are offering, what operating systems and OS versions they are running, and what type of packet filters/firewalls are in use at their perimeter. | Tool
Coverity | Coverity is a software testing tool that helps developers identify potential vulnerabilities in their code before they are released into production. Coverity uses static analysis techniques to detect coding errors, including memory leaks, buffer overflows, race conditions, and other common programming mistakes. | Tool