eWPT Preparation by Joas

Recon and Enumeration Domain

https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6

https://medium.com/qualityholics/ewpt-exam-review-tips-8a4d9cebf5f9

https://elearnsecurity.com/uncategorized/pentesting-101-fingerprinting-continued/

https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html

https://www.youtube.com/watch?v=TmK0Zpggz48&ab_channel=SemiYulianto

https://www.youtube.com/watch?v=d8zwXxixz5Y&ab_channel=HacktifyCyberSecurity

https://resources.infosecinstitute.com/topic/how-to-create-a-subdomain-enumeration-toolkit/

https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/recon-and-osint/subdomain-enumeration

https://spyse.com/blog/information-gathering/how-to-find-subdomains-instantly

https://book.hacktricks.xyz/external-recon-methodology

https://github.com/KingOfBugbounty/KingOfBugBountyTips

https://www.youtube.com/watch?v=amihlWTtkMA&ab_channel=Nahamsec

https://www.youtube.com/watch?v=o8L2nweiF1s&ab_channel=InsiderPhD

https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21

https://portswigger.net/blog/finding-your-first-bug-bounty-hunting-tips-from-the-burp-suite-community

https://null-byte.wonderhowto.com/how-to/conduct-recon-web-target-with-python-tools-0198114/

https://www.infosecmatter.com/bug-bounty-tips/

https://hackbotone.medium.com/10-recon-tools-for-bug-bounty-bafa8a5961bd

https://www.youtube.com/watch?v=Hnz1d4WmD5Y&ab_channel=HackerSploit

https://www.youtube.com/watch?v=bewbdPvs_g8&ab_channel=Conda

Social Networks

https://www.linkedin.com/in/joas-antonio-dos-santos/

Wordpress Attacks and Other CMS Vulnerability

https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress

https://securityboulevard.com/2020/03/penetration-testing-for-wordpress-websites/

https://www.getastra.com/blog/security-audit/wordpress-penetration-testing/

https://deliciousbrains.com/wordpress-penetration-testing/

https://hackertarget.com/attacking-wordpress/

https://secure.wphackedhelp.com/blog/wordpress-security-tips-2019/

https://github.com/timashana/WordPress-Pentesting

https://github.com/jguerrero12/WordPress-Pentesting

https://github.com/whuang8/wordpress-pentests

https://github.com/magnimusprime/WordPress-Pentesting

https://www.infosecmatter.com/cms-vulnerability-scanners-for-wordpress-joomla-drupal-moodle-typo3/

https://www.acunetix.com/vulnerability-scanner/cms-vulnerability-scanner/

https://linuxsecurity.expert/security-tools/cms-vulnerability-scanners

https://medium.com/@rohitaher023/what-is-a-cms-vulnerability-scanner-and-what-is-its-need-for-security-5aef8d10227b

https://github.com/gajos112/OSCP/blob/master/CMS%20Vulnerability%20Scanners

BurpSuite

https://portswigger.net/burp/documentation/desktop/penetration-testing

https://www.youtube.com/watch?v=N-IKHmGjf2c&ab_channel=Bugcrowd

https://www.youtube.com/watch?v=G3hpAeoZ4ek&ab_channel=JohnHammond

https://www.youtube.com/watch?v=_XUQ7etMCT8&ab_channel=TutorialsPoint%28India%29Ltd.

https://www.youtube.com/watch?v=h2duGBZLEek&ab_channel=Bugcrowd

https://www.youtube.com/watch?v=Chql4bNE6_g&ab_channel=CyberFrat

https://www.youtube.com/watch?v=57559arUG3c&ab_channel=PortSwigger

https://www.youtube.com/watch?v=cyWmZ2WgnEE

https://www.youtube.com/watch?v=c0h3aciBIyQ&ab_channel=Vicky%27sBlog

https://www.youtube.com/watch?v=mibKttwhbRk&ab_channel=InsiderPhD

https://www.youtube.com/watch?v=iG7003AC8ys&ab_channel=webpwnized

https://www.youtube.com/watch?v=oWRseGm-a6I&ab_channel=KacperSzurekEN

https://www.youtube.com/watch?v=-6uPHcLj4oU&ab_channel=Hacksplained

https://portswigger.net/blog/20-burp-suite-tips-from-the-burp-user-community

ClickJacking Attacking

https://owasp.org/www-community/attacks/Clickjacking

https://portswigger.net/web-security/clickjacking

https://www.hacksplaining.com/prevention/click-jacking

https://resh.com.br/blog/realizando-bypass-no-cabecalho-x-frame-options/

https://auth0.com/blog/preventing-clickjacking-attacks/

https://www.synopsys.com/glossary/what-is-clickjacking.html

https://www.youtube.com/watch?v=jcp5t8PsMsY&ab_channel=HackerOne

https://www.youtube.com/watch?v=Pdc5KJfOQpI&ab_channel=Hacksplaining

https://www.youtube.com/watch?v=FEflwAIlLmg&ab_channel=Gomahamaya

https://www.youtube.com/watch?v=mso5FSWEtdo&ab_channel=VERILOGCOURSETEAM

https://www.youtube.com/watch?v=LEdwUGsffwY&ab_channel=MichaelSommer

https://www.youtube.com/watch?v=Zm1lQAQOqJ0&ab_channel=MichaelSommer

Session Hijacking

https://owasp.org/www-community/attacks/Session_hijacking_attack

https://www.youtube.com/watch?v=fxrCJNQ96Kg&ab_channel=intrigano

https://www.youtube.com/watch?v=OriuOtSCUpo&ab_channel=MarcosHenrique

https://www.youtube.com/watch?v=sqMCPxwzIf8&ab_channel=PluralsightIT-TrainingArchive

https://us.norton.com/internetsecurity-id-theft-session-hijacking.html

https://www.venafi.com/blog/what-session-hijacking

https://www.imperva.com/learn/application-security/session-hijacking/

https://www.globalsign.com/en/blog/session-hijacking-and-how-to-prevent-it

https://motilia.com/-/session-hijacking-xss-csrf

https://medium.com/stolabs/stored-xss-session-hijacking-20faf069ef4

https://www.youtube.com/watch?v=wbgOzImzAfg&ab_channel=D4RKR0N

https://www.youtube.com/watch?v=HQdCgooETXw&ab_channel=InfiniteLogins

https://www.youtube.com/watch?v=nJrH7HaiMPI&ab_channel=HackingTeacher

https://www.agiratech.com/xss-csrf-and-session-hijacking

FingerPrinting

https://pentestlab.blog/2012/08/01/web-application-fingerprinting/

https://pentestlab.files.wordpress.com/2012/11/automated-web-application-fingerprinting.pdf

https://www.youtube.com/watch?v=_k9Bsppz4A8&ab_channel=TheHacktivists

https://www.youtube.com/watch?v=_k9Bsppz4A8&ab_channel=TheHacktivists

https://www.youtube.com/watch?v=8WrluFRoJhs&ab_channel=BlackHat

https://null-byte.wonderhowto.com/how-to/fingerprint-web-apps-servers-for-better-recon-more-successful-hacks-0302807/

https://www.m2sys.com/blog/cloud-computing/three-ways-of-biometric-authentication-in-web-application/

https://www.youtube.com/watch?v=PAPaGTFSXK4&ab_channel=TheHacktivists

SQL Injection & Types and SQLMap

https://www.geeksforgeeks.org/authentication-bypass-using-sql-injection-on-login-page/#:~:text=SQL%20injection%20is%20a%20technique,that%20might%20destroy%20your%20database.

https://sechow.com/bricks/docs/login-1.html

https://portswigger.net/support/using-sql-injection-to-bypass-authentication

https://www.youtube.com/watch?v=RXBlTgsawdI&ab_channel=CyberSecurityTV

https://www.youtube.com/watch?v=b4Wn0n6LBcM&ab_channel=shadsluiter

https://www.youtube.com/watch?v=6O4NuKA0pSI&ab_channel=zSecurity

https://www.devmedia.com.br/sql-injection-em-ambientes-web/9733

https://www.guru99.com/learn-sql-injection-with-practical-example.html

http://www.securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html

https://www.sqlinjection.net/login/

https://owasp.org/www-community/attacks/Blind_SQL_Injection

https://portswigger.net/web-security/sql-injection/blind

https://www.netsparker.com/blog/web-security/how-blind-sql-injection-works/

https://infosecwriteups.com/out-of-band-oob-sql-injection-87b7c666548b

https://www.acunetix.com/blog/articles/sqli-part-6-out-of-band-sqli/

https://www.youtube.com/watch?v=soPDfYl2Ef8&ab_channel=RanaKhalil

https://www.youtube.com/watch?v=6Ei7wX1cp5k&ab_channel=RanaKhalil

https://www.youtube.com/watch?v=KOaDan0UqFs&ab_channel=RanaKhalil

https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band

https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/out-of-band-sql-injection/

CSRF

https://www.youtube.com/watch?v=HTgyif6u5RY&ab_channel=RanaKhalil

https://cobalt.io/blog/a-pentesters-guide-to-cross-site-request-forgery-csrf

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

https://www.youtube.com/watch?v=dMwxIHIabeg&ab_channel=TutorialsPoint%28India%29Ltd.

https://www.youtube.com/watch?v=TwG0Rd0hr18&ab_channel=HackerSploit

https://www.veracode.com/security/cross-site-request-forgery-guide-learn-all-about-csrf-attacks-and-csrf-protection

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery

https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery

https://www.rapid7.com/blog/post/2020/11/19/this-one-time-on-a-pen-test-csrf-to-password-reset-phishing/

https://corneacristian.medium.com/top-25-csrf-bug-bounty-reports-ffb0b61afa55

https://www.youtube.com/watch?v=ImqLlFMQrwQ&ab_channel=TheXSSrat

https://www.youtube.com/watch?v=ULvf6N8AL2A&ab_channel=InsiderPhD

Crawling and Spidering

https://www.screamingfrog.co.uk/seo-spider/

https://medium.com/@marlessonsantana/utilizando-o-scrapy-do-python-para-monitoramento-em-sites-de-not%C3%ADcias-web-crawler-ebdf7f1e4966

https://www.webfx.com/blog/internet/what-is-a-web-crawler/

https://www.octoparse.com/DataCrawler

https://www.screamingfrog.co.uk/crawl-javascript-seo/

https://www.parsehub.com/blog/web-scraping-vs-web-crawling/

https://www.youtube.com/watch?v=Kw3m37ebxmQ&ab_channel=HackerSploit

https://securityonline.info/not-your-average-web-crawler-web-crawler-for-bug-hunting/

http://mateslab.weebly.com/web-crawler-security-tool.html

https://pentestmag.com/startup-new-kind-web-crawler/

https://hakluke.medium.com/introducing-hakrawler-a-fast-web-crawler-for-hackers-ff799955f134

Reviews

https://medium.com/@unt0uchable1/elearnsecurity-ewpt-review-and-tips-72f955f3670

https://sorsdev.com/2021/04/18/elearnsecuritys-ewpt-exam-review/

https://h0mbre.github.io/eWPT/

https://www.linkedin.com/pulse/como-tirei-certifica%C3%A7%C3%A3o-ewpt-review-iran-macedo/?trk=read_related_article-card_title&originalSubdomain=pt

https://kentosec.com/2020/06/25/elearnsecurity-web-application-penetration-tester-ewpt-review/

https://www.reddit.com/r/AskNetsec/comments/6fwthl/elearnsecuritys_ewpt/

https://cinzinga.com/eWPT-WAPT/

https://www.youtube.com/watch?v=cOH7IYhbVPA&ab_channel=WilsonSecurityGroup

https://bestestredteam.com/2019/05/16/elearnsecuritys-web-application-penetration-tester-review/

https://thomfre.dev/elearnsecurity-web-application-pentester

https://www.doyler.net/security-not-included/ewpt-exam

https://www.youtube.com/watch?v=FhIOeXMWWCw&ab_channel=WilsonSecurityGroup

https://medium.com/cybersecpadawan/elearnsecurity-ewpt-certification-b7592bfc70af

https://www.linkedin.com/pulse/overview-da-certifica%C3%A7%C3%A3o-ewpt-elearning-web-tester-dos-santos/?originalSubdomain=pt

https://github.com/h0mbre/h0mbre.github.io/blob/master/_posts/2019-04-15-eWPT.md

https://github.com/h0mbre/h0mbre.github.io/blob/master/_posts/2019-08-03-Security-Certifications-And-Fun.md

https://github.com/IgorSasovets/web-security-learning-resources

https://sorsdev.com/2021/04/24/elearnsecuritys-ewpt-tips-tricks/

https://medium.com/@klockw3rk/elearnsecurity-web-application-penetration-testing-course-wapt-ewpt-2f7480120b8e

https://veteransec.com/2018/12/22/my-elearnsecurity-experience-part-1-wapt/

Web Application Fundamentals

https://pt.wikipedia.org/wiki/Cross-origin_resource_sharing#:~:text=Cross%2DOrigin%20Resource%20Sharing%20ou,o%20recurso%20que%20ser%C3%A1%20recuperado.

https://developer.mozilla.org/pt-BR/docs/Web/HTTP/CORS

https://www.youtube.com/watch?v=af5RI6bLkyw&ab_channel=SoftwareEngineeringInstitute%7CCarnegieMellonUniversity

https://www.youtube.com/watch?v=h-WtIT6gCBk&ab_channel=TheTechCave

https://www.freecodecamp.org/news/secure-your-web-application-with-these-http-headers-fd66e0367628/

https://help.deepsecurity.trendmicro.com/20_0/on-premise/http-security-headers.html#:~:text=Security%20headers%20are%20directives%20used,Cross%2DSite%20Scripting%20or%20Clickjacking.

https://www.netsparker.com/blog/web-security/http-security-headers/

https://owasp.org/www-project-secure-headers/

https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/

https://www.youtube.com/watch?v=CFzgKfnmG-Q&ab_channel=PrettyPrinted

https://www.youtube.com/watch?v=9dT0FSH-aGQ&ab_channel=CodingTech

https://www.youtube.com/watch?v=eesqK59rhGA&ab_channel=TheTechCave

https://rapidapi.com/blog/api-glossary/http-request-methods/

https://code-maze.com/http-series-part-1/

XSS and BeeF

https://github.com/boku7/XSS-Clientside-Attacks

https://github.com/Naategh/PyCk/tree/master/Web

https://medium.com/bugbountywriteup/file-upload-xss-patched-83ea55bb9a55

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

https://www.kitploit.com/2018/05/xss-payload-list-cross-site-scripting.html

https://www.aptive.co.uk/blog/xss-cross-site-scripting/

https://labs.nettitude.com/blog/cross-site-scripting-xss-payload-generator/

https://cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss

https://xss.js.org/#/

https://www.researchgate.net/figure/Classification-of-XSS-payloads-exemplified_fig4_220622661

https://xsshunter.com/features

https://www.cin.ufpe.br/~tg/2009-2/agsj.pdf

ftp://ftp.registro.br/pub/gts/gts33/tutorial/A7%20-%20Cross-Site%20Scripting.pdf

http://www.inf.ufsc.br/~bosco.sobral/ensino/ine5680/material-seg-redes/Serie%20Ataques-RedeSegura-XSS.pdf

http://prlalmeida.com.br/anteriores/ArqRefNegocios/Aula%2054%20-%20Cross%20Site%20Scripting.pdf

https://www.enacomp.com.br/2017/docs/analise-vulnerabilidade_xss_apps_web.pdf

https://owasp.org/www-pdf-archive//OWASPTop10XSSLongIsland.pdf

https://owasp.org/www-community/Types_of_Cross-Site_Scripting

https://owasp.org/www-community/attacks/xss/

https://portswigger.net/web-security/cross-site-scripting

https://www.acunetix.com/websitesecurity/xss/

https://www.veracode.com/security/xss

https://blog.detectify.com/2019/03/15/what-are-the-different-types-of-xss/

Vulnerability Analysis

https://www.youtube.com/watch?v=Uv6Idf5ZB9c&ab_channel=MotasemHamdan

https://www.youtube.com/watch?v=KeSUiCr-WGo&ab_channel=webpwnized

https://www.youtube.com/watch?v=pPU2XTFyRmU&ab_channel=denimgroup

https://www.youtube.com/watch?v=wLfRz7rRsH4&ab_channel=CyberSecurityTV

https://mediaspace.regis.edu/media/OWASP+ZAP+Overview+For+Website+Vulnerability+Scanning/1_zpnvcxvx

https://www.youtube.com/watch?v=YTs8GF2eaA0&ab_channel=ParagDhali

https://www.youtube.com/watch?v=_MmDWenz-6U&ab_channel=OracleDevelopers

https://portswigger.net/burp/documentation/desktop/scanning

https://www.youtube.com/watch?v=VP9eQhUASYQ&ab_channel=PortSwigger

https://www.youtube.com/watch?v=W0O53inMaIY&ab_channel=webpwnized

https://www.youtube.com/watch?v=1HDC6fKsKYE&ab_channel=NullByte

https://www.youtube.com/watch?v=X3BGO9U8zuU&ab_channel=CalebBucker

https://github.com/poerschke/Uniscan

https://github.com/We5ter/Scanners-Box

https://github.com/skavngr/rapidscan

User Enumeration and Brute Force & Bypass Attack

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

https://www.kaspersky.com/blog/username-enumeration-attack/34618/

https://www.vaadata.com/blog/user-enumerations-on-web-applications/

https://www.triaxiomsecurity.com/common-web-application-vulnerabilities-username-enumeration/

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses

https://www.youtube.com/watch?v=fP0VVzPI4jQ&ab_channel=Hacksplaining

https://www.youtube.com/watch?v=WCO7LnSlskE&ab_channel=SubhankarAdhikary

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing

https://www.youtube.com/watch?v=ZUKvet_BsoY&ab_channel=ITProTV

https://www.youtube.com/watch?v=cL9NsXpUqYI&ab_channel=HackerSploit

https://www.youtube.com/watch?v=_-0JKW3U0aU&ab_channel=SathvikTechtuber

https://www.youtube.com/watch?v=fdb3U2EFLzo&ab_channel=ISOEHIndianSchoolofEthicalHacking

https://portswigger.net/support/using-burp-to-brute-force-a-login-page

https://www.hacksplaining.com/prevention/user-enumeration

XPath injection with XCAT

https://www.oreilly.com/library/view/web-penetration-testing/9781788623377/4ebcd489-b08a-4074-988b-df61d373a6b5.xhtml

https://tomforb.es/exploiting-xpath-injection-vulnerabilities-with-xcat/

https://www.kitploit.com/2014/08/xcat-tool-that-aides-in-exploitation-of.html?m=0

https://www.hacking.land/2017/10/xcat-automate-xpath-injection-attacks.html

https://snyk.io/advisor/python/xcat

https://owasp.org/www-pdf-archive/HAAS_OWASP_NZ_13-Improving_XPath_Injection.pdf

https://book.hacktricks.xyz/pentesting-web/xpath-injection

https://www.youtube.com/watch?v=4yrGD9Xj-hY&ab_channel=SecureCodeWarrior

https://www.youtube.com/watch?v=5ZDSPVp1TpM&ab_channel=MotasemHamdan

https://www.youtube.com/watch?v=6tV8EuaHI9M&ab_channel=Maurisec

https://www.youtube.com/watch?v=ySJwlMsFbco&ab_channel=JohnHammond

https://www.youtube.com/watch?v=p3-ZfhaSRZ0&ab_channel=ThiagoPereira

https://www.youtube.com/watch?v=AvOcikbZsik&ab_channel=EthicalHackingandDigitalForensicsTutorial

https://www.youtube.com/watch?v=U-MZJ6rbqi4&ab_channel=AutomationStepbyStep

SOAP Attacks

https://www.ws-attacks.org/SOAPAction_Spoofing

https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf

https://resources.infosecinstitute.com/topic/soap-requests/

https://www.neuralegion.com/blog/top-7-soap-api-vulnerabilities/

https://blog.securelayer7.net/owasp-top-10-penetration-testing-soap-application-mitigation/

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-stamos.pdf

https://www.soapui.org/docs/security-testing/security-scans/sql-injection/

https://www.youtube.com/watch?v=UINLbiq19NQ&ab_channel=90%27sHacks

https://www.youtube.com/watch?v=4tmvQ5a4200&ab_channel=CyberSecurityTV

https://capec.mitre.org/data/definitions/110.html

https://www.mantisbt.org/bugs/view.php?id=16879

https://www.dionach.com/blog/web-services-blind-sql-injection/

https://resources.infosecinstitute.com/topic/soap-attack-2/

https://www.youtube.com/watch?v=jDcXub5grgM&ab_channel=90%27sHacks

File and Resource Attacks

https://owasp.org/www-community/attacks/Resource_Injection

https://resources.infosecinstitute.com/topic/file-inclusion-attacks/

https://www.sciencedirect.com/topics/computer-science/attack-resource

https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/

https://portswigger.net/web-security/file-path-traversal

https://www.neuralegion.com/blog/local-file-inclusion-lfi/

https://www.neuralegion.com/blog/file-inclusion-vulnerabilities/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/reflected-file-download-a-new-web-attack-vector/

https://www.onsecurity.io/blog/file-upload-checklist/

https://medium.com/@juangrimm/o-que-%C3%A9-lfi-hacking-3bc709dfb5da