# #100DaysOfHacking

This repository contains links to all the 100 days tweets that I posted during the #100DaysOfHacking challenge.

## Tweet Links

- Announcement of Challenge 🤞
- Day 1 - Tested 2FA, Interesting JS File, Sqreen WAF
- Day 2 - Rate Limitation, XSS, XSRF
- Day 3 - Improper rate limitation on OTP (email verification) plus no expiry of OTP — Report Submitted
- Day 4 - Report closed as N/A, understanding app's auth and CSRF protection
- Day 5 - CSRF all the way, Auth cookies behavior
- Day 6 - CRLF, Fetching JS files
- Day 7 - JS file exploration continued
- Day 8 - MySQL DB set up for recon data, Discord Web Hook setup
- Day 9 - Finding secrets in JS files, Heroku check JS script
- Day 10 - Fetching post-auth JS files, studying program's documentation
- Day 11 - Working on JS files
- Day 12 - Static analysis of JS files, Sourcemaps
- Day 13 - Bit of JS, Feeling Down 😞
- Day 14 - Electron JS, KOTH THM
- Day 15 - OAuth 2.0, Implicit Grant Lab, OAuth links of target
- Day 16 - Flawed CSRF Protection
- Day 17 - Flawed CSRF lab continued
- Day 18 - H1 Ambassador Cup CTF, IDOR Writeups
- Day 19 - IDOR
- Day 20 - IDOR & Shodan Findings
- Day 21 - Trying to change profile pic via IDOR, Decoding app's cookie, SSRF via Profile Photo Upload
- Day 22 - Katie's IDOR series, Autorize, Autorepeater
- Day 23 - Autorize configuration & testing on target
- Day 24 - IDOR, gau
- Day 25 - Proper usage of gau to fetch program's URLs
- Day 26 - API Testing, So much manual cURLing 🤢
- Day 27 - Giving another shot to APIs with repeater, EXIF Issue reporting deferred
- Day 28 - Burp + Postman
- Day 29 - Bbht Fork Update, Shodan
- Day 30 - API hacking writeups, notes & postman collection
- Day 31 - KiteRunner Failed, % shown some unique response, IDOR found [Report Submitted]
- Day 32 - Recon Methodology of Ahmad Halabi
- Day 33 - Subdomain enumeration, HTTPx, Port Scan
- Day 34 - IPs from subdomains
- Day 35 - Rustscan, Writeups
- Day 36 - Ffuf on API endpoint
- Day 37 - Nullbyte fuzzing API & builtwith
- Day 38 - Escapehtml4 not escaping apostrophe
- Day 39 - Dev tools, Reading client side source, Bad commits
- Day 40 - Location.href to DOM XSS, New API Endpoint found
- Day 41 - mailto:, URL Object
- Day 42 - Finding code execution and functionality with breakpoints
- Day 43 - Resending XHR with Dev tools
- Day 44 - postMessage
- Day 45 - Firing range postMessage lab
- Day 46 - First Report Resolved 😍
- Day 47 - Making authenticated requests with getJS, Using devtools to find postMessage, retesting vulnerable endpoint
- Day 48 - Burp’s Dom invader, postmessage-tracker extension
- Day 49 - Old S3 Bucket containing interesting files, ORWA methodology of shodan
- Day 50 - Shodan all the way
- Day 51 - Lighthouse finds vulns in AngularJS
- Day 52 - Trying to exploit vulns of [email protected]
- Day 53 - AngularJS, Auth JS File
- Day 54 - Reading whole login JS file, Trying to Bypass OTP using JS Debugger
- Day 55 - Starting HTB Box, Testing Some Auth Related Functions using Dev Tools
- Day 56 - How IDOR is fixed?, Cyber Defense Path
- Day 57 - API Testing with OWASP ZAP, 2nd Order IDORs, Getting Burnt Out 🥺
- Day 58 - TryHackMe ONLY, Breaking security of Linux/Windows given physical access to machine
- Day 59 - Postman Environment & Dynamic Variables, Finding multiple postman collections, Approach to test the API
- Day 60 - Reading API documentation, Familiarity with Target is Important
- Day 61 - HTB, Virtual Hosts Explained
- Day 62 - HTB, WPScan, Wordpress 5.2.3, Information Disclosure
- Day 63 - THM: Introductory Networking Room
- Day 64 - THM: MITRE(started), 250 IDOR Reports, Health Issues
- Day 65 - THM: MITRE(done), CEH Prep
- Day 66 - ECCouncil CEH Exam Passed, HTB: Paper box Pwned
- Day 67 - Using Postman, Zap & Burp together with Upstream Proxy, Throttling Active Scan to Avoid Rate Limitation on API
- Day 68 - Dynamic API?, EC2 IPs on Shodan
- Day 69 - Potentially Infinite Subdomains, Access Control Testing, Session Validation Checks
- Day 70 - Horizontal Priv Esc on API, Active Scan on ZAP, Platform Shift
- Day 71 - Android Hacking Lab Environment, My experience with Genymotion, ADB, Frida, Android Studio
- Day 72 - Google API Key, Intents & Activities and other Android Concepts, Why lesser security issues in android?
- Day 73 - Different tools for decompilation, Android WebView, xAPK files from ApkPure
- Day 74 - Developing my first Android app
- Day 75 - React-native-decompiler, API key in app.config, Mobsec Vs. Websec
- Day 76 - Vulnerable Injured Android
- Day 77 - Frustrating APK Decompilation, From JADx to Dex2Jar
- Day 78 - Decompilation Mystery Resolved, Finding some flags, Exported Activities, Path of Activity's Code, Lots of Amazing Android Resources
- Day 79 - Exploiting Exported Activities using AM & Malicious App, Setting up Drozer on Docker, Building POC App
- Day 80 - IP of Emulator Device, Network issues on Docker, Outdated Drozer?, Android 11 Compatibility, Android Tamer
- Day 81 - Testing app's exported activities, SSL Pinning on app?, Hacker101 Mobile Hacking Crash Course
- Day 82 - Studying what SSL Pinning is?, SSL Pinning Bypass Techniques, okHTTP Library
- Day 83 - Target App's SSL Pinning Bypassed using Frida!, Learning Frida Usage, Method Hooking
- Day 84 - Insecure Data Storage in Android, World Readable Directories
- Day 85 - Expo.dev, API Keys and their impact, Android Attack Surface
- Day 86 - One liner to find all the world readable files/dirs, Plan for rest of the challenge discussed
- Day 87 - Log Analysis via LogCat, Screenshot Capturing Security Issues, OWASP GitBook on Mobile Security
- Day 88 - Reverse Engineering Electron JS, Grep! Grep! Grep!, contextIsolation & nodeIntegration
- Day 89 - Electronegativity, Fetching Electron Version via Console, Unrestricted Navigation Issue Found
- Day 90 - Running Electron JS from Source, Proxying Electron App via Burp/Zap, Unexpected Event
- Day 91 - VPS Migration & Setup, Rough Plan for Recon, Writing Clean Code, pyLint
- Day 92 - Improving code structure, `__name__` variable, reconFTW
- Day 93 - sys.argv Vs. argparse, Multiple values of a single argument
- Day 94 - Debugging GO issues in CronJobs, moduleNotFoundError in Python
- Day 95 - Environment Variables in CRON, moduleNotFoundError {fixed}, weak reference object error {fixed}, Fetching subdomains already stored in DB based on program name input
- Day 96 - subprocess.check_output(), Ditching temporary files, Storing new subdomains in DB, Sending new subdomains to discord
- Day 97 - Fixing the dynamic paths generated for configuration files
- Day 98 - Implementing probing functionality to recon automation framework, Habit of this challenge :)
- Day 99 - Adding port scanner to recon framework, ZAP Automation Framework, GraphQL Backend, Blog Post Draft
- Day 100 - ZAP Automation Framework Hands On, Reporting of ZAP Framework, Blog Post Released on Last Day

Blog Post on 100DaysOfHacking Challenge