jub0bs

## mux_test.go
package mux

import (
	"crypto/rand"
	"math/big"
	"net/http"
	"net/http/httptest"
	"testing"
)

## ejs.sh
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

# using linkfinder
function ejs() {
   URL=$1;
   curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
}

# with file download (the new best one):
# but there is a bug if you don't provide a root url

## hbh-header-abuse-test.py
# github.com/ndavison

import requests
import random
import string
from argparse import ArgumentParser


parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")

## Testing_Checklist.md

      
              1 file
            
          
              149 forks
            
          
                43 comments
              
            
              278 stars
            
          
                jhaddix
                / Testing_Checklist.md
            
            
              Last active
              December 20, 2025 02:42
                — forked from amotmot/WAHH_Task_Checklist.md
            
              
                Fast Simple Appsec Testing Checklist 
              
          
    Fast Testing Checklist

A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file
Contents


Recon and analysis
Test handling of access
Test handling of input
Test application logic
Assess application hosting
Miscellaneous tests


## get-hsts-preload-list.sh
#!/usr/bin/env bash

# https://code.google.com/p/chromium/issues/detail?id=226801
url='https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT';
curl -#s "${url}" | \
	base64 --decode | \
	sed '/^ *\/\// d' | \
	sed '/^\s*$/d' > hsts.json;
	package mux

	import (
	"crypto/rand"
	"math/big"
	"net/http"
	"net/http/httptest"
	"testing"
	)
	curl -L -k -s https://www.example.com \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| awk -F '//' '{if(length($2))print "https://"$2}' \| sort -fu \| xargs -I '%' sh -c "curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" \| awk -F "['\"]" '{print $2}' \| sort -fu

	# using linkfinder
	function ejs() {
	URL=$1;
	curl -Lks $URL \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]*" \| sed -r "s/^src['\"]?[=:]['\"]//g" \| awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' \| sort -fu \| xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" \| xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
	}

	# with file download (the new best one):
	# but there is a bug if you don't provide a root url
	#!/usr/bin/env bash

	# https://code.google.com/p/chromium/issues/detail?id=226801
	url='https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT';
	curl -#s "${url}" \| \
	base64 --decode \| \
	sed '/^ *\/\// d' \| \
	sed '/^\s*$/d' > hsts.json;