Tutorials on How To Exploit Some Vulnerabilities

This is a list of tutorial resources that can be helpful to security researchers who want to learn more about web and mobile application hacking. Please let us know if you have any suggestions for resources we should add to this post!

Web applications:

Cross-Site Scripting (XSS)

  • A comprehensive tutorial on cross-site scripting – link
  • Favorite XSS Filters/IDS and how to attack them – pdf link
  • Introduction to cross-site scripting – link
  • Avoiding XSS Detection – link

Cross-Site Request Forgery (CSRF)

  • Finding and Preventing CSRF – pdf link
  • How to exploit CSRF Vulnerabilities – link

SQL Injection

  • Introduction to SQL Injection – link
  • Introduction to MySQL Injection – link
  • Full MSSQL Injection PWNage – link
  • Everything you wanted to know about SQL injection – link

Remote Code/Command Execution

  • How to find RCE in scripts (with examples) – link
  • Yahoo LFI Converted to RCE – link
  • Remote Code Execution in Elasticsearch – CVE-2015-1427 – link

XML External Entity (XXE)

  • Generic XXE Detection – link
  • XML Out-Of-Band Data Retrieval – pdf link
  • SSRF vs. Business-critical applications: XXE tunneling in SAP – pdf
  • What you didn’t know about XXE – pdf link

  • SSRF Attacks – slideshare link
  • Cross Site Port Attacks – link
  • Hunting for Top Bounties – YouTube link
  • How to steal and modify data using Business Logic flaws – slideshare
  • Exploiting CVE-2011-2461 on google.com – link
  • PentesterLab – link – PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities. (thanks @n0x00)
  • InjectX to find XSS – link – thanks @1N3
  • Attacking Ruby on Rails Applications – link

Mobile Applications:

  • Debugging Java Applications Using JDB – link
  • Hacking Android Apps Using Backup Techniques – link

  • Setting Up a Mobile Pentesting Platform – link
  • iOS Application Security – link
