Weekly Pentest Tips & Tricks
- Buy now
- Learn more
Tips & Tricks Request

Request a Pentest Trick
Hacking Labs

Hacking Labs
A01 - Broken Access Control

0x02 - Broken Auth in 30 Seconds
0x19 - Account Takeover via Open Redirect
0x40 - Info Leak to Account Takeover
0x42 - Auth Bypass with 0-based UUIDs
0x64 - Pentesting Admin Accounts
0x77 - Another Way to Bypass 2FA
0x81 - Seven Ways to Bypass 403
0x122 - Finding Orphaned Privileges
0x123 - Deleted Page Gave Me Owner Access
0x158 - ATO With Cached Magic Links
A02 - Cryptographic Failures

0x06 - JWT Exfil from Source Page
0x29 - Automating JWT Pentests
0x49 - Cracking JWT Tokens
0x75 - Validating Leaked API Keys
0x96 - Token Randomness Analysis
0x130 - Bypass Encryption w/ JS Debugger
0x132 - Reset Token to Backdoor Trick
0x152 - Cracking Password Reset Tokens
A03 - Injection Attacks

0x01 - XSS via Custom Named Tags
0x11 - Email Field Payload Injection
0x12 - XML Formatted XSS Payloads
0x15 - SSRF for Internal Network Scanning
0x18 - Burp Hackvertor for Advanced Injection
0x25 - OOB Template Injection via SMS
0x35 - HTML Injection for Phishing Emails
0x36 - File Read via Login Wallpapers
0x52 - XSS in SVG Images
0x76 - XSS via Phone Number Field
0x80 - Race Conditions with Turbo Intruder
0x89 - XSS via PostMessage
0x90 - XSS via HREF URLs
0x91 - Invading the DOM
0x115 - Real-World Reflected XSS
0x143 - Full-Width Characters Bypass
0x145 - Exploiting Blind HTML Injection
0x151 - File Upload + CSP + WAF Bypass = XSS
A04 – Insecure Design

0x17 - Exploiting Race Conditions
0x22 - Phishing via Signup Forms
0x37 - Open Redirect via REGEX Bypass
0x44 - No Email Verification Abuse
0x62 - Location Spoofing Tricks
0x99 - Loop Denial of Service
0x100 - Infinite Trial Period
0x141 - Why Pentesters Love Blacklists
0x153 - Business Logic Abuses
0x163 - DoS in Sparse Fieldsets API
0x165 - When Cronjobs Implode
A05 – Security Misconfiguration

0x05 - DB Dump via Underscore Wildcards
0x28 - Azure Subdomain Takeover at Scale
0x32 - Command Injection in Azure Webapps
0x34 - File Upload Bypass in Firebase
0x38 - Dir Listing via Range Header Abuse
0x41 - Crashing Apps with Large Inputs
0x47 - CORS Misconfig Exploitation
0x85 - Escalating Debug Log Pages
0x121 - File Upload Bypass via ZIPs
0x144 - Bypassing Firewalls Whitelisting
A06 – Vulnerable Components

0x48 - Finding NPM Dependency Confusion
0x53 - Using Collaborator as Email Inbox
0x65 - Can't Find Dependency Confusion?
0x83 - Hacking GitHub CI/CD Workflows
0x88 - Attacking GWT-RPC Apps
0x102 - File Upload Bypasses for 2025
0x108 - Bypassing Geolocation Restrictions
0x118 - Exploiting Dangling JS Dependencies
0x127 - Denial of.. Wallet?!
0x156 - Triggering OOM With Bomb GIFs
A07 – Identification and Authentication Failures

0x07 - GraphQL Crash via Recursive Queries
0x23 - Private Email Leak via Google SSO
0x27 - Email Spoof via Client-Side Bypass
0x43 - Email Spoof via DMARC Policy Abuse
0x59 - File Access Bypass via Referer in CDN
0x95 - How the Microsoft MFA was Bypassed
0x133 - Authentication Bypasses for 2025
0x166 - Data Leakage Through Updates
Recon & Attack Surface

0x04 - Reading Intercom Widget Messages
0x14 - Hidden Endpoints via Link Headers
0x30 - Hidden API Endpoints in WADL Files
0x39 - SSRF in PDF Generators
0x58 - Google Maps API Key Testing
0x66 - Attack Surface via Timing Attacks
0x69 - Finding CSRF through Methods Change
0x79 - Attack Paths in API Docs
0x84 - Finding Only Exploitable CVEs
0x86 - Email Enumeration with Slack
0x98 - Scanning OpenAPI with SOAPI
0x110 - Exploiting Typos in DNS Records
0x106 - Finding Backups From the Past
0x120 - Reverse Engineering APIs
0x135 - Secrets in GitHub Garbage
0x147 - Checking Ports for Exfiltration
Tooling & Automation

0x08 - Better Folder Enumeration
0x13 - Optimizing Payload Lists
0x20 - Firebase Pentest with Artillery
0x21 - Auto-Finding Dangerous JS Functions
0x24 - GraphQL Voyager for Circular Refs
0x26 - Burp + Python for Pentest Automation
0x31 - Automating Pentests with Bamdas
0x33 - Hiding Uninteresting HTTP Headers
0x51 - Auto-Finding Injectable Parameters
0x55 - No Collaborator? No Problem!
0x57 - Missed Request Smuggling Vulns
0x60 - Burp Fuzzing Insertion Points
0x61 - Modifying Requests on the Fly
0x63 - Reviewing Scanner Payloads in Burp
0x73 - Websocket Pentesting Extension
0x74 - UUID Bruteforce with Custom Lists
0x78 - Blind XSS Hunting in Seconds
0x87 - SQLMap Command Generator
0x93 - Bypassing URL Validation
0x101 - So You Decided to Password Spray?
0x105 - The Offsec Toolkit
0x136 - API Scanning Automation FTW
0x137 - Optimizing Burp Scanner
0x160 - Source Code in Plain Sight
Creative, Strategic, and Mindset

0x00 - Sandbox Escape in Point of Sale (POS)
0x09 - Bypassing CAPTCHA - Techniques
0x16 - Path Traversal - Techniques
0x45 - Exploiting Online Compilers
0x50 - Payload Gen with SCAMMPERR
0x54 - Tracking Users with Image URLs
0x56 - Domain Blacklist Bypass w/ Azure DNS
0x70 - Pentesting SIP Protocols
0x71 - RickRolling a Payment Terminal
0x82 - Exploiting Hop-by-Hop Headers
0x94 - When SQLmap Fails: 3 Tips
0x103 - What's Response Filter DoS
0x104 - Train Your (Hacker) Imagination
0x107 - Should We Avoid Burp Collaborator?
0x109 - How to Write Exploits
0x119 - Is Google Sabotaging Hackers?
0x124 - Find Your Crush on Dating Apps
0x125 - Unveiling the Web's Secrets
0x129 - Honey, I'm h̶o̶m̶e̶ payload!
0x131 - How to Exploit Slopsquatting
0x134 - Are Browsers Sabotaging Hackers?
0x139 - Look Where Others Haven’t
0x140 - Making Exploits More Reliable
0x142 - Github Issues for Inspiration
0x148 - Web Attack Escalations
0x150 - How to Hack an ATM
0x154 - The Rule of #3
0x161 - Three Pentesting Mistakes I Made
Bug Bounty $$$

0x03 - Maximizing Vulns Impact
0x46 - Weaponizing XSS for Maximum Impact
0x67 - Unlocking Premium for Free
0x97 - Is This in Scope?
0x111 - Leaking YouTube Emails for $10K
0x112 - $4,000 Bounty for Clickjacking?
0x116 - $1000 Privacy Loophole Exploit
0x146 - High Demand Bounties ($50k+)
0x155 - Get 1,500$ For Your Research
0x157 - Don't Track Me!
0x162 - $350,000 Bounties for HTTP/1.1
0x164 - Three Tips for BB Reports
0x169 - How I Hacked 500 Routers
0x170 - How I Hacked My Hotel
0x171 - Amazon Payment Bypass
AI/ML/LLM/MCP

0x68 - Top 10 AI Chatbot Attack Ideas
0x72 - Stealing AI Chatbot Prompts
0x92 - Scanning Docs with NotebookLM
0x113 - What is Burp's Shadow Repeater
0x114 - Is Nuclei AI Worth It?
0x117 - Email Assistant Account Takeover
0x126 - Formatting XSS Payloads
0x128 - What's a Model Context Protocol (MCP)
0x138 - Vibe Coding -> More Hacking
0x149 - RCE in MCP Inspector
0x159 - Recon the Cursor
0x167 - LLM Bypass via Alternative Language
0x168 - Hacking MCP Servers
0x172 - Building & Breaking AI Agents
Latest Tips & Tricks

0x173 - Test Credit Cards
0x174 - Comment Crusader
0x175 - Pay Me Baby One More Time
0x176 - 429 Too Many Request
0x177 - Maximizing Tricks Value
0x178 - API Key Rotation
0x179 - Leaking Source Code with Fuzzing
0x180 - Replaying POST Payloads in Browser
0x181 - Deleting Messages With Emojis 😂
0x182 - Cache Poisoning Profile Pics
0x183 - Run Postman Collections for BAC
0x184 - Exploiting Half-Open Sessions
0x185 - Bug Bounty Helper
0x186 - New Era of Secret Detection
0x187 - File Access Bypass using Chatbots
0x188 - HTTP Response Manipulation
0x189 - NextJS Paths Recon
0x190 - OWASP Top Ten 2025
0x191 - AI Liberating Prompts
0x192 - The Silent ATO
0x193 - The 600,000$ Discount Bug
0x194 - The Kasada Anti-Bot
0x195 - Business Logic Bug in Snapchat
0x196 - Reversing Blazor Web Apps
0x197 - Bypass Auth with GraphQL

0x05 - DB Dump via Underscore Wildcards

Did you know you can dump a whole database table even without SQL injection?

The underscore _ character is a less-known payload that you can use when pentesting the search functions of an application

This is an alternative to the more common asterisk (*) and percent sign (%) payloads that usually get blocked by WAFs and developers.

By using a wildcard character it's possible to match and read a larger set of values which can uncover sensitive information stored on the DB table.

Note that the _ wildcard represents ONLY A SINGLE CHARACTER so you need to add multiple underscore wildcards to dump all the info

How to do it

Find a search function within the app and intercept the request
Increase the results size number to max (i.e: 10.000) if needed
Replace the search string with the wildcard payload _
Continue to increase the payload until no more values are returns ( __ , ___, ____, _____, etc.)
Note how these payloads match all values and the server ends up dumping the whole table