remove anchor tag

Author: frankheat

README.md

@@ -9,15 +9,15 @@
 Welcome to offsecnotes, a website dedicated to Offensive Security notes. This project provides a collection of concepts, techniques, and tools useful for anyone interested in penetration testing and offensive security.
 
 <p align="center">
-  <a href="#key-features">Android</a> •
-  <a href="#how-to-use">Web App</a> •
-  <a href="#download">Network</a> •
-  <a href="#credits">Misc</a>
+  <a href="https://frankheat.io">Android</a> •
+  <a href="https://frankheat.io">Web App</a> •
+  <a href="https://frankheat.io">Network</a> •
+  <a href="https://frankheat.io">Misc</a>
 </p>
 
 # Project link
 
-👉 https://frankheat.github.io/offsecnotes
+👉 https://frankheat.io
 
 # Table of contents
 

content/android/framework.md

@@ -9,7 +9,7 @@ weight: 6
 
 **Read React Native JavaScript source code**
 
-### Without Hermes engine <a href="#react-native-without-hermes-engine" id="react-native-without-hermes-engine"></a>
+### Without Hermes engine
 
 ```sh
 # 1. Dissasemble
@@ -24,7 +24,7 @@ cat index.android.bundle
 # 4. Build and sign the apk
 ```
 
-### With Hermes engine <a href="#react-native-without-hermes-engine" id="react-native-without-hermes-engine"></a>
+### With Hermes engine
 
 You need [https://github.com/Kirlif/HBC-Tool](https://github.com/Kirlif/HBC-Tool)
 

content/android/reverse engineering/reversing.md

@@ -114,7 +114,7 @@ java -jar APKEditor.jar m -i <path_splitted_apk> -o merged.apk
 java -jar uber-apk-signer.jar -a merged.apk --allowResign -o <merged_signed>
 ```
 
-## Troubleshooting apktool <a href="#troubleshooting-install-errors" id="troubleshooting-install-errors"></a>
+## Troubleshooting apktool
 
 * **INSTALL\_FAILED\_INVALID\_APK:** Failed to extract native libraries
   * This error occurs in some apktool versions with apps containing native libraries. To fix it, set `extractNativeLibs` to `true` in `AndroidManifest.xml`, then repackage and re-sign the APK.

content/web/vulnerabilities/api.md

@@ -96,7 +96,7 @@ If the application behaves differently, may suggest that the invalid value impac
 **Note**: We change isAdmin to "foo" because we want see if the user input is processed. If we get an error may indicate that the user input is being processed.
 {{< /hint >}}
 
-## Server-side parameter pollution <a href="#server-side-parameter-pollution" id="server-side-parameter-pollution"></a>
+## Server-side parameter pollution
 
 You make the request and the server queries an internal API
 

content/web/vulnerabilities/authentication.md

@@ -77,7 +77,7 @@ See if you can change the password of an arbitrary user. E.g. look for a hidden
 * current password: \<right>, new-password-1=XXX, new-password-2=YYY
 {{< /hint >}}
 
-## 2FA <a href="#bypassing-two-factor-authentication" id="bypassing-two-factor-authentication"></a>
+## 2FA
 
 * **Brute-force OTP**
 * **Bypassing two-factor authentication**&#x20;

content/web/vulnerabilities/graphql-api.md

@@ -29,15 +29,15 @@ JSON-encoded body
 }
 ```
 
-## GraphQL endpoints <a href="#finding-graphql-endpoints" id="finding-graphql-endpoints"></a>
+## GraphQL endpoints
 
-### Universal queries <a href="#universal-queries" id="universal-queries"></a>
+### Universal queries
 
 Sending `query{__typename}` to a GraphQL endpoint will return `{"data": {"__typename": "query"}}` in the response.
 
 Try with POST, GET or POST with `application/x-www-form-urlencoded`
 
-## Common endpoint names <a href="#common-endpoint-names" id="common-endpoint-names"></a>
+## Common endpoint names
 
 ```sh
 /graphql
@@ -58,9 +58,9 @@ More endpoint: [https://github.com/danielmiessler/SecLists/blob/fe2aa9e7b04b98d9
 **Note**: Response could be "query not present" or similar. (meaning it's present)
 {{< /hint >}}
 
-## Discovering schema information <a href="#discovering-schema-information" id="discovering-schema-information"></a>
+## Discovering schema information
 
-### Using introspection <a href="#using-introspection" id="using-introspection"></a>
+### Using introspection
 
 To use introspection to discover schema information, query the `__schema` field. (could be disabled in production environments)
 
@@ -188,7 +188,7 @@ Now you can easily view relationships between schema entities using a GraphQL vi
 
 Suggestions are a feature of the Apollo GraphQL platform where the server suggests query amendments in error messages. [Clairvoyance](https://github.com/nikitastupin/clairvoyance) is a tool that uses suggestions to automatically recover all or part of a GraphQL schema, even when introspection is disabled.
 
-## Bypassing GraphQL introspection defenses <a href="#bypassing-graphql-introspection-defenses" id="bypassing-graphql-introspection-defenses"></a>
+## Bypassing GraphQL introspection defenses
 
 * Developers might use a regex to exclude the `__schema` keyword. Try spaces, new lines, and commas, which GraphQL ignores but flawed regex does not.
 
@@ -210,7 +210,7 @@ Suggestions are a feature of the Apollo GraphQL platform where the server sugges
 
 * POST request with a content-type of `x-www-form-urlencoded`
 
-## Bypassing rate limiting <a href="#bypassing-rate-limiting-using-aliases" id="bypassing-rate-limiting-using-aliases"></a>
+## Bypassing rate limiting
 
 Use aliases to return multiple instances of the same type of object in one request.
 
@@ -230,7 +230,7 @@ Use aliases to return multiple instances of the same type of object in one reque
     }
 ```
 
-## GraphQL CSRF <a href="#graphql-csrf" id="graphql-csrf"></a>
+## GraphQL CSRF
 
 GraphQL can be exploited for CSRF attacks. POST requests with `application/json` content type are secure against forgery if the content type is validated.
 

content/web/vulnerabilities/jwt.md

@@ -15,7 +15,7 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4
 
 The header and payload parts of a JWT are base64url-encoded JSON objects.
 
-**JWT signature <a href="#jwt-signature" id="jwt-signature"></a>**
+**JWT signature**
 
 The server issuing the token generates the signature by hashing the header and payload, sometimes encrypting the resulting hash. This process uses a secret signing key, allowing servers to verify the token's integrity:
 

content/web/vulnerabilities/oauth-2.0.md

@@ -99,7 +99,7 @@ if you notice that the authorization request does not send a `state` parameter,
 
 ## OpenID Connect
 
-### Identifying OpenID Connect <a href="#identifying-openid-connect" id="identifying-openid-connect"></a>
+### Identifying OpenID Connect
 
 Look for the mandatory `openid` scope
 

content/web/vulnerabilities/race-conditions.md

@@ -51,7 +51,7 @@ def handleResponse(req, interesting):
     table.add(req)
 ```
 
-## Multi-endpoint race windows <a href="#aligning-multi-endpoint-race-windows" id="aligning-multi-endpoint-race-windows"></a>
+## Multi-endpoint race windows
 
 **Connection warming**
 
@@ -66,7 +66,7 @@ In Burp Repeater, try adding a `GET` request for the homepage at the start of yo
 
 Web servers often delay processing if too many requests are sent too quickly. By sending many dummy requests to trigger rate or resource limits, you can create a server-side delay, making the single-packet attack viable even with delayed execution.
 
-## Session-based locking mechanisms <a href="#session-based-locking-mechanisms" id="session-based-locking-mechanisms"></a>
+## Session-based locking mechanisms
 
 Some frameworks prevent accidental data corruption through request locking. For example, PHP's native session handler processes one request per session at a time.
 

content/web/vulnerabilities/web-cache-deception.md

@@ -120,7 +120,7 @@ Premise
 /static/js/info.js     # 2 time "X-Cache: hit" -> Perfect, the page is cached
 ```
 
-### Normalization by the origin server <a href="#exploiting-normalization-by-the-origin-server" id="exploiting-normalization-by-the-origin-server"></a>
+### Normalization by the origin server
 
 ```python
 # 3. Confirm that the cache rule is based on the static directory