漏洞挖掘计划

开始时间：2020.11.11正式开始

赏金规划： 计划得7万刀 两个月 月入3万刀

措施：

• 1.恢复晨间日志
• 2.恢复Trello项目计划
• 3.购买了pentesterlab服务
• 4.手上多本漏洞挖掘书籍和多门安全课程
• 5.一个自己开发的扫描器
• 6.每天至少6个小时时间
• 7.每天更新漏洞报告信息

漏洞挖掘学习

1.XSS 测试用例

https://brutelogic.com.br/knoxss.html

2.怎么写渗透笔记 Effective Note-Taking For Bug Bounties

https://www.bugbountyhunter.com/guides/?type=notetaking

3.渗透测试管理与协作平台

https://attackforge.com/

4.Bug hunter wins ‘Researcher of the Month’ award for DOD account takeover bug

https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/

5.Fuzzing Go package using go-fuzz & libfuzzer

https://academy.fuzzinglabs.com/fuzzing-go-package-go-fuzz-libfuzzer

6.部署一个ReconNote

https://www.kitploit.com/2020/11/reconnote-web-application-security.html

7.漏洞挖掘工具

Introducing BBRF: yet another Bug Bounty Reconnaissance Framework

https://honoki.net/2020/10/08/introducing-bbrf-yet-another-bug-bounty-reconnaissance-framework/

https://github.com/honoki/bbrf-client

漏洞挖掘报告

1.Ultimate Member Plugin for WordPress Allows Site Takeover

https://threatpost.com/ultimate-member-plugin-wordpress-site-takeover/161053/

2.SSRF (Server Side Request Forgery) worth $4,913 | My Highest Bounty Ever !

https://medium.com/techfenix/ssrf-server-side-request-forgery-worth-4913-my-highest-bounty-ever-7d733bb368cb

3.Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure

https://hackerone.com/reports/923132

4.Chaining password reset link poisoning, IDOR+account information leakage to achieve account takeover at https://api.redacted.com

https://medium.com/bugbountywriteup/chaining-password-reset-link-poisoning-idor-account-information-leakage-to-achieve-account-bb5e0e400745