Day025

Today's highlights:

1.Hackerone的新榜单

https://www.hackerone.com/blog/announcing-new-leaderboards-more-ways-engage-compete-and-win

Looking at the China leaderboard, there are actually very few Chinese hunters on it, especially for 2020. Work hard to get on the list.

https://hackerone.com/leaderboard/country?year=2020&country=CN

2.Latest web hacking tools – Q3 2020

https://portswigger.net/daily-swig/latest-web-hacking-tools-q3-2020

3.HEY.com email stored XSS

https://hackerone.com/reports/982291

Bug hunting resources

1.CORS misconfiguration POC Builder

https://tools.honoki.net/cors.html

2.CobaltStrike source code

https://github.com/Freakboy/CobaltStrike

3.Burp JSON plugin (burp-jq)

https://github.com/synacktiv/burp-jq

4.Extrapolating Adversary Intent Through Infrastructure

https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-through-infrastructure#

5.Talks About bugbountyhunter.com, Recon, Reading Javascript, Getting Started in Bug Bounty

6.Bypassing Restrictions | Website Unblocking | ft. UserAgent | Medium, ETPrime

Bug report study

1.Ticket Trick at https://account.acronis.com (hijacking email content)

https://hackerone.com/reports/999765

2.Vulnerability analysis – arbitrary account login vulnerability in Apple's authorization process ($100,000)

https://xz.aliyun.com/t/8484

3.Facebook DOM XSS found in postMessage cross-origin communication

https://www.anquanke.com/post/id/222278

4.SQL LIKE clauses wildcard injection (this injection is worth studying)

https://hackerone.com/reports/852306
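The general pattern behind a LIKE wildcard injection, as an added example that is not code from the report above or from the original post: a query can be fully parameterized and still let the caller control the `%` and `_` metacharacters of a LIKE pattern, so `%` dumps every row and runs of `_` act as a length or position oracle. The table, rows and function names below are constructed for illustration; the hardened variant escapes the metacharacters and names the escape character with an explicit `ESCAPE` clause.

```python
import sqlite3

# Constructed sample rows; not data from the HackerOne report.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.org"),
]


def build_db():
    """In-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn, prefix):
    """Prefix search that is parameterized (no classic SQL injection) but
    still lets the caller control LIKE metacharacters: '%' and '_' inside
    `prefix` are interpreted as wildcards, not as literal characters."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (prefix + "%",),
    )
    return [row[0] for row in cur]


def escape_like(value, esc="\\"):
    """Neutralize LIKE metacharacters. The escape character itself must be
    escaped first, otherwise an attacker-supplied backslash would unescape
    the wildcard that follows it."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_hardened(conn, prefix):
    """Same query with the user input escaped and an explicit ESCAPE clause,
    so '%' and '_' supplied by the user only match themselves."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
        "ORDER BY username",
        (escape_like(prefix) + "%",),
    )
    return [row[0] for row in cur]


def demo():
    """Run the same three inputs against both variants."""
    conn = build_db()
    return {
        # '%' alone: the vulnerable version dumps every user, hardened finds none.
        "dump_all": (search_vulnerable(conn, "%"), search_hardened(conn, "%")),
        # '_' as a position oracle: four single-char wildcards plus 'l' hits "carol".
        "probe": (search_vulnerable(conn, "____l"), search_hardened(conn, "____l")),
        # An ordinary prefix still works in both.
        "normal": (search_vulnerable(conn, "bo"), search_hardened(conn, "bo")),
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name}: vulnerable={vuln} hardened={safe}")
```

Escaping rules differ per database: MySQL already treats backslash as the default LIKE escape character, while SQL Server also treats `[` as a metacharacter, so it must be escaped too (or a different character named in `ESCAPE`). Parameterization alone does not close this class of bug; the pattern text itself has to be sanitized.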

5.DoS on the Direct Messages (presumably a messaging DoS)

https://hackerone.com/reports/746003

6.Access to multiple production Grafana dashboards (I wonder how they fuzzed this)

https://hackerone.com/reports/663628

