Today's highlights:
1.An SRC dabbler's approach to vulnerability hunting
2.New vendor on HackerOne
https://hackerone.com/jimdo?type=team
Vulnerability hunting: learning resources
1.Malware analysis
https://github.com/sully90h/practical-malware-analysis
2.Automating XSS
https://medium.com/@keshavaarav22/automating-xss-using-dalfox-gf-and-waybackurls-bc6de16a5c75
2.Automated recon tool Findomain+: Advanced, automated and modern recon
https://findomain.app/findomain-advanced-automated-and-modern-recon/
3.Garud – An Automation Tool That Scans Sub-Domains, Sub-Domain Takeover And Then Filters Out XSS, SSTI, SSRF And More Injection Point Parameters
4.Finding And Exploiting S3 Amazon Buckets For Bug Bounties
https://medium.com/bugbountywriteup/finding-and-exploiting-s3-amazon-buckets-4ce2d501b0d4
5.Stealing your data using XSS
https://medium.com/bugbountywriteup/stealing-your-data-using-xss-bf7e4a31e6ee
6.CLICKJACKING TO OBTAIN LOGIN CREDENTIALS
https://medium.com/bugbountywriteup/clickjacking-to-obtain-login-credentials-abee3ae9825e
7.Chrome extension – scans for untrusted types
https://github.com/filedescriptor/untrusted-types
Vulnerability reports: learning resources
1.Server-side template injection: RCE via Server-Side Template Injection
https://cyc10n3.medium.com/rce-via-server-side-template-injection-ad46f8e0c2ae
2.Stealing User’s PII info by visiting API endpoint directly
https://medium.com/@kunal94/stealing-users-pii-info-by-visiting-api-endpoint-directly-5062e0147f67