Today's highlights:
1. Project Resonance Wave 1: Internet-Wide Analysis of Subdomain Takeover
https://redhuntlabs.com/blog/project-resonance-wave-1.html
https://github.com/redhuntlabs/Project-Resonance/tree/master/Wave%201%20-%20Subdomain%20Takeovers
Bug hunting resources
1. Working with Hackers – Ioana Piroska – Visma SecCon 2020
https://redhuntlabs.com/blog/project-resonance-wave-1.html
Vulnerability reports to study
1. IDOR when moving contents at CrowdSignal
https://hackerone.com/reports/915127
2. No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
https://hackerone.com/reports/915110
3. IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal
https://hackerone.com/reports/915114
4. No Rate Limit when accessing “Password protection” enabled surveys leads to bypassing passwords via “pd-pass_surveyid” cookie
https://hackerone.com/reports/905816
5. Site-wide CSRF at Atavist
https://hackerone.com/reports/951292
6. IDOR leads to Edit Anyone’s Blogs / Websites
https://hackerone.com/reports/974222
7. Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media
https://hackerone.com/reports/920005
8. Stored XSS on https://app.crowdsignal.com/surveys/%5BSurvey-Id%5D/question – Bypass
https://hackerone.com/reports/974271
Hunting tools
DNS tools:
- viewdns.info
- dnslytics.com
- dnsspy.io
- leafdns.com
- dnsdumpster.com
- intodns.com
- www.zonecut.net/dns
- xip.io
- nip.io
- ptrarchive.com
- www.whatsmydns.net
- ceipam.eu/en/dnslookup.php
- spyse.com/tools/dns-lookup
- www.buddyns.com/delegation-lab
Search engines for Hackers:
- censys.io
- shodan.io
- viz.greynoise.io
- zoomeye.org
- onyphe.io
- wigle.net
- intelx.io
- fofa.so
- hunter.io
- zorexeye.com
- pulsedive.com
- netograph.io
- vigilante.pw
- pipl.com
- abuse.ch
- maltiverse.com/search
- insecam.org
Daily bug hunting statistics
Platform | Vulnerability records | Bounties |
hackerone | 0 | 0 |
bugcrowd | 0 | 0 |