Day036

Today's highlights:

1. Cross-site scripting (XSS) cheat sheet

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#top

Vulnerability hunting resources

1. ImageMagick – Shell injection via PDF password

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

2. 403 bypass tool

https://github.com/lobuhi/byp4xx/

3. Tired of Duplicates in Bug Bounty (how to deal with duplicate vulnerability reports)

https://safaras.medium.com/tired-of-duplicates-in-bug-bounty-b34d786fe6a4

4. Automated security risk identification using AutomationML

https://www.kitploit.com/2020/11/amlsec-automated-security-risk.html

5. Active-Directory-Exploitation-Cheat-Sheet

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

6. Hunting Usernames and Accounts (OSINT)

7. Exposed — Doxers Leaking Their Own Personal Information

Vulnerability report study

1. Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile

https://hackerone.com/reports/865652

2. A password leak

3. Stealing your Github code with malicious YAML file – Bug Bounty Reports Explained

4. Stored XSS on https://app.crowdsignal.com/surveys/%5BSurvey-Id%5D/question – Bypass

https://hackerone.com/reports/974271

5. IDOR leads to Edit Anyone’s Blogs / Websites

https://hackerone.com/reports/974222

6. Stored XSS on app.crowdsignal.com + your-subdomain.survey.fm via Embed Media

https://hackerone.com/reports/920005

7. An interesting bug

https://medium.com/@vedanttekale20/story-of-an-interesting-bug-de07fbef4017
