Day044

Today's focus: subdomain takeover and automated scanning

HackerOne vulnerability report list:

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPSUBDOMAINTAKEOVER.md

Vulnerability principles

1.Web security series-15-subdomain takeover

https://houbb.github.io/2020/08/09/web-safe-15-subdomain-takeover

2.An in-depth analysis of the subdomain takeover vulnerability

https://www.secpulse.com/archives/94973.html

3.HackerOne | A guide to hunting subdomain takeover vulnerabilities

https://www.freebuf.com/articles/web/183254.html

4.Technical analysis | Let's "hijack" a GitHub custom domain for fun!

https://www.freebuf.com/articles/web/171952.html

5.Domain takeover

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

6.A GUIDE TO SUBDOMAIN TAKEOVERS

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

7.Subdomain takeovers

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

8.How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

Vulnerability analysis

1.Bug hunting experience | Azure DevOps account takeover via domain hijacking

https://www.freebuf.com/articles/web/242727.html

2.Bug hunting experience | How I bypassed Uber's single sign-on authentication via subdomain takeover

https://www.freebuf.com/news/141630.html

3.Bug hunting experience | How I found a vulnerability worth $4500 during early reconnaissance

https://www.freebuf.com/articles/network/171219.html

4.Bug hunting experience | How I took over more than 50,000 Shopify subdomains in a short time

https://www.freebuf.com/articles/web/186411.html

5.Exploiting Subdomain Takeover on S3

https://gupta-bless.medium.com/exploiting-subdomain-takeover-on-s3-6115730d01d7

Automation tools

1.Osmedeus

https://github.com/j3ssie/Osmedeus

2.OneForAll

https://github.com/shmilylty/OneForAll

3.second-order

https://github.com/mhmdiaa/second-order

4.SubOver

https://github.com/Ice3man543/SubOver

5.more

https://github.com/search?q=Subdomain+Takeover&type=

Video tutorials

1.Live Stream Subdomain Takeovers for Bug Bounties

2.Subdomain Takeover Step by Step | Bug Bounty 2020

Key task: develop an automation tool

Development progress: https://pxiaoer.blog/2020/12/01/subdomain-takeover/
