1. oauth-account-takeover
https://blog.dixitaditya.com/oauth-account-takeover
2. The tale of CVE-2021–34479 (VSCode XSS)
https://medium.com/techiepedia/the-tale-of-cve-2021-34479-vscode-xss-b336ba6cf3d6
3. Exploiting Password Reset Bugs
https://infosecwriteups.com/exploiting-password-reset-bugs-1936991d0ab0
Vulnerability analysis:
- https://hackerone.com/reports/1266828 Invitation features actually have quite a few vulnerabilities; this one bypassed the restriction on sending employee invitations, leading to account takeover.
- https://hackerone.com/reports/1256375 Blog posts were password-protected, but accessing the atom feed bypassed that and read them directly, with no permission check. Feed permissions are indeed worth testing.
- https://hackerone.com/reports/1363672 A single space bypasses a login restriction?
Hunting progress:
Started hunting on databricks