How to Start Bug Bounties 101 & How to Make a Million in 4 Years

I got lots of questions and requests, especially from newcomers to the area, so I wanted to prepare a blog post on how to start bug hunting and how to be successful at it.

First, I want to say that there is no single true way to become successful in any area, including this one. Every person has their own personality, characteristics, specialities and qualifications, so the criteria can differ from one person to another. I am only telling my own story and the mental methodology that led me to earn $1 million over 4 years.

How (not) to start in the first place?

If you are constantly asking other people how to become successful in bug bounties, or asking them to be your mentor, I can tell you for sure that this is not the right way. Nobody has a simple formula for success in any area. So the first thing to do is to stop asking people generic "how to" questions. Instead, do your homework, research the area and find your own way; this will really help you later in building a bug hunting mindset.

When I was lecturing the "Cyber Security 101" class at Istanbul Bilgi University for 4 years, the first slide of my presentation for the first term was this one:

(Slide not reproduced here. The original was in Turkish; it was translated for the blog.)

This concept can be expanded and adapted to any area. In terms of bug hunting:

  • "Learning how to use Google" is essential. I have used it roughly 50-100 times a day for the last 4 years. If you know how to use it efficiently, you can find what you are looking for faster and smarter. If you want to know how to use it efficiently, start by Googling that.
  • If your native language is not English, learning it is as essential as using Google. The most internationally accepted language in 2021 is English, and nearly all resources can be found in it.
  • I mentioned Turkish (my native language) on my original slide because knowing your native language well is important for success in any area. If you do not know your native language well in the first place, you cannot use, learn or know other languages well either. Beyond that, we use our language as a gateway to the outer world. Applied to bug hunting: to understand what you are reading and researching, to talk with other people who share your interests, to write a good report and to discuss it with the reviewer/triager, you need to know both your native language and English well. There is a related concept, the Sapir–Whorf hypothesis: "a principle suggesting that the structure of a language affects its speakers' worldview or cognition, and thus people's perceptions are relative to their spoken language." I strongly believe this, as language really does affect our perspective on life, including how we approach any subject. So knowing your own language better, plus an extra language, can bring a new point of view. (If you are into the topic, I can also recommend the 2016 sci-fi movie Arrival, which takes a unique approach to this hypothesis.)
  • "Finding your own area/speciality" is important in the long run for becoming an expert and standing out in the industry. As a real-world example, Tommy says all the time that he earned nearly all of his bug bounty payouts from a single vulnerability category, SSRF, which is good proof of what focused work can put into your wallet.
  • "Technical knowledge & experience" is everything you can bring to this area. Compared to other crafts (such as winemaking, with thousands of years of history and accumulated experience), bug hunting (like nearly every IT topic) is still a new field that changes every day, so adding value to it is easy compared to older disciplines.
  • I am not going to discuss "Keeping up to date" in detail here, because it is obvious that information technologies are updated every day, and if you do not keep up, your bugs could be out of date too 🙂
  • In terms of bug hunting, "Expanding your network/social skills" is not as important as the items above, but it can still bring you new opportunities. Human beings have been social creatures from the beginning, and working as a community always brings positive developments.

How to become successful?

From both my own experience and observations of other bug hunters' career paths and resumes, I can say that if you have penetration testing or offensive security research experience behind you, it is easier to adapt to the bug hunting discipline. But as I said, there is no point in generalizing; I personally know many successful bug hunters who never went to university, or have not yet. It really depends on the person. You could become successful at 14, or fail even after earning a PhD in Computer Science.

First, the definition of "success" here really matters, and it differs from person to person. Most of the time, success comes down to salary/payout/money; however, I can say that bug bounty hunting offers more kinds of success than a regular day job. From my point of view, I choose bug hunting over regular employment because of these wins:

  • Being your own boss: If you have really good self-discipline and do not like illogical duties coming down from a superior, this is definitely for you. This is the thing I love most about bug hunting. You are your own boss.
  • Performance-based payouts: If you are eager to earn more money, instead of changing jobs you can work for extra bucks overnight 🙂
  • Flexible working: Most new IT jobs have this as a benefit, but taking a day or a month off without asking anyone for approval is still awesome.

So even without the same salary as a day job, I would still prefer hunting for those advantages. Having them is success for me, rather than huge payouts 🙂 To sum up: to become successful, a person first needs to define their own success criteria.

Now, the starting point differs by experience level:

  • If you are starting without any IT experience, this is the toughest case. To become successful in this area, you really need to know the basics of IT: networks, hosts, software, protocols etc., basically everything. Without knowing them, finding vulnerabilities will be really hard. I suggest understanding those technologies first, e.g. installing a web server, setting up a DNS server, learning a programming language etc., and only then focusing on the security field.
  • If you are starting with IT experience but without pentest experience, this is still hard, but not the toughest. The main thing here is learning security principles. Why do we need security? What are we trying to protect? Who are we protecting it from? How can we protect it? What could the entry points be? What are the attack types? If you can start answering those questions case by case, the basics of offensive security will start taking shape in you.
  • If you are coming from pentest experience like me, I can say that the bug hunting discipline is really different from pentesting and a bit hard to get used to. Unlike pentest projects (where you find every vulnerability at every severity level), you need to focus almost entirely on exploitable vulnerabilities rather than theoretical ones. I remember reporting SQLi on pentest projects just because a ' character caused an error, or reporting unescaped <> in an HTML response, without actually trying to dump data from the DB or bypass the WAF for a working XSS. So now you need to focus on finding actual vulnerabilities with real-world scenarios and impact.

I personally prefer, and suggest, starting bug hunting after learning the security concepts and taking online trainings. You can still find vulnerabilities without strong technical skills, but most of the time they will be lucky one-off findings, which can leave you struggling later.

After starting active bug hunting, this is the mental methodology I applied, for both the short and the long term:

  • Being consistent: Especially in the first years, consistency is really important. Some days you will get some valid reports, other days you will get nothing. With consistency, you increase your chances of finding valid reports per day/week.
  • Goals & motivation: Demotivation is really common, especially in the first days/months of hunting. I personally felt demotivated thousands of times when I could not find any bugs during the day. The solution I found is focusing on realistic short- and long-term goals instead of daily wins. What matters is what you achieve on average. Setting achievable weekly/monthly/yearly goals and actually achieving them is really good for intrinsic satisfaction.
  • Variety in bugs: If you focus only on XSS bugs, you can only report XSS bugs 🙂 Especially for beginners, testing a diverse set of categories is really important. In my first year of hunting, I can say I looked for and reported all kinds of bugs. With this, you will end up with more valid reports than with less diversified testing, which reduces stress in terms of both payouts and the fear of not finding anything.
  • Focusing on some categories: As in the Tommy & SSRF example above, especially after some time, focusing on a few categories, deepening your technical knowledge of them and becoming an expert in them will really make a difference in the industry. Especially after my 2nd year of hunting, I started focusing on categories I love, such as Authorization/Authentication. Read everything about them. Apply everything you learn about them in the real world. Manually analyze every request and response. At some point, you will catch those special findings unique to you!
  • Learn platforms/mentality: Every bug bounty platform, target, program, triager etc. has an approach that differs hugely from the others. For the last 4.5 years (my whole bug hunting journey), I mostly worked (80-85%) on a single platform, which brought me success. While in my first years I mostly tested new systems/targets each week, for the last 2 years in particular I started re-testing my old targets every 6 months, which is where I earned most of my payouts. In this period, I found that application owners introduce lots of new vulnerabilities while patching the reported ones, and these are overlooked most of the time. Also, testing and getting used to the same technologies builds deeper technical knowledge about them, which makes it possible to report more complex and well-hidden bugs. So while testing different applications/targets extends and diversifies your knowledge, re-testing the same ones from time to time yields new discoveries that would otherwise go unnoticed.
  • Have your own mental methodology: Every successful bug hunter I have met has a unique approach to testing, shaped over time. So find the methodologies that suit you best and improve them along the way.

Last thoughts

As I said in the prologue of this post: "There is no single true way to become successful in any area." Every human being has their own journey. We will always use others' experiences for self-development, as throughout history, but we will also shape our own journeys through individual effort and diligence.

Stay safe and may luck be on your side 🙂

[Repost] [Vulnerability analysis] GitHub access token exposure

HackerOne disclosed a $50,000 report; I want to talk about it today.

Link: https://hackerone.com/reports/1087489

The report is actually simple: a Shopify employee built an application and accidentally shipped the .env file with it. That .env file contained a token for Shopify's GitHub repositories, which gave access to those repositories.

Why had this GitHub token not been found before? Mainly because the employee had built an Electron application and published it to the public internet, and the token only surfaced because someone analyzed the Electron app and found the .env file inside its bundled file system.

The odds of this happening are very small: the employee used a work computer, published an application, the application packaged the local .env file, and finally a security researcher had to analyze the application.

Still, we can use this example to look at how to scan for GitHub tokens and similar credentials.

Currently, GitHub's secret scanning service warns users of public repositories about this. Link: https://docs.github.com/cn/code-security/secret-security/about-secret-scanning

Scanner list

  1. Gittyleaks: does not look usable
  2. GitHub's official secret scanning feature
  3. Git Secrets: released by AWS, used to block commits that contain AWS keys
  4. Repo Supervisor: finds misconfigurations and passwords
  5. Truffle Hog: searches with regular expressions and high-entropy string detection, covering branches and commit history (recommended)
  6. Git Hound: checker written in Go
  7. Gitrob: written in Go, no longer maintained
  8. Watchtower Radar API: AI-driven detection; turned out to be a commercial product, worth a look
  9. Repo security scanner: a command-line tool
  10. GitGuardian: also a commercial product
  11. Shhgit: very impressive
  12. yar
  13. GitGot
  14. git-wild-hunt

Chinese GitHub scanners

  1. GSIL
  2. Hawkeye
  3. 码小六 (code6), recommended: https://github.com/4x99/code6

Problems with scanners

Traditional scanners essentially match keywords, and they run those keyword queries through GitHub's own search, so the results largely overlap with GitHub's official service and do not yield much more.

This is also at odds with starting from the account: the kind of leak we want to find is tied to the account owner's company and position.

Directions for improvement

  1. Keywords

You really need to write your own rules; many leaks require very sensitive rules and deep scanning, and you are racing other people for time, so it is genuinely hard.

Dotfile example: https://www.freebuf.com/articles/web/201871.html

2. Scan scope

Commit history also needs to be scanned, not only the current tree.

3. Starting from people vs. starting from projects

Starting from people, you can scan across GitHub, group accounts by company, and look for company information in those accounts' other projects.

Starting from a project, you can take one project, get every repo of every contributor, and search those for information.

For monitoring, an account's latest starred repos are also useful: once we know which company an account belongs to, we can infer that person's and that company's tech stack and what they have been looking at recently. There is a lot that can be done with this.

4. The role of AI

This still involves a lot of NLP, plus classification and clustering algorithms; it depends on how much data you have. Crawling all of GitHub should not be hard; the key is deciding what to focus on. Data mining on account information is also an option.

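A minimal scanner covering the two scopes discussed above, the bundled .env file and git commit history, as an added example (this is not code from the original post or from any scanner in the list). It uses regex rules for documented token prefixes (GitHub ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_, AWS AKIA/ASIA) plus a Shannon entropy heuristic for KEY=value assignments; the entropy threshold, the sample .env and the sample diff are constructed for the demo. For history, feed it the output of `git log -p`: only the added lines of each hunk are scanned, so a token that was committed and deleted again is still caught.

```python
"""Minimal secret scanner: regex rules for documented token formats plus an
entropy heuristic for .env-style assignments. Scans a plain file body (a .env
pulled out of an app bundle) or a unified diff (`git log -p` output), looking
only at added lines in the diff case. Added example, not the post's own code."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Documented prefixes; length bounds are loose so newer variants still match.
RULES = {
    "github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{80,})\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# KEY=value line whose key smells like a credential; the value is judged by entropy.
ASSIGN = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)"
    r"[A-Z0-9_]*)\s*=\s*[\"']?([^\"'\s#]+)", re.I)
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off that skips placeholders like "changeme"

# Constructed samples (not taken from the HackerOne report).
SAMPLE_ENV = """\
# .env that ended up inside an app bundle
APP_NAME=inventory-sync
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=pX9!qL2$vN7@wR4m
SMTP_PASSWORD=changeme
DEBUG=true
"""
SAMPLE_DIFF = """\
diff --git a/config/.env b/config/.env
new file mode 100644
--- /dev/null
+++ b/config/.env
@@ -0,0 +1,3 @@
+APP_NAME=inventory-sync
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+SMTP_PASSWORD=changeme
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # inventory-sync
-Old line
+Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE in your shell.
+See docs.
"""


@dataclass
class Finding:
    source: str   # file name, or a label for plain text
    line: int     # 1-based line number in the new version of the file
    rule: str
    preview: str  # masked secret, safe to paste into a report


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    return secret[:6] + "..." if len(secret) > 8 else "***"


def scan_line(text: str) -> list:
    """[(rule, secret)] for one line; a specific rule wins over the entropy heuristic."""
    hits = [(name, m.group(0)) for name, rx in RULES.items() for m in rx.finditer(text)]
    if hits:
        return hits
    m = ASSIGN.match(text)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return [("high_entropy_assignment", m.group(2))]
    return []


def scan_text(text: str, source: str) -> list:
    """Scan a plain file body such as a .env extracted from an app bundle."""
    return [Finding(source, n, rule, mask(sec))
            for n, line in enumerate(text.splitlines(), 1)
            for rule, sec in scan_line(line)]


def scan_diff(diff_text: str) -> list:
    """Scan only the '+' lines of a unified diff, tracking file name and new line number."""
    findings, current, lineno = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:]
            current = current[2:] if current.startswith("b/") else current
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)          # start line of the new-file side
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            findings += [Finding(current, lineno, r, mask(s)) for r, s in scan_line(raw[1:])]
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1                              # context line advances the counter
        # '-' lines, 'diff --git' and mode lines: nothing to scan, no line advance
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, "app.asar/.env") + scan_diff(SAMPLE_DIFF):
        print(f"{f.source}:{f.line}: {f.rule} {f.preview}")
```

The entropy rule is what keeps the generic KEY=value check useful: DB_PASSWORD's random-looking value is flagged while SMTP_PASSWORD=changeme is not, and lines that already matched a specific token format are not reported twice.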
References:

1. Building a GitHub Secrets Scanner https://developer.okta.com/blog/2021/02/01/building-a-github-secrets-scanner

2. Build your own GitHub code-leak monitoring tool https://www.freebuf.com/articles/web/173479.html

3. Build your own GitHub code-leak monitoring tool, improved version https://www.freebuf.com/sectool/188102.html

4. How to use GitHub to search for sensitive information https://www.freebuf.com/articles/network/192643.html

Day048

1. Why is recon the key to making money in bug hunting?

Link: https://twitter.com/osiryszzz/status/1378540350281687044

Steps:

1 – The SQLis were damn easy to identify; discovering the affected resources, not so much. Lots of recon (gau, Google dorking, spidering, URL guessing) on the target. Discovered a number of web services, but no vulns.

2 – Kept URL guessing and found a zip file containing web.config. Several creds leaked; more interesting were the URLs disclosed in there, as they point to asmx web services. Turns out 90% of these are on sites out of scope.

3 – The paths of these web services were somehow similar to other folders and a couple of web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations, to see if the site had these endpoints just in different folders.

4 – dict1: known folders on the target. dict2, dict3: paths extracted from the URLs in web.config, with some permutations based on name similarities I inferred. dict4: endpoints from web.config. Ran ffuf cluster-bomb style over 35k possibilities, found 10+.

5 – 10+ web services that were supposedly on OOS sites, but available in different locations on the in-scope target. Each web service had many endpoints (some even 30-40). Moral of the story: these had more holes than Swiss cheese. That's where all the SQLis were.

6 – TL;DR: had I reported the web.config finding immediately, other people would have seen the URLs and perhaps located these web services on the target. I didn't report it, and worked until I found their location and reported as many SQLis as I could.

7 – My takeaway and tip for the reader: don't report a bug as soon as you find it, especially if it shows that it can be used to further own a target. Keep the intel for yourself and hack. If after a while it doesn't lead to anything, report the bug and move on.

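The dictionary-building step in the thread above (steps 3 and 4), reconstructed as an added example; this is not the thread author's tooling. It pulls the service URLs out of a leaked web.config, splits them into directory names and endpoint file names, generates naming permutations (Service/Svc/WS/WebService) and sibling folder names, and emits the ffuf cluster-bomb command that tries every ROOT x DIR x EP combination against the in-scope host. The web.config body, the hostnames, the "known folders" list and the suffix/synonym sets are all assumptions made for the demo.

```python
"""Build ffuf wordlists from URLs leaked in a web.config and emit the
cluster-bomb command. Added example, not the thread author's own tooling."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Constructed web.config fragment; real ones also carry connection strings and creds.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="OrderServiceUrl" value="https://internal-api.example.com/Services/Orders/OrderService.asmx" />
    <add key="BillingServiceUrl" value="https://legacy.example.com/WebServices/Billing/BillingSvc.asmx" />
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db1;Database=shop;User Id=app;Password=REDACTED" />
  </connectionStrings>
</configuration>
"""

URL_RX = re.compile(r"https?://[^\s\"'<>]+")
NAME_SUFFIXES = ("WebService", "Service", "Svc", "WS")            # assumed endpoint naming styles
DIR_SYNONYMS = {"Services", "WebServices", "Service", "WS", "API"}  # assumed sibling folder names


def extract_urls(xml_text: str) -> list:
    """Every http(s) URL found in any attribute value of the config."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for value in el.attrib.values():
            found += URL_RX.findall(value)
    return found


def name_variants(filename: str) -> list:
    """OrderService.asmx -> Order.asmx, OrderSvc.asmx, OrderWS.asmx, ... (suffix swapped)."""
    stem, dot, ext = filename.partition(".")
    base = stem
    for suf in NAME_SUFFIXES:
        if stem.lower().endswith(suf.lower()) and len(stem) > len(suf):
            base = stem[:-len(suf)]
            break
    variants = {stem, base} | {base + suf for suf in NAME_SUFFIXES}
    return sorted(v + dot + ext for v in variants)


def dir_variants(segment: str) -> set:
    """A folder named like a service container gets all its synonyms tried too."""
    return DIR_SYNONYMS if segment in DIR_SYNONYMS else {segment}


def build_wordlists(xml_text: str, known_folders: list) -> dict:
    """ROOT = dict1 (known folders), DIR = dict2/3 (config path segments plus
    siblings), EP = dict4 (endpoint file names plus permutations)."""
    dirs, endpoints = set(), set()
    for url in extract_urls(xml_text):
        segments = [s for s in urlparse(url).path.split("/") if s]
        if segments and "." in segments[-1]:        # leaf with an extension is the endpoint
            endpoints.update(name_variants(segments.pop()))
        for seg in segments:
            dirs |= dir_variants(seg)
    return {"ROOT": sorted(set(known_folders)), "DIR": sorted(dirs), "EP": sorted(endpoints)}


def ffuf_command(base_url: str, lists: dict, outdir: str = "wordlists") -> str:
    """One -w file:KEYWORD per list; -mode clusterbomb walks every combination."""
    words = " ".join(f"-w {outdir}/{k}.txt:{k}" for k in lists)
    return f"ffuf -mode clusterbomb {words} -u {base_url}/ROOT/DIR/EP -mc 200,401,403,500"


def write_wordlists(lists: dict, outdir: str = "wordlists") -> None:
    Path(outdir).mkdir(exist_ok=True)
    for k, words in lists.items():
        Path(outdir, f"{k}.txt").write_text("\n".join(words) + "\n")


if __name__ == "__main__":
    lists = build_wordlists(SAMPLE_WEB_CONFIG, ["api", "app", "legacy", "services"])  # dict1: constructed
    write_wordlists(lists)
    total = len(lists["ROOT"]) * len(lists["DIR"]) * len(lists["EP"])
    print(f"{total} requests:", ffuf_command("https://target.example.com", lists))
```

With the sample config this is 4 x 7 x 10 = 280 requests; the thread's 35k comes from the same product with larger lists. Keep `-mc` tight to the codes that distinguish "exists" from "not there" on the target (401/403 on an IIS host usually means the asmx is present but gated), and review hits by hand before calling them in scope.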
2. I Built a TV That Plays All of Your Private YouTube Videos

Link: https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/

3. Breaking GitHub Private Pages for $35k

Link: https://robertchen.cc/blog/2021/04/03/github-pages-xss

4. BugBountyTip

Link: https://twitter.com/intigriti/status/1379044920074375175

Day047

1. A problem with Twitter's image preview cropping

Link: https://twitter.com/David3141593/status/1368957384471810048

Testing Twitter's image cropping: it really can be used to hide things. I don't know whether Weibo has the same problem; I haven't tested it yet.

2. Reproducing a vulnerability: Google SSRF bypass

Link: http://omespino.com/write-up-google-vrp-n-a-ssrf-bypass-with-quadzero-in-google-cloud-monitoring/

Each daily vulnerability reproduction will get its own article.

3. A GraphQL vulnerability report

Link: https://infosecwriteups.com/somebody-call-the-plumber-graphql-is-leaking-again-654bf1a38d26

4. GitHub's README project: how to manage the security of an open source project

Link: https://github.com/readme/octoverse-security

5. Git clone vulnerability

6. Finding dangling DNS record vulnerabilities

Link: https://gist.github.com/TheBinitGhimire/9ebcd27086a11df1d7ec925e5f604e03

Mainly automates the whole process.

Day046

1. Dependency confusion attack

Link: https://redhuntlabs.com/blog/dependency-confusion-attack-what-why-and-how.html

Thought-provoking. For example, opencv-python is imported as import cv2, but many people will just run pip install cv2; that mismatch between import name and package name gives attackers an opening.

Supply chain attack: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

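Two pip-side checks against the problem in the note above, added here as an example (not from either linked article). The first looks up which installed distribution actually provides an import name, so a failed import cv2 does not turn into pip install cv2 by reflex. The second lints a requirements file for --extra-index-url (pip merges the public and the extra index and takes the highest version, which is exactly the confusion attack) and for internal packages that are neither pinned nor hash-locked. The internal name prefix, the requirements text and the module-to-distribution mapping are constructed for the demo; with no mapping passed, the lookup uses importlib.metadata.packages_distributions() from the running interpreter (Python 3.10+).

```python
"""pip-side dependency-confusion checks. Added example, not code from the linked articles."""
import re

INTERNAL_PREFIXES = ("acme-",)  # constructed: packages on the private index start with this


def _norm(name: str) -> str:
    """PEP 503 name normalization so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def distributions_for(module: str, mapping: dict = None) -> list:
    """Distributions that provide top-level import `module`.
    Defaults to importlib.metadata.packages_distributions() (Python 3.10+)."""
    if mapping is None:
        from importlib.metadata import packages_distributions
        mapping = packages_distributions()
    return sorted(mapping.get(module, []))


def safe_to_pip_install(module: str, mapping: dict = None) -> bool:
    """True only when the import name is itself a distribution name. Otherwise the
    package to install is whatever distributions_for() returned, not `module`;
    an unknown module is also unsafe, since `pip install <import name>` is a guess."""
    return _norm(module) in {_norm(d) for d in distributions_for(module, mapping)}


def lint_requirements(text: str, internal_prefixes=INTERNAL_PREFIXES) -> list:
    """Return (line_no, rule, message) for settings that let a public package win."""
    prefixes = tuple(_norm(p) for p in internal_prefixes)
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append((n, "extra-index-url",
                             "public and private indexes are merged and the highest version wins; "
                             "use a single --index-url proxy that serves both"))
            continue
        if line.startswith("-"):          # other options (-r, --index-url, ...) are fine here
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", line)
        name, spec = m.group(1), m.group(2)
        if not _norm(name).startswith(prefixes):
            continue
        if "==" not in spec:
            findings.append((n, "unpinned-internal",
                             f"{name}: pin with == so a higher public version cannot be chosen"))
        if "--hash=" not in spec:
            findings.append((n, "no-hash",
                             f"{name}: add --hash=sha256:... (hash-checking mode needs it on every line)"))
    return findings


# Constructed demo inputs.
SAMPLE_MAPPING = {"cv2": ["opencv-python"], "yaml": ["PyYAML"], "requests": ["requests"]}
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example.com/simple
requests==2.31.0
acme-billing
acme-auth==1.4.2
acme-core==3.0.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for mod in ("cv2", "yaml", "requests"):
        print(mod, "->", distributions_for(mod, SAMPLE_MAPPING),
              "safe to pip install by import name:", safe_to_pip_install(mod, SAMPLE_MAPPING))
    for n, rule, msg in lint_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {rule}: {msg}")
```

The lint deliberately treats --index-url as fine and --extra-index-url as the finding: the fix for pip is one private index (or proxy) that serves both internal and mirrored public packages, plus pins and hashes so that even a substituted upstream package fails to install.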
2. QuickXSS, a new tool

Link: https://github.com/theinfosecguy/QuickXSS

Took a look: it is a bash script that installs some libraries and then generates payloads.

3. Some target reconnaissance resources

https://github.com/ffuf/ffuf

https://hackingpassion.com/shodan-com…

https://github.com/tomnomnom

https://github.com/projectdiscovery

https://github.com/michenriksen/aquatone

https://pentest-tools.com/information…

https://github.com/jobertabma/virtual…

https://github.com/EnableSecurity/waf…

https://github.com/danielmiessler/Sec…

https://github.com/yasinS/sandcastle

https://digi.ninja/projects/bucket_fi…

https://youtu.be/1Kg0_53ZEq8

4. Some material on API security testing

Had a quick look; it is all examples, very good.

5. The article about taking over Microsoft accounts

I have seen this article in several places; $50,000 is actually not that much.

After the encrypted request was cracked, the internal WAF still imposed limits; let's see how the author got past them.

So the requests had to arrive at the same time for the WAF not to block the IP. How did the author do that?

The author only attacked accounts that log in with username and password; accounts with two-factor authentication enabled could not be taken over. The author used a lot of compute resources and 1000 IPs to complete the attack.

Most people will test username and password, but finding a bypass for the system's limits really is hard.

6. Finding a hidden login form that exposes a secret client_id

Link: https://ahmdhalabi.medium.com/finding-hidden-login-endpoint-exposing-secret-client-id-88c3c2a1af45

The author stumbled on a login form, but it complained that the clientID was missing. The author then searched Google directly, found the clientID, and logged straight in.

Dork: site:accounts.redacted.com inurl:client_id

The author also learned from communicating with the internal team that this value existed, and only then found it via Google, which bumped the severity up a level.