Day051: Reinforcement Day 1

Tried to dig up some broken access control (unauthorized access) vulnerabilities

Some references on broken access control vulnerabilities

  1. https://sec.nmask.cn/article_content?a_id=a484681d2c7b61b9c018fafe67b59c9a
  2. https://cloud.tencent.com/developer/article/1516373
  3. https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPIDOR.md
  4. https://www.cnblogs.com/AirCrk/p/12915798.html
  5. https://nosec.org/home/detail/4195.html
  6. https://hackerone.com/reports/869705

Configured some Burp plugins and tried out the Goby and Xray integration

Day044

Today's focus: subdomain takeover and automated scanning

HackerOne report list:

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPSUBDOMAINTAKEOVER.md

How the vulnerability works

1.Web Security Series 15: Subdomain Takeover

https://houbb.github.io/2020/08/09/web-safe-15-subdomain-takeover

2.In-depth analysis of Subdomain Takeover vulnerabilities

https://www.secpulse.com/archives/94973.html

3.HackerOne | A guide to hunting subdomain takeover vulnerabilities

https://www.freebuf.com/articles/web/183254.html

4.Technical analysis | Let's "hijack" a GitHub custom domain for fun!

https://www.freebuf.com/articles/web/171952.html

5.Domain takeover

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

6.A GUIDE TO SUBDOMAIN TAKEOVERS

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

7.Subdomain takeovers

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

8.How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

Vulnerability analyses

1.Bug hunting experience | Azure DevOps account takeover via domain takeover

https://www.freebuf.com/articles/web/242727.html

2.Bug hunting experience | How I bypassed Uber's single sign-on authentication via subdomain takeover

https://www.freebuf.com/news/141630.html

3.Bug hunting experience | How I found a vulnerability worth $4500 during early reconnaissance

https://www.freebuf.com/articles/network/171219.html

4.Bug hunting experience | How I took over more than 50,000 Shopify subdomains in a short time

https://www.freebuf.com/articles/web/186411.html

5.Exploiting Subdomain Takeover on S3

https://gupta-bless.medium.com/exploiting-subdomain-takeover-on-s3-6115730d01d7

Automation tools

1.Osmedeus

https://github.com/j3ssie/Osmedeus

2.OneForAll

https://github.com/shmilylty/OneForAll

3.second-order

https://github.com/mhmdiaa/second-order

4.SubOver

https://github.com/Ice3man543/SubOver

5.more

https://github.com/search?q=Subdomain+Takeover&type=

Video tutorials

1.Live Stream Subdomain Takeovers for Bug Bounties

2.Subdomain Takeover Step by Step | Bug Bounty 2020

Focus: developing an automation tool

Development progress: https://pxiaoer.blog/2020/12/01/subdomain-takeover/

Day042

Today's focus:

1.Bheem, a reconnaissance platform that aggregates many tools

https://github.com/harsh-bothra/Bheem

Bug hunting resources

1.bug-bounty-dorks

https://github.com/sushiwushi/bug-bounty-dorks

2.dirsearch

https://github.com/maurosoria/dirsearch

3.gin – a Git index file parser

https://github.com/sbp/gin

4.KingOfBugBountyTips

https://github.com/KingOfBugbounty/KingOfBugBountyTips

Vulnerability report study

1.The YouTube bug that allowed unlisted uploads to any channel

https://medium.com/bugbountywriteup/the-youtube-bug-that-allowed-uploads-to-any-channel-3b41c7b7902a

2.Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters

3.Account Takeover(ATO) and Email verification bypass in 2mins

https://medium.com/@karthiksoft007/account-takeover-ato-and-email-verification-bypass-in-2mins-5a6c8cb692a7

4.Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

https://hackerone.com/reports/530974

5.Bcrypt — Account TakeOver Due To Weak Encryption — #HR51KDB

https://medium.com/bugbountywriteup/bcrypt-account-takeover-due-to-weak-encryption-hr51kdb-4418f6e65907

Day041

Today's focus:

1.Reconnaissance tool: 3klCon

https://github.com/eslam3kl/3klCon

Bug hunting resources

1.Bug Hunting Tactics

https://speakerdeck.com/harshbothra/bug-hunting-tactics

2.Bounty Thursdays – Wordlists for content discovery and API bugs!

3.Beginner’s Guide to CTFs

https://medium.com/bugbountywriteup/beginners-guide-to-ctfs-c934a0d7f5f9

Vulnerability report study

1.My bug bounty journey. The middle-class boy who wanted everything for free.

https://vivekps143.medium.com/my-bug-bounty-journey-the-mind-of-a-middle-class-boy-who-wanted-everything-for-free-1456e160817c

Day040

Focus: developing fuzzing tools in Rust

Github: https://github.com/pxiaoer/rfuss2

Articles:

1.Build simple fuzzer – part 1

https://carstein.github.io/2020/04/18/writing-simple-fuzzer-1.html

2.Build simple fuzzer – part 2

https://carstein.github.io/2020/04/25/writing-simple-fuzzer-2.html

3.Build simple fuzzer – part 3

https://carstein.github.io/2020/05/02/writing-simple-fuzzer-3.html

4.Build simple fuzzer – part 4

https://carstein.github.io/2020/05/21/writing-simple-fuzzer-4.html

Day039

Today's focus:

1.Zero-day in Sign in with Apple

https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/

Bug hunting resources

1.SAML Testing

2.SSTI to Local File Read

https://www.r29k.com/articles/bb/ssti

3.crtfinder v2

https://github.com/eslam3kl/crtfinder

4.Exploiting dynamic rendering engines to take control of web apps

https://r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps/

5.Bug-Bounty-Toolz

https://github.com/m4ll0k/Bug-Bounty-Toolz

6.Reconizer

https://github.com/Sicks3c/Reconizer

7.Bug-Bounty-Roadmaps

https://github.com/1ndianl33t/Bug-Bounty-Roadmaps

Vulnerability report study

1.Chaining vulnerabilities lead to account takeover

https://ahzsec.medium.com/chaining-vulnerabilities-lead-to-account-takeover-b583f0c10591

2.Unauthenticated Account Takeover Through HTTP Leak

https://medium.com/bugbountywriteup/unauthenticated-account-takeover-through-http-leak-33386bb0ba0b

3.Spear Phishing in Google Cloud

https://medium.com/@filipz0203/spear-phishing-in-google-cloud-a80fb42577fe