mirror of
https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters.git
synced 2024-11-13 23:57:05 +00:00
see changelog
This commit is contained in:
parent
f5a8b7307b
commit
e8ba9c566d
5 changed files with 19 additions and 0 deletions
|
@ -19,6 +19,7 @@ A collection of Blog Posts ordered by Vulnerability Types
|
|||
- [Buffer Overflow](#Buffer-Overflow)
|
||||
- [IDOR](#IDOR)
|
||||
- [GraphQL](#GraphQL)
|
||||
- [RCE](#RCE)
|
||||
- [Misc](#Misc)
|
||||
---
|
||||
## XSS
|
||||
|
@ -93,11 +94,15 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
|
|||
- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
|
||||
- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
|
||||
- [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
|
||||
- [Automating BURP to find IDORs](https://medium.com/cyberverse/automating-burp-to-find-idors-2b3dbe9fa0b8) - [Aditya Soni](https://medium.com/@hetroublemakr)
|
||||
|
||||
## GraphQL
|
||||
- [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
|
||||
- [Graphql Abuse to Steal Anyone’s Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
|
||||
|
||||
## RCE
|
||||
- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
|
||||
|
||||
## Misc
|
||||
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
|
||||
- [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
|
||||
|
@ -105,6 +110,7 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
|
|||
- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
|
||||
- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
|
||||
- [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
|
||||
- [How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN](https://blog.detectify.com/2019/09/19/alyssa-herrera-pulse-corporate-networks-ssl-vpn/) - [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
|
||||
|
||||
---
|
||||
back to [Intro Page](/README.md)
|
|
@ -4,6 +4,16 @@
|
|||
|
||||
Updates to this repo will be pushed monthly. You can read about the latest changes below.
|
||||
|
||||
## Update 2020.02
|
||||
### Added
|
||||
- New XSS Lab: **XSS Labs from PwnFunction**
|
||||
- New Recon & OSINT Tool: **Reconness**
|
||||
- New [IDOR Blogspost](/assets/blogposts.md#IDOR): **Automating BURP to find IDORs**
|
||||
- New [Misc Blogpost](/assets/blogposts.md#Misc): **How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN**
|
||||
- New Blogspost Category: [RCE](/assets/blogposts.md#RCE)
|
||||
- New RCE Blogpost :**My First RCE (Stressed Employee gets me 2x bounty)**
|
||||
- New Vulnerabilities Post: **The 7 main XSS cases everyone should know**
|
||||
|
||||
## Update 2020.01
|
||||
### Added
|
||||
- New changelog page
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
- [DWVA](http://www.dvwa.co.uk)
|
||||
- [Google Gruyere](https://google-gruyere.appspot.com/)
|
||||
- [Web Security Academy by PortSwigger](https://portswigger.net/web-security)
|
||||
- [XSS Labs from PwnFunction](https://xss.pwnfunction.com/) Great Labs in a beautiful layout
|
||||
|
||||
---
|
||||
back to [Intro Page](/README.md)
|
|
@ -33,6 +33,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|
|||
|[httprobe](https://github.com/tomnomnom/httprobe)|Take a list of domains and probe for working http and https servers.|Go|[Tom Hudson](https://github.com/tomnomnom)|
|
||||
|[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
|
||||
|[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
|
||||
|[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
|
||||
|
||||
#### OSINT Webpages
|
||||
| Name | Description | Created by |
|
||||
|
|
|
@ -16,6 +16,7 @@ As we start to build this repository, we'll be adding more vulnerability types a
|
|||
- [Google Application Security (XSS Guide)](https://www.google.com/intl/am_AD/about/appsecurity/learning/xss/)
|
||||
- [What is PHP and why is XSS so common there?](https://www.youtube.com/watch?v=Q2mGcbkX550) - by LiveOverflow
|
||||
- [Finding Your First Bug: Cross Site Scripting (XSS)](https://www.youtube.com/watch?v=IWbmP0Z-yQg) - by InsiderPhD
|
||||
- [The 7 main XSS cases everyone should know](https://brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/) - [brutelogic](https://brutelogic.com.br/blog/about/)
|
||||
|
||||
## Cross-Site Request Forgery (CSRF)
|
||||
- [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction
|
||||
|
|
Loading…
Reference in a new issue