Bug Bounty Career - Web Hacking

admin, 2024-01-06 08:36:18

Strengthening the study of cybersecurity career and skills, based on joas's ebooks

From: Bug Bounty Career – WEB HACKING.pdf

last update: 2020/12/04

Details

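  • The goal is to help information security professionals, enthusiasts, and even young people get into the bug bounty field;
  • Understand the skills needed to work in the bug bounty field;
  • Of course, this is not a guide that will make you a professional, but I hope it helps;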

Bug Bounty Platforms

  • 1.HackerOne
  • 2.Bugcrowd
  • 3.Intigriti
  • 4.Bug Hunt
  • 5.Hackaflag
  • 6.Yogosha
  • 7.Zero Day Initiative
  • 8.Open Bug Bounty
  • 9.YesWeHack
  • 10.Cobalt.io
  • 11.Synack Red Team
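  • Chinese domestic SRCs (Security Response Centers) & crowdsourced testing
    • Rating table of domestic SRC vendors - for reference only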
    • https://docs.qq.com/sheet/DUnRXdkx2U0JOQVZu

Skills Bug Bounty Hunter

  • Knowledge of Programming Logic;
  • Knowledge of Web Attack Vectors;
  • Knowledge of Reverse Engineering;
  • Web Development Skills;
  • Practiced Programming Logic;
  • Computing Fundamentals;
  • CTF Player;
  • Knowledge of Computer Networking;
  • Knowledge of System Administration (Linux and Windows);
  • Knowledge of Cloud Computing (AWS, Google and Azure);
  • Infrastructure Exploitation Skills;

Web Vulnerabilities – TOP 17

  1. Open Redirect;
  2. HTTP Parameter Pollution;
  3. Cross-Site Request Forgery;
  4. HTML Injection and Content Spoofing;
  5. Carriage Return Line Feed Injection;
  6. Cross Site Scripting;
  7. Template Injection;
  8. SQL Injection;
  9. Server Side Request Forgery;
  10. XML External Entity;
  11. Remote Code Execution;
  12. Memory Vulnerabilities;
  13. Subdomain Takeover;
  14. Race Conditions;
  15. Insecure Direct Object References;
  16. OAuth Vulnerabilities;
  17. Application Logic and Configuration Vulnerabilities;

Web Vulnerabilities - List

https://owasp.org/www-community/vulnerabilities/

Vulnerabilities – HackerOne Rank

https://www.hackerone.com/top-ten-vulnerabilities

Resources

  • https://infosecwriteups.com/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65 ✨
  • https://github.com/EdOverflow/bugbounty-cheatsheet ✨
  • https://github.com/djadmin/awesome-bug-bounty ✨
  • https://github.com/devanshbatham/Awesome-Bugbounty-Writeups ✨
  • https://github.com/Muhammd/awesome-bug-bounty
  • https://github.com/ajdumanhug/awesome-bug-bounty-tips
  • https://medium.com/bugbountyhunting/bug-bounty-toolkit-aa36f4365f3f
  • https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters ✨
  • https://github.com/bobby-lin/study-bug-bounty
  • Writeups
    • https://pentester.land/writeups/ ✨
    • https://infosecwriteups.com/
    • https://github.com/yaworsk/bugbounty/blob/master/writeups.md
    • https://paper.seebug.org/802/
  • Tools
    • https://github.com/KingOfBugbounty/KingOfBugBountyTips ✨
    • https://hackbotone.com/10-recon-tools-for-bug-bounty-bafa8a5961bd?gi=415999c256c4
    • https://portswigger.net/solutions/bug-bounty-hunting/best-bug-bounty-tools
    • https://www.hackerone.com/ethical-hacker/100-hacking-tools-and-resources ✨
    • https://github.com/vavkamil/awesome-bugbounty-tools ✨

Originally published on the WeChat official account (ACT Team): Bug Bounty Career - Web Hacking
