漏洞报告
【 Recorded Future】Dom Xss 漏洞
https://hackerone.com/reports/1448616【 U.S. Dept Of Defense】ADF Faces 中的错误设置导致信息泄露
https://hackerone.com/reports/1422641【 U.S. Dept Of Defense】反射型xss
https://hackerone.com/reports/1223577【 U.S. Dept Of Defense】通过隐藏参数“████████”在 https://███████ 中反射 XSS
https://hackerone.com/reports/1029238【 U.S. Dept Of Defense】 log4j 任意代码执行
https://hackerone.com/reports/1423496【GitHub Security Lab】#1454582 [Java] CWE-552:查询以检测不安全的请求调度程序使用情况
https://hackerone.com/reports/1454582
挖洞技巧
研究人员绕过基于 SMS 的多因素身份验证保护 Box 帐户
https://thehackernews.com/2022/01/researchers-bypass-sms-based-multi.htmlCAPTAIN HOOK - 如何(不)寻找 JAVA 应用程序中的漏洞
https://www.synacktiv.com/en/publications/captain-hook-how-not-to-look-for-vulnerabilities-in-java-applications.htmlWindows RPC 协议中另一个意外的提权漏洞
https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol/
挖洞工具
- espoofer是一种开源测试工具,可绕过电子邮件系统中的 SPF、DKIM 和 DMARC 身份验证。它可以帮助邮件服务器管理员和渗透测试人员检查目标电子邮件服务器和客户端是否容易受到电子邮件欺骗攻击或被滥用来发送欺骗电子邮件。
https://github.com/chenjj/espoofer