漏洞报告

价值1.75万美刀的全回显SSRF

https://hackerone.com/reports/1406938

TikTok SMB子账号接管

https://hackerone.com/reports/1404612

基于X-Forwarded-Host的XSS

https://hackerone.com/reports/1392935

挖洞技巧

SSRF绕过姿势

https://github.com/cujanovic/SSRF-Testing

使用谷歌标签管理感染网站

https://decoded.avast.io/pavlinakopecka/web-skimming-attacks-using-google-tag-manager/

挖洞工具

Java自动代码审计工具，尤其针对Spring框架

https://github.com/4ra1n/SpringInspector

CSRF扫描器

https://github.com/s0md3v/Bolt

攻击方对靶标资产梳理，快速定位脆弱资产的网络空间测绘安全工具

https://github.com/binganao/TaiO