bug bounty tips(10-19 2022)
2022-11-2 15:28:19 Author: 安全狗的自我修养(查看原文) 阅读量:10 收藏

bug bounty tips(10-19 2022)

vscode文件中存在的敏感信息


org:company filename:sftp.json
org:company host AND pass
user:name filename:sftp.json
user:name host AND pass
"company.com" host AND pass

示例:

{
    "protocol": "sftp",
    "host": "example.com",
    "remotePath": "/var/www",
    "username": "root",
    "password": "swordfish!23"
}

S3凭证泄露


org:company filename:.credentials
org:company aws_secret_access_key OR aws_secret_key
user:name filename:.credentials
user:name aws_secret_access_key OR aws_secret_key
user:name aws_secret_access_key OR aws_secret_key

示例:

#
 AWS Credentials file
[default]
aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone
aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX
[second-profile]
aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone
aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX

api模糊测试相关的tip

/api/metadata和/api/resource加入到你的字典

auth token bypass


/api/users/login -----> 需要有two-factor认证
/api/users/auth-token  --------->绕过

其它学习教程。


文章来源: http://mp.weixin.qq.com/s?__biz=MzkwOTE5MDY5NA==&mid=2247486007&idx=4&sn=598a7b74f2c20677275beab9a5c8d4de&chksm=c13f397ef648b06866906066197b3e988dc30a4164f324f82efd05d38f76be4ea1eef5fd99a1#rd
如有侵权请联系:admin#unsafe.sh