Top 3 tools for Bug Bounty/Pentesting (2025)
The article introduces several practical web application security tools, such as Waybackurls for retrieving historical URLs, BreachCollection for searching leaked credentials, and Crt.sh for finding subdomains. These tools are very effective in bug bounty hunting.

2025-12-15 08:32:45 Author: infosecwriteups.com

Appsec.pt

There are lots of web app security tools. Some of them are very well known, like BurpSuite, Nmap, Nuclei, ffuf, etc., whilst others, even though they are very good, have flown under the radar, or are not being used to their full potential by most hackers.

I will share some tools/websites that will surely be very effective in your Bug Bounty adventures. All the tools mentioned have landed me bounties in the past.

1. Waybackurls

This tool, created by TomNomNom, fetches all the URLs of a domain in the Wayback Machine. Whilst this tool is not exactly new, a lot of hackers do not make the best use of it.

The methodology I will suggest is:

  1. Use waybackurls to fetch all URLs for a target
  2. grep the output file for parameters or paths that are commonly vulnerable (example: “redirect=”, “url=”, etc.)
  3. Manually test the results

This way, you will become more time efficient and score more bugs.
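
As an added example (not the author's code and not part of waybackurls), this Python filter does step 2 more precisely than a substring grep: it parses each query string, matches only real parameter names, and keeps one sample URL per host, path and parameter. The function name `triage`, the parameter set (taken from the article's two examples) and the sample URLs are assumptions constructed for illustration; it covers parameters only, not paths.

```python
import sys
from urllib.parse import urlsplit, parse_qsl

# Parameter names from the article's examples ("redirect=", "url=").
# This set is an assumption for illustration, not a standard list.
INTERESTING_PARAMS = {"redirect", "url"}


def triage(urls, params=INTERESTING_PARAMS):
    """Return one representative URL per (host, path, parameter) combination.

    Archived URL lists repeat the same endpoint many times with different
    values; one sample per combination keeps the manual testing queue short.
    """
    seen = {}
    for raw in urls:
        raw = raw.strip()
        if not raw:
            continue
        try:
            parts = urlsplit(raw)
        except ValueError:
            continue  # malformed entries do occur in archive data
        # keep_blank_values so "?url=" with an empty value is still reported
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in params:
                key = (parts.netloc.lower(), parts.path, name.lower())
                seen.setdefault(key, raw)  # first URL seen is the sample
    return seen


# Constructed sample input standing in for waybackurls output.
SAMPLE = """\
https://example.com/login?redirect=/home
https://example.com/login?redirect=/account&lang=en
https://EXAMPLE.com/login?Redirect=%2Fcart
https://example.com/fetch?url=
https://example.com/blog/redirect=notes.html
https://example.com/search?q=shoes
"""

if __name__ == "__main__":
    # Pass the waybackurls output file as the first argument, or run
    # without arguments to see the constructed sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for (host, path, param), sample in sorted(triage(source).items()):
        print(f"{host}{path}\t{param}\t{sample}")
```

On the sample, the `/blog/redirect=notes.html` path, which a plain `grep "redirect="` would match, is dropped, and the three `/login` variants collapse to a single entry.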

2. BreachCollection

On breachcollection.com you can search for leaked credentials for your target. If your program allows it, you can try to log in with them, and if they are correct, you should report them.

Here’s how to do it:

1. Register or Log in on BreachCollection.com

2. Make a query for your target. If you make a “Domain” query, you will receive all breached credentials that log you in on the target’s website.

3. If you make an “Email Domain” query, you will receive passwords whose corresponding email is associated with the target (for example, for “example.com”, you will receive all the results containing emails ending with “@example.com”).

4. Test these credentials, if you have permission to do so.

Results page example for an “Email domain” query

For Bug Bounty, credentials that give access to admin panels, or employees’ credentials, are the ones I recommend reporting the most. Some programs might not be very interested in user credentials (even though I have had luck reporting those in the past).

Note: You should not perform these attacks on targets that do not allow Credential Spoofing Attacks, so be mindful of the Out of Scope rules.

BreachCollection earns my recommendation because it offers a very complete database at a very affordable price when compared to other alternatives.

You can register and use it for free. Results will be censored, but that is good enough for you to have an idea of the size of the database.

3. Crt.sh

crt.sh is a Certificate Transparency Log Search Engine. It lets you search for SSL/TLS certificates issued for any domain, revealing subdomains, related domains, and more.

You can leverage this tool to discover more subdomains on a target, helping you navigate through attack surface that many other hunters missed.

You can combine this website with a tool like HTTPX to retrieve all responding subdomains, eliminating dead entries.

Hope these tools help you. You can leave more suggestions in the comments!


Article source: https://infosecwriteups.com/top-3-tools-for-bug-bounty-pentesting-2025-c8f8373b3e82?source=rss----7b722bfd1b8d--bug_bounty