Bug Bounty Beginner's Roadmap
Author: Sec-Labs | Published:
Please don't hesitate to contribute to this repo!
Project address
https://github.com/bittentech/Bug-Bounty-Beginner-Roadmap
Bug Bounty Beginner Roadmap
Hi! I'm Ansh Bhawnani. I'm currently a security engineer and a part-time content creator. I created this repository so that everyone can contribute to it, to guide young and enthusiastic people who are starting their career in bug bounties. More content will be added regularly. Stay tuned. So, let's get started!
Note: Over the past few years the bug bounty landscape has changed. Issues that we could easily find a year ago are no longer easy to find today. Automation is being used heavily, and most of the "low-hanging fruit" ends up as a duplicate if you are not lucky. If you want to start doing bug bounties, you must be determined, persistent and focused, because the competition is very intense.
Introduction
What is a bug?
A security bug or vulnerability is "a weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact on confidentiality, integrity, or availability."
What is a bug bounty?
A bug bounty or bug bounty program is IT jargon for a reward or bounty program offered for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and to get more interaction from end users or customers. Companies that run bug bounty programs may receive hundreds of bug reports, including security bugs and security vulnerabilities, and many of the people who report those bugs are rewarded.
What are the rewards?
There are various types of rewards, depending on the severity of the issue and the cost of fixing it. They range from real money (the most common) to premium subscriptions (Prime/Netflix), discount coupons (for e-commerce shopping sites), gift vouchers and swag (clothing, badges, custom stationery, etc.). The amount may range from $50 to $50,000, or even more.
What to learn?
- Technical
- Computer fundamentals
- https://www.comptia.org/training/by-certification/a
- https://www.youtube.com/watch?v=tIfRDPekybU
- https://www.tutorialspoint.com/computer_fundamentals/index.htm
- https://onlinecourses.swayam2.ac.in/cec19_cs06/preview
- https://www.udemy.com/course/complete-computer-basics-course/
- https://www.coursera.org/courses?query=computer%20fundamentals
- Computer networking
- https://www.youtube.com/watch?v=0AcpUwnc12E&list=PLkW9FMxqUvyZaSQNQslneeODER3bJCb2K
- https://www.youtube.com/watch?v=qiQR5rTSshw
- https://www.youtube.com/watch?v=L3ZzkOTDins
- https://www.udacity.com/course/computer-networking--ud436
- https://www.coursera.org/professional-certificates/google-it-support
- https://www.udemy.com/course/introduction-to-computer-networks/
- Operating systems
- https://www.youtube.com/watch?v=z2r-p7xc7c4
- https://www.youtube.com/watch?v=_tCY-c-sPZc
- https://www.coursera.org/learn/os-power-user
- https://www.udacity.com/course/introduction-to-operating-systems--ud923
- https://www.udemy.com/course/linux-command-line-volume1/
- https://www.youtube.com/watch?v=v_1zB2WNN14
- Command line
- Windows:
- Linux:
- https://www.youtube.com/watch?v=fid6nfvCz1I&list=PLRu7mEBdW7fDlf80vMmEJ4Vw9uf2Gbyc_
- https://www.youtube.com/watch?v=UVUd9_k9C6A
- https://www.youtube.com/watch?v=GtovwKDemnI
- https://www.youtube.com/watch?v=2PGnYjbYuUo
- https://www.youtube.com/watch?v=e7BufAVwDiM&t=418s
- https://www.youtube.com/watch?v=bYRfRGbqDIw&list=PLkPmSWtWNIyTQ1NX6MarpjHPkLUs3u1wG&index=4
- Programming
- C
- Python
- JavaScript
- PHP
- Computer fundamentals
Other
Where to learn from?
- Books
- Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
- Real World Bug Hunting: https://www.amazon.in/Real-World-Bug-Hunting-Field-Hacking-ebook/dp/B072SQZ2LG
- Bug Bounty Hunting Essentials: https://www.amazon.in/Bug-Bounty-Hunting-Essentials-Quick-paced-ebook/dp/B079RM344H
- Bug Bounty Bootcamp: https://www.amazon.in/Bug-Bounty-Bootcamp-Reporting-Vulnerabilities-ebook/dp/B08YK368Y3
- Hands on Bug Hunting: https://www.amazon.in/Hands-Bug-Hunting-Penetration-Testers-ebook/dp/B07DTF2VL6
- Hacker's Playbook 3: https://www.amazon.in/Hacker-Playbook-Practical-Penetration-Testing/dp/1980901759
- OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
- Web Hacking 101: https://www.pdfdrive.com/web-hacking-101-e26570613.html
- OWASP Mobile Testing Guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
- Writeups
- Medium: https://medium.com/analytics-vidhya/a-beginners-guide-to-cyber-security-3d0f7891c93a
- Infosec Writeups: https://infosecwriteups.com/?gi=3149891cc73d
- Hackerone Hacktivity: https://hackerone.com/hacktivity
- Google VRP Writeups: https://github.com/xdavidhu/awesome-google-vrp-writeups
- Blogs and Articles
- Hacking Articles: https://www.hackingarticles.in/
- Vickie Lo Blogs: https://vickieli.dev/
- Bugcrowd Blogs: https://www.bugcrowd.com/blog/
- Intigriti Blogs: https://blog.intigriti.com/
- Portswigger Blogs: https://portswigger.net/blog
- Forums
- Reddit: https://www.reddit.com/r/websecurity/
- Reddit: https://www.reddit.com/r/netsec/
- Bugcrowd Discord: https://discord.com/invite/TWr3Brs
- Official Websites
- OWASP: https://owasp.org/
- PortSwigger: https://portswigger.net/
- Cloudflare: https://www.cloudflare.com/
- YouTube Channels
- English
- Insider PHD: https://www.youtube.com/c/InsiderPhD
- Stok: https://www.youtube.com/c/STOKfredrik
- Bug Bounty Reports Explained: https://www.youtube.com/c/BugBountyReportsExplained
- Vickie Li: https://www.youtube.com/c/VickieLiDev
- Hacking Simplified: https://www.youtube.com/c/HackingSimplifiedAS
- Pwn function: https://www.youtube.com/c/PwnFunction
- Farah Hawa: https://www.youtube.com/c/FarahHawa
- XSSRat: https://www.youtube.com/c/TheXSSrat
- Zwink: https://www.youtube.com/channel/UCDl4jpAVAezUdzsDBDDTGsQ
- Live Overflow: https://www.youtube.com/c/LiveOverflow
- Hindi
- Spin The Hack: https://www.youtube.com/c/SpinTheHack
- Pratik Dabhi: https://www.youtube.com/c/impratikdabhi
PRACTICE! PRACTICE! and PRACTICE!
- CTF
- Hacker 101: https://www.hackerone.com/hackers/hacker101
- PicoCTF: https://picoctf.org/
- TryHackMe: https://tryhackme.com/ (premium/free)
- HackTheBox: https://www.hackthebox.com/ (premium)
- VulnHub: https://www.vulnhub.com/
- HackThisSite: https://hackthissite.org/
- CTFChallenge: https://ctfchallenge.co.uk/
- PentesterLab: https://pentesterlab.com/referral/olaL4k8btE8wqA (premium)
- Online Labs
- PortSwigger Web Security Academy: https://portswigger.net/web-security
- OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
- XSSGame: https://xss-game.appspot.com/
- BugBountyHunter: https://www.bugbountyhunter.com/ (premium)
- W3Challs: https://w3challs.com/
- Offline Labs
- DVWA: https://dvwa.co.uk/
- bWAPP: http://www.itsecgames.com/
- Metasploitable2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Bug Bounty Platforms
- Crowdsourcing
- Bugcrowd: https://www.bugcrowd.com/
- Hackerone: https://www.hackerone.com/
- Intigriti: https://www.intigriti.com/
- YesWeHack: https://www.yeswehack.com/
- OpenBugBounty: https://www.openbugbounty.org/
- Individual Programs
Tags: learning roadmap, study notes