Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week. This issue covers the week from 18 to 25 January.
Our favorite 5 hacking items
1. Article of the week
A More Advanced Recon Automation #1 (Subdomains)
If you want to automate some of your recon tasks but don’t know where to start, this is an excellent beginning.
A recon workflow chart is given as an example. This is the first article of a series. It explains how to automate subdomain enumeration using a Bash script, and includes commands, tools and tips such as how to check for wildcard resolution (i.e. how to weed out false positive subdomains that only resolve because the zone has a wildcard record).
Looking forward to the sequel(s)!
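As an added illustration of the wildcard check the article recommends (this is not the article's script and not code from the newsletter), here is the logic in Python rather than Bash so it can be exercised offline. It generalizes the check slightly: wildcards are probed per parent label, because a zone can have `*.dev.example.com` without having `*.example.com`. The resolver is injected as a function; `fake_resolve` and its zone data are constructed for this example and use documentation address ranges, while `system_resolve` is the hook to use against real DNS.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the set of IPs it answers with; empty means NXDOMAIN.
Resolver = Callable[[str], Set[str]]


def system_resolve(name: str) -> Set[str]:
    """Real resolver for live use (not called by the offline test below)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def detect_wildcard(parent: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few long random labels under `parent`. Nobody registers
    names like these, so if they resolve the zone has a wildcard record.
    Several probes are unioned because a wildcard may round-robin across IPs.
    Returns the wildcard's IPs, or an empty set when there is no wildcard."""
    alphabet = string.ascii_lowercase + string.digits
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=20))
        ips = resolve(f"{label}.{parent}")
        if not ips:
            return set()  # one NXDOMAIN is enough: no wildcard at this level
        wildcard_ips |= ips
    return wildcard_ips


def filter_candidates(domain: str, candidates: Iterable[str], resolve: Resolver) -> List[str]:
    """Keep only candidate subdomains that resolve to something other than
    their parent's wildcard answer. A name whose IPs are a subset of the
    wildcard IPs is treated as a false positive."""
    wildcard_cache: Dict[str, Set[str]] = {}
    live: List[str] = []
    for name in sorted(set(candidates)):
        if not name.endswith("." + domain):
            continue  # out of scope for this target
        ips = resolve(name)
        if not ips:
            continue  # does not resolve at all
        parent = name.split(".", 1)[1]
        if parent not in wildcard_cache:
            wildcard_cache[parent] = detect_wildcard(parent, resolve)
        if wildcard_cache[parent] and ips <= wildcard_cache[parent]:
            continue  # only the wildcard answer: drop it
        live.append(name)
    return live


# --- constructed zone data for an offline run (not real hosts) ---------------
FAKE_ZONE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "api.dev.example.com": {"198.51.100.5"},  # explicit record under the wildcard zone
}
FAKE_WILDCARDS: Dict[str, Set[str]] = {
    "dev.example.com": {"198.51.100.9"},      # models a *.dev.example.com record
}


def fake_resolve(name: str) -> Set[str]:
    """Resolver over the constructed data: explicit records win, then wildcards."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    for parent, ips in FAKE_WILDCARDS.items():
        if name.endswith("." + parent):
            return set(ips)
    return set()


CANDIDATES = [
    "www.example.com", "mail.example.com", "nope.example.com",
    "ghost.dev.example.com", "api.dev.example.com",
]

if __name__ == "__main__":
    print(filter_candidates("example.com", CANDIDATES, fake_resolve))
```

Against real DNS, swap `fake_resolve` for `system_resolve` (or a `dnspython` query if you want a specific resolver). One caveat the filter cannot fix: a real host that genuinely shares the wildcard's IP (everything behind one load balancer) is indistinguishable from the wildcard by resolution alone, so follow up with an HTTP probe that compares responses rather than trusting DNS on its own.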
2. Writeup of the week
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)
Logic vulnerabilities are my favorite. This one is an authentication flaw found on big sites like Google, Microsoft, Instagram, Cloudflare & many more.
Ironically, it abuses 2FA. The first thing that Luke Berner noticed is that if you request a 2FA code and then change your password, the 2FA code remains valid for 20 minutes. And you can keep it valid for longer by waiting indefinitely on the 2FA input page.
From there he derived this attack scenario:
- The attacker compromises someone's account, enables 2FA, requests a 2FA code, stays on the 2FA page, then disables 2FA
- The victim changes their password to regain control of the account
- The attacker is still able to access the account using the 2FA code, even without knowing the victim's new password!
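To make the logic flaw concrete, here is an added Python model of a two-step login (not code from the write-up or from any of the affected sites). The pending 2FA challenge is the only thing checked in step two, so whether a password change revokes it depends entirely on what the password-change handler does. With `hardened=False` the handler only rewrites the password, reproducing the persistence described above; with `hardened=True` every credential or security-setting change bumps a version number, drops the pending challenge and clears sessions, so the attacker's code is refused. The "stay on the page to extend the lifetime" trick is not modelled; codes simply expire after the 20 minutes the write-up reports.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets

CODE_TTL = 20 * 60  # seconds; the write-up reports codes staying valid for 20 minutes


@dataclass
class Challenge:
    code: str
    expires_at: float
    credential_version: int  # account version at the time the code was issued


@dataclass
class Account:
    password: str  # kept in the clear only to keep the model short
    twofa_enabled: bool = False
    credential_version: int = 0
    pending: Optional[Challenge] = None
    sessions: List[str] = field(default_factory=list)


def _new_session(acct: Account) -> str:
    token = secrets.token_hex(16)
    acct.sessions.append(token)
    return token


def _revoke_everything(acct: Account) -> None:
    """Hardened behaviour: anything issued under the old credentials dies."""
    acct.credential_version += 1
    acct.pending = None
    acct.sessions.clear()


def begin_login(acct: Account, password: str, now: float) -> Optional[Tuple[str, str]]:
    """Step 1. Returns ("session", token) when no second factor is needed,
    ("challenge", code) when a 2FA code was issued, None on a bad password."""
    if not secrets.compare_digest(acct.password, password):
        return None
    if not acct.twofa_enabled:
        return "session", _new_session(acct)
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = Challenge(code, now + CODE_TTL, acct.credential_version)
    return "challenge", code


def complete_login(acct: Account, code: str, now: float) -> Optional[str]:
    """Step 2: exchange the pending code for a session. The password is not
    re-checked here, which is exactly why the pending challenge must be
    revoked when the password changes."""
    ch = acct.pending
    if ch is None or now > ch.expires_at:
        return None
    if ch.credential_version != acct.credential_version:
        acct.pending = None  # issued under old credentials: refuse it
        return None
    if not secrets.compare_digest(ch.code, code):
        return None
    acct.pending = None
    return _new_session(acct)


def change_password(acct: Account, new_password: str, hardened: bool) -> None:
    acct.password = new_password
    if hardened:
        _revoke_everything(acct)  # the missing step in the vulnerable sites


def set_twofa(acct: Account, enabled: bool, hardened: bool) -> None:
    acct.twofa_enabled = enabled
    if hardened:
        _revoke_everything(acct)  # toggling a security setting is a credential change too


def password_change_alone(hardened: bool) -> bool:
    """Isolates the core defect: attacker holds a pending code, victim changes
    the password. Returns True if the old code still yields a session."""
    acct = Account(password="leaked-pw", twofa_enabled=True)  # constructed sample
    _, code = begin_login(acct, "leaked-pw", now=0.0)
    change_password(acct, "victim-new-pw", hardened)
    assert begin_login(acct, "leaked-pw", now=60.0) is None  # old password is dead
    return complete_login(acct, code, now=60.0) is not None


def full_scenario(hardened: bool) -> bool:
    """The write-up's sequence: enable 2FA, request a code, disable 2FA,
    victim changes password, attacker submits the code."""
    acct = Account(password="leaked-pw")  # constructed sample account
    set_twofa(acct, True, hardened)
    _, code = begin_login(acct, "leaked-pw", now=0.0)
    set_twofa(acct, False, hardened)  # hide the 2FA prompt from the victim
    change_password(acct, "victim-new-pw", hardened)
    return complete_login(acct, code, now=120.0) is not None


def code_expires() -> bool:
    """Even the vulnerable flow refuses the code once the 20 minutes are up."""
    acct = Account(password="leaked-pw", twofa_enabled=True)
    _, code = begin_login(acct, "leaked-pw", now=0.0)
    return complete_login(acct, code, now=CODE_TTL + 1) is None


if __name__ == "__main__":
    print("vulnerable:", full_scenario(hardened=False), "hardened:", full_scenario(hardened=True))
```

The practitioner's check when testing a target: request a 2FA code, change the password (or rotate any other credential) from a second session, then submit the old code and see whether a session comes back. The defensive rule that falls out of the model is that a password change should invalidate every artefact issued under the old password: pending second-factor challenges, password-reset tokens and existing sessions alike.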
3. Tool of the week
Turbo Intruder: Burp extension link
Turbo Intruder: Embracing the billion-request attack: Article & Video
Debug.py: Example script to help debug/diagnose issues with Turbo Intruder failing to connect
Turbo Intruder is a new Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. Here are some things to know about it:
- It’s open source.
- It is extremely fast because it is built on a custom HTTP stack.
- Despite its speed, it has a low risk of causing a Denial of Service on the target server. According to @albinowax, “it’s certainly possible but the low number of concurrent connections helps avoid this – it tends to just run slowly on struggling websites rather than overwhelming them.”
- It doesn’t need Burp Suite to run, you can launch it from the command line.
- It can be used for file/directory bruteforce, detecting race conditions or any other attack that requires more speed, duration or complexity than Burp Intruder offers.
4. Conference of the week
LevelUp 0x03 2019
– Bad API, hAPI Hackers!
– AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs
Yes! It’s that time of the year again. A new LevelUp conference with so many good talks on Web app security, social engineering, API, IoT and mobile security, plus some non technical talks.
A must, especially for bug hunters!
5. Tutorial of the week
How to add a module to Metasploit from Exploit-DB
Have you ever found an Exploit-DB exploit that you wanted to test and didn’t know how to do so? One very easy and quick way to use these exploits is to add them to Metasploit and use them as any other Metasploit module.
This isn’t a new trick but it might be very helpful if you’re starting out in penetration testing. I remember when I discovered this, it was mind-boggling.
Other amazing things we stumbled upon this week
Medium to advanced
Pentest & Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Objection: Runtime mobile exploration toolkit, powered by Frida
More tools, if you have time
- bXSSRequest: Literally spray blind XSS payloads everywhere. “A tool that would spray payloads at a list of urls or endpoints in request headers”
- Electronegativity: A tool to identify misconfigurations and security anti-patterns in Electron applications
- Htcap: A web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes
- Malice: VirusTotal wannabe. “A free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company”
- Passcreator: Create your own wordlist or password list
- Nmap for Go: Idiomatic nmap bindings for go developers
- SSHReverseShell: Full TTY reverse shell over SSH. “tool to automatically drop you into a full TTY shell and implemented secure file transfer over SSH”
- Tiny SHell: SSH-like backdoor with full-pty terminal
- sshtranger_things.py: SSHtranger Things Exploit POC
Misc. pentest & bug bounty resources
- WebSploit: All-in-one Kali VM including DVWA, Mutillidae, Hackazon, WebGoat, Juice-shop & Mutillidae 2
- SQLi Platform: Training for SQL injections
Bug bounty news
At the end of February we are going to announce the first bug bounty of the MoD. Ethical hackers were recruited in the cyber operational research [department] and they’re going to track down the faults of our system
Breaches & Vulnerabilities
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/18/2019 to 01/25/2019.