Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 25 of January to 01 of February.
Our favorite 5 hacking items
1. Conference of the week
BSides Leeds 2019, especially:
– Confessions Of A Bug Bounty Triager & Slides
– So You Want To Be A Pentester?
– Hacking Companies For Internet Glory While Not Dying In A Sarlacc Pit
– A Pentester’s Guide To Left Shifting Security
These are four very interesting talks. They’re respectively about:
- Questions & tips from a bug bounty triager for both bug hunters & companies/triagers;
- Advice for anyone looking for a pentester job from the CEO of a pentesting company;
- Differences between bug bounty & pentesting;
- Ideas from a pentester on how to integrate pentesting into the development process. Automating some tests helps detect vulnerabilities early in the development lifecycle.
2. Writeup of the week
Guest blog: Eray Mitrani – Hacking isn’t an exact science
This is a great writeup on a simple bug that affects some misconfigured Jira instances.
When a new dashboard or shared filters are being set up, they can become inadvertently accessible without authentication if permissions are set to “everyone”. You can test, for instance, if the status endpoint is accessible by trying /status/, then if it doesn’t work try /status/..;/.
What I love about this writeup is how @ErayMitrani explains two fundamentals processes for bug hunters:
- How to apply someone else’s research to find new bugs on bug bounty programs even if you don’t understand the bug 100%;
- How organizing his bug hunting notes allows him to go back and look for new bugs in programs he tested previously.
3. Tutorial of the week
SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3, Part 2 & Part 1
This is a great series of blog posts on SSRF. It’s very practical and explains the types of SSRF bugs, how to exploit them, how to bypass filters, and example of vulnerable sites.
FIY, some of the vulnerable sites were found with Shodan. These bugs were probably not disclosed to the sites’ owners which I think is illegal. So please do not exploit them.
4. Challenge of the week
DomGoat Client XSS exercises
DOM XSS can be harder to detect and exploit than traditional XSS. This is because everything happens client-side. The payload isn’t sent to the server and reflected back in the response. So the best way to detect them is reviewing code and most tools aren’t that good at it (at least not as good as manual code analysis).
This challenge can help you understand sources and sinks usually involved in the exploitation of DOM XSS bugs. There are 10 exercises with the vulnerable code highlighted.
5. Non technical item of the week
Tips on how to live with imposter syndrome
A lot of hackers suffer from imposter syndrome, me included. I think it’s because the more we learn, the more we know we don’t know. We also have to be both versatile and specialists, which is hard because infosec/hacking has so many different vast subcategories.
If you get imposter syndrome too, then I recommend this article. It offers advice and practical tips to manage it and don’t let it hold you back.
Other amazing things we stumbled upon this week
Medium to advanced
Pentest & Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
More tools, if you have time
- Sn0int: Semi-automatic OSINT framework and package manager
- Open-source vulnerability assessment tool: The officially recommended open-source scan tool for Java applications at SAP. Analyses Java & Python apps for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy
- Beemka: Basic Electron Exploitation
- Aztarna: A footprinting tool to find vulnerable robots on the Internet
- Adapt: A tool that performs automated Penetration Testing for WebApps
- Pown Recon: A powerful target reconnaissance framework powered by graph theory
- XSS Chef: A web app (inspired by CyberChef) to help people create custom XSS Payloads when on pentests, rather than having to keep referring back to old scripts from past tests
- XLESS: The Serverless Blind XSS App
- Buildscript: Wrapper around Nmap & NSE scripts
- Blackbuntu Linux: Pentest distribution based on Ubuntu
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Vulnerabilities
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/25/2019 to 02/01/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.