Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 1 to 8 March.
Our favorite 5 hacking items
1. Tool of the week
Rescope & Introduction
Wow, I love this tool! Have you ever experienced the discomfort of adding several targets one by one, or of playing with regexes to configure your Burp scope? If yes, worry no more!
It is now possible to copy a bug bounty program’s scope from their page, paste it to a .txt file, and convert it to Burp scope using one command.
Rescope takes as input a file containing your target domains, subdomains, IPs, wildcard subdomains, etc., and outputs a JSON file that you can import in Burp to automagically configure your scope. In one shot, and no regex required.
Here’s an example input file:
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)
Out of Scope:
It can contain any text and descriptions; the tool extracts targets wherever they are. The only thing to remember is to put !EXCLUDE before listing your exclusions, because by default every target found is considered included.
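As an added illustration of the idea (this is not Rescope's own code), a small Python script that pulls targets out of free-text scope notes like the file above, honours a !EXCLUDE marker, expands a last-octet IP range and writes Burp-style scope JSON. The sample input is constructed, and the JSON layout and entry keys (enabled, host, protocol, file, port) are assumed from Burp's options export rather than taken from the page.

```python
import json
import re

# Constructed sample, modelled on the input file shown above (not from the tool's docs)
SAMPLE_SCOPE = """\
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)
Out of Scope:
!EXCLUDE
admin.dev.example.com must not be touched
"""

# Simplified extractor: (wildcard) domains, or IPv4 with an optional last-octet range
TARGET_RE = re.compile(r"(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}"
                       r"|\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3})?")

def expand(target):
    # Expand a last-octet range such as 192.168.0.1-2 into single hosts
    m = re.fullmatch(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})", target)
    return [f"{m[1]}{i}" for i in range(int(m[2]), int(m[3]) + 1)] if m else [target]

def host_regex(target):
    # Burp's advanced scope matches hosts by regex; anchor it so "example.com.evil" fails
    if target.startswith("*."):
        return r"^.*\." + re.escape(target[2:]) + "$"
    return "^" + re.escape(target) + "$"

def parse_scope(text):
    # Pull targets out of free text; everything after a !EXCLUDE line is an exclusion
    scope, bucket = {"include": [], "exclude": []}, "include"
    for line in text.splitlines():
        if line.strip() == "!EXCLUDE":
            bucket = "exclude"
            continue
        for m in TARGET_RE.finditer(line.lower()):
            scope[bucket].extend(expand(m.group(0)))
    return scope

def in_scope(scope, host):
    # Evaluate a host the way Burp does: an exclusion wins over any inclusion
    if any(re.match(host_regex(t), host) for t in scope["exclude"]):
        return False
    return any(re.match(host_regex(t), host) for t in scope["include"])

def to_burp_json(scope):
    # target.scope layout of a Burp options export (assumed layout, see lead-in)
    rules = {k: [{"enabled": True, "host": host_regex(t), "protocol": "any",
                  "file": "^/.*", "port": "^(80|443)$"} for t in v]
             for k, v in scope.items()}
    return json.dumps({"target": {"scope": {"advanced_mode": True, **rules}}}, indent=2)
```

Write the output of `to_burp_json(parse_scope(open("scope.txt").read()))` to a file and load it through Burp's project options import.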
2. Writeup of the week
Facebook Messenger server random memory exposure through corrupted GIF image ($10,000)
This is one weird bug in Facebook Messenger for Android: @vulnano uploaded a corrupted GIF file with a missing content body. The image displayed back contained data from previously used memory buffers. It was leaking data from memory! He noticed it because the image display had white noise, while it was supposed to be blank.
Also, when the images were uploaded with Facebook Messenger for Android, nothing happened. The weird images were only visible from the Facebook Web app.
Another takeaway is not to rely on tools without understanding what they do and how to do the same job yourself. @vulnano first generated corrupted images with Gifoeb, but they caused the app to crash. So he studied the GIF image format and generated his own images.
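As an added defensive illustration (not code from the writeup), a structural GIF check that a server-side image pipeline could run before decoding: it walks the block structure and rejects files whose image body, sub-block terminator or trailer is missing, or whose image descriptor points outside the logical screen. The 43-byte 1x1 reference GIF is constructed for the example.

```python
import struct

# Constructed 43-byte 1x1 GIF89a used as the well-formed reference input
GOOD_GIF = bytes.fromhex(
    "474946383961" "0100 0100 80 00 00" "000000 ffffff"   # header, screen descriptor, 2-colour table
    "21f904 01000000 00"                                  # graphic control extension
    "2c 0000 0000 0100 0100 00" "02" "02 4401" "00" "3b"  # image descriptor, LZW data, trailer
)

def skip_subblocks(data, pos):
    # Data sub-blocks: a length byte then payload, terminated by a zero-length block
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    return None  # ran off the end: the body is missing or truncated

def gif_is_complete(data):
    # True only if every block parses and a trailer follows at least one image
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    sw, sh, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)
    images = 0
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                    # trailer: the file is complete
            return images > 0
        if block == 0x21:                    # extension: label byte then sub-blocks
            pos = skip_subblocks(data, pos + 1)
        elif block == 0x2C:                  # image descriptor
            if pos + 9 > len(data):
                return False
            x, y, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            if x + w > sw or y + h > sh:     # image would lie outside the logical screen
                return False
            pos += 9 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0) + 1
            pos = skip_subblocks(data, pos)  # LZW min code size skipped above, then data
            images += 1
        else:
            return False                     # unknown block type
        if pos is None:
            return False
    return False                             # ran out of data before the trailer
```

A check like this does not replace a hardened decoder, but it cheaply rejects the truncated inputs the writeup describes before any pixel buffer is allocated.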
3. Tutorial of the week
Hacking Web Sockets: All Web Pentest Tools Welcomed
Web sockets testing is an area where dynamic testing tools are lacking. This tutorial introduces a great way to fill this gap.
It shows you how to use existing tools like SQLmap, Burp Pro active scanner or Commix to pentest Web sockets. This is done through a Web socket harness: a Python script which acts like a proxy between the Web socket and the tool you want to run against it. It receives HTTP traffic from the tool, transforms it into Web socket traffic and sends it to the socket. Then it does the opposite with the Web socket’s response.
This opens a whole new world for fuzzing and automated testing of Web sockets!
4. Non-technical item of the week
How to write a report
This is a great article on writing good quality bug bounty reports. Whether you have experience in bug reporting or not, I highly recommend going through the article and thinking of what could be improved in your reports.
It could help you gain more reputation points and avoid being asked for more details because the explanations weren’t detailed or clear enough.
On this same topic, also check out the bug bounty writeups below. Some of them (especially those by Jobert Abma) are good examples of really well written reports.
5. Slides/Workshop material of the week
Using Docker with Kubernetes for automating Application Security and OSINT workflows
Automating Application Security Bug Hunting: Improving coverage with better automation
Lately, I’ve been thinking about automation a lot. Using custom scripts to automate your recon is one thing, but automation Bounty Machine style is at a whole other level. It involves tools like Kubernetes, Docker, Argo and Golang (for speed).
That’s why I’m so excited about studying these two new resources:
The workshop material explains how to set up Docker with Kubernetes for automated testing. It includes source code and documentation in the form of a Gitbook.
And the slides introduce the framework Intrigue-core which has an interesting Web UI and API.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- WebTech & Introduction: Identify technologies used on websites
- Check.subs.sh: @Blurbdust’s script for enumerating subdomains & checking them for subdomain takeover
- Data-Over-DNS & Introduction: Tool for tunnelling data over DNS as part of a blind XSS attack
- SPAudit & Introduction: Chrome extension for scanning SPAs (Single Page Applications)
More tools, if you have time
- GitHub Wiki Auditor: Python script to check GitHub accounts for world-editable wiki pages
- Domainker: BugBounty helper tool, includes plugins to automate testing for CRLF, check if target is hosted on Amazon, and get host CNAME and response codes
- G-suite-check: Checks if a domain’s MX records point at G-suite
- Shr3dKit (https://github.com/shr3ddersec/Shr3dKit): Red Team Tool Kit
- Decker: Declarative penetration testing orchestration framework & Reddit discussion
- Sheepl: Creating realistic user behaviour for supporting tradecraft development within lab environments (useful for creating red team/blue team AD network environments)
- ShellCheck (https://github.com/koalaman/shellcheck): A static analysis tool for shell scripts
- Subzy (https://github.com/LukaSikic/subzy): Subdomain takeover tool which works by matching response fingerprints from can-i-take-over-xyz
- Subtake: Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer’s subjack
- Legion: Open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems
- CVE-2005-1794-check.py: Easy way to test for the RDP hard-coded RSA key MiTM vulnerability, without actually performing the MiTM
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Vulnerabilities
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/01/2019 to 03/08/2019.