Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week of 8 to 15 March 2019.
Our favorite 5 hacking items
1. Conference of the week
OWASP AppSec California 2019, especially:
– An Attacker’s View of Serverless and GraphQL Apps & Slides
– Endpoint Finder: A static analysis tool to find web endpoints, Slides & EndpointFinder
– Pose a Threat: How Perceptual Analysis Helps Bug Hunters & Slides
– Creating Accessible Security Testing with ZAP & Slides
– Cache Me If You Can: Messing with Web Caching & Slides
– Automated Account Takeover: The Rise of Single Request Attacks & Slides
– Open-source OWASP tools to aid in penetration testing coverage & Slides
– The Call is Coming From Inside the House: Lessons in Securing Internal Apps & Slides
OWASP AppSec conferences are great for anyone interested in (both offensive and defensive) Web app security. This one is particularly good, as you can judge from the list of talks above that I’m planning to watch!
Some of the topics addressed are: extracting endpoints from JS files, FaaS & GraphQL security, Web Caching vulnerabilities, scaling visual identification for bug hunters, new features in ZAP, interesting OWASP tools for white box pentesting…
The only thing missing is the video/slides from workshops which look really interesting. Gonna have to go there myself some day!
2. Article of the week
Exploiting CVE-2018-1335: Command Injection in Apache Tika
Have you ever found an open port on a target, and the service’s version had a CVE but no public exploit? This happens a lot, especially on (internal) pentests, where the number of open ports is generally higher than on bug bounty targets.
This article is a great example of how to reverse engineer the patched version and locate the vulnerability – a command injection leading to RCE in this case – by diffing the vulnerable and fixed releases (with diff or rcdiff).
3. Tool of the week
Sublert & Introduction
This is a new recon tool by @yassineaboukir who also wrote Asnlookup. They’re both very handy tools for bug hunters.
Sublert monitors Certificate Transparency (CT) logs and notifies you via Slack when a new SSL/TLS certificate is issued for a domain of the organization you’re monitoring.
What’s new compared to existing CT monitoring tools like Facebook’s CT tool or CertSpotter is that it was created by a bug hunter for bug hunters. It won’t spam you with irrelevant results, you can enable DNS resolution, disable monitoring for specific domains, and since it’s in Python, you can integrate it with any bug hunting (automated) scripts you are already using.
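To make the workflow concrete, here is the core loop of a CT-log monitor written the way a bug hunter would script it: parse a crt.sh-style JSON response, reduce wildcards and case, keep only in-scope names, diff against what the last run saw, and build a Slack webhook body. This is an added example and not Sublert’s own code; the four certificate records are constructed, and the webhook posting and DNS resolution are the only parts that need network access.

```python
import json
import socket
from typing import Dict, List, Set

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (one object per certificate;
# "name_value" is the newline-separated list of SAN entries). These records
# are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\napi.example.com"},
    {"id": 2, "name_value": "*.example.com\nexample.com"},
    {"id": 3, "name_value": "Staging.Example.com"},
    {"id": 4, "name_value": "example.com.lookalike.test"},   # out of scope
])


def extract_hostnames(crtsh_json: str, domain: str,
                      ignore: Set[str] = frozenset()) -> Set[str]:
    """Pull the in-scope hostnames out of a crt.sh JSON response.

    Wildcards are reduced to their base ("*.example.com" -> "example.com"),
    names are lower-cased, anything not under `domain` is dropped, and names
    listed in `ignore` are skipped (the "stop monitoring this domain" knob).
    """
    names: Set[str] = set()
    for entry in json.loads(crtsh_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            in_scope = name == domain or name.endswith("." + domain)
            if in_scope and name not in ignore:
                names.add(name)
    return names


def new_hostnames(current: Set[str], previously_seen: Set[str]) -> List[str]:
    """The diff a CT monitor alerts on: names seen now but not on the last run."""
    return sorted(current - previously_seen)


def resolves(host: str) -> bool:
    """Optional DNS resolution step; only meaningful with network access."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def slack_message(domain: str, fresh: List[str], resolve: bool = False) -> Dict[str, str]:
    """Body for a Slack incoming webhook (POST this JSON to the webhook URL)."""
    lines = []
    for host in fresh:
        note = ""
        if resolve:
            note = " (resolves)" if resolves(host) else " (no A record)"
        lines.append(f"- {host}{note}")
    return {"text": f"New certificates logged for {domain}:\n" + "\n".join(lines)}


def run_once(crtsh_json: str, domain: str, seen: Set[str]) -> List[str]:
    """One monitoring cycle: parse, diff against stored state, return what's new."""
    current = extract_hostnames(crtsh_json, domain)
    fresh = new_hostnames(current, seen)
    seen.update(current)   # persist this between runs (a file or small DB in practice)
    return fresh


if __name__ == "__main__":
    state = {"www.example.com", "example.com"}   # what the previous run saw
    fresh = run_once(SAMPLE_CRTSH_JSON, "example.com", state)
    print(json.dumps(slack_message("example.com", fresh), indent=2))
```

The scope check is the part worth getting right: matching on `"example.com" in name` would have kept `example.com.lookalike.test`, which is exactly the kind of irrelevant hit the newsletter complains about in other CT tools.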
4. Slides of the week
Pwning mobile apps without root or jailbreak
This is an awesome presentation if you’re into mobile app testing! It’s understandable even without the video.
The question answered is: how do you test the security of an app if for some reason you can’t use a rooted/jailbroken device?
This happens when the app refuses to run on a rooted device, or when it requires an iOS version that doesn’t have a public jailbreak.
The solutions explained, with commands and resources, are:
- For Android: modify the APK (enable backups, enable debugging), repackage the app, bypass certificate pinning manually by grepping the decompiled code, bypass root detection manually, or do the same with Frida
- For iOS: repackage the app or use Frida
- Use Objection (a wrapper around Frida)
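The Android "modify the APK" step boils down to editing the decoded manifest and then locating the pinning and root-check code before repackaging. The following is an added example, not code from the slides: it patches a constructed apktool-style AndroidManifest.xml to set android:debuggable and android:allowBackup, and applies the grep step to a constructed smali fragment. The apktool, apksigner and adb commands in the trailing comment are the assumed standard tooling, not something the slides are quoted for.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Pattern

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)   # keep the android: prefix on output

# Constructed, minimal AndroidManifest.xml in the form apktool writes it
# (`apktool d app.apk -o app_src` produces app_src/AndroidManifest.xml).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:allowBackup="false" android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed smali fragment standing in for what grep -rn finds under app_src/smali.
SAMPLE_SMALI = """.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    invoke-virtual {p0, p1}, Lcom/example/app/net/Pinner;->verifyPins([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :cond_ok
    new-instance v1, Ljava/security/cert/CertificateException;
.end method
.method public isRooted()Z
    const-string v0, "/system/xbin/su"
.end method
"""

# Strings that usually sit next to pinning and root-detection logic.
PINNING_PATTERNS = re.compile(r"checkServerTrusted|CertificatePinner|sha256/|TrustManager", re.I)
ROOT_PATTERNS = re.compile(r"/xbin/su|superuser|isRooted|test-keys|RootBeer", re.I)


def patch_manifest(manifest_xml: str) -> str:
    """Turn on debugging and backups on the <application> element."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element in manifest")
    app.set(f"{{{ANDROID_NS}}}debuggable", "true")    # lets you attach a debugger / run-as
    app.set(f"{{{ANDROID_NS}}}allowBackup", "true")   # lets `adb backup` pull app data
    return ET.tostring(root, encoding="unicode")


def manifest_flags(manifest_xml: str) -> Dict[str, str]:
    """Read back the two flags so the patch can be verified before rebuilding."""
    app = ET.fromstring(manifest_xml).find("application")
    return {flag: app.get(f"{{{ANDROID_NS}}}{flag}", "unset")
            for flag in ("debuggable", "allowBackup")}


def grep_hints(smali: str, pattern: Pattern[str]) -> List[str]:
    """The 'grep' step: lines worth reading before you flip a branch or NOP a call."""
    return [line.strip() for line in smali.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    patched = patch_manifest(SAMPLE_MANIFEST)
    print(manifest_flags(patched))
    print("pinning:", grep_hints(SAMPLE_SMALI, PINNING_PATTERNS))
    print("root:   ", grep_hints(SAMPLE_SMALI, ROOT_PATTERNS))
    # Assumed follow-on commands once app_src/AndroidManifest.xml is rewritten:
    #   apktool b app_src -o app_mod.apk
    #   apksigner sign --ks debug.keystore app_mod.apk
    #   adb install app_mod.apk && adb backup -f app.ab -noapk com.example.app
```

In the smali output, the `if-nez v0, :cond_ok` right after `verifyPins` is the branch you would invert (or the call you would short-circuit) to defeat pinning by hand; the Frida route hooks `checkServerTrusted` instead and leaves the APK untouched.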
5. Resource of the week
Bypassing XSS Detection Mechanisms
This is a great resource for learning how to bypass WAFs and filters for XSS, by the author of XSStrike & Photon.
I often see people sharing complex XSS payloads on Twitter. But without context, I don’t find them very useful. This paper is a much better resource for understanding what filters do and how to bypass them with a solid methodology, as opposed to randomly running a list of payloads.
The steps proposed are:
- Probing to determine the regex used
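The probing step is easier to see running than to read about. Below is an added example (not from the paper) that stands a constructed regex blocklist in for a WAF, sends it single-hypothesis probes (one tag, one spelling of an event handler, one URL scheme at a time), and assembles a candidate payload only from pieces the filter let through. The NAIVE_FILTER and STRICT_FILTER regexes are invented for the demonstration and are not any vendor’s rules.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for regex-based XSS filters. NAIVE_FILTER forgets that
# HTML allows whitespace around "="; STRICT_FILTER blocks every tag outright.
NAIVE_FILTER = re.compile(r"<script|on\w+=|javascript:", re.IGNORECASE)
STRICT_FILTER = re.compile(r"<\w+|on\w+\s*=|javascript:", re.IGNORECASE)


def naive_waf_blocks(payload: str) -> bool:
    return NAIVE_FILTER.search(payload) is not None


def strict_waf_blocks(payload: str) -> bool:
    return STRICT_FILTER.search(payload) is not None


# Each probe tests exactly one hypothesis about the regex, so a block/allow
# answer tells you something specific. Order matters: the first allowed entry
# of each list is what the payload builder uses.
TAG_PROBES = ["<script", "<svg", "<img", "<details"]
HANDLER_PROBES = ["onload=", "ONLOAD=", "onload =", "onload\n="]
SCHEME_PROBES = ["javascript:", "JaVaScRiPt:"]


def probe(filter_fn: Callable[[str], bool], probes: List[str]) -> Dict[str, bool]:
    """Send each probe on its own; map probe -> was it blocked?"""
    return {p: filter_fn(p) for p in probes}


def first_allowed(results: Dict[str, bool]) -> Optional[str]:
    for p, blocked in results.items():
        if not blocked:
            return p
    return None


def suggest_payload(filter_fn: Callable[[str], bool]) -> Optional[str]:
    """Combine the first unblocked tag with the first unblocked handler spelling.

    "<svg onload =alert(1)>" is valid HTML (whitespace before "=" is allowed in
    attributes), so a regex that only matches "on\\w+=" lets it through.
    """
    tag = first_allowed(probe(filter_fn, TAG_PROBES))
    handler = first_allowed(probe(filter_fn, HANDLER_PROBES))
    if tag is None or handler is None:
        return None
    payload = f"{tag} {handler}alert(1)>"
    return payload if not filter_fn(payload) else None


def report(filter_fn: Callable[[str], bool]) -> Dict[str, Dict[str, bool]]:
    """What a probing run learns about the filter, grouped by hypothesis."""
    return {
        "tags": probe(filter_fn, TAG_PROBES),
        "handlers": probe(filter_fn, HANDLER_PROBES),
        "schemes": probe(filter_fn, SCHEME_PROBES),
    }


if __name__ == "__main__":
    for name, fn in (("naive", naive_waf_blocks), ("strict", strict_waf_blocks)):
        print(name, report(fn))
        print(name, "suggested payload:", suggest_payload(fn))
```

Against the naive filter the probes show that tags other than script are allowed and that the handler regex is anchored to an immediate "=", which is enough to derive a working payload without guessing; against the strict filter every tag probe comes back blocked and the builder correctly reports that this family of payloads has no bypass, which is the signal to move on to a different hypothesis rather than to a longer payload list.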
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Stepper: A natural evolution of the Repeater tool for Burp Suite! Create sequences of requests to simplify testing of multi-stage endpoints, and create regular expressions to define variables for use in later steps.
More tools, if you have time
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Vulnerabilities
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/08/2019 to 03/15/2019.