Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 15 to 22 of March.
Our favorite 5 hacking items
1. Conference of the week
This is an awesome trick for any bug hunter who uses Chrome. You can create shortcuts to query sites like Shodan, VirusTotal, RiskIQ, etc.
For instance, you can type s google (for https://www.shodan.io/search?query=org%3Agoogle).
To do this, go to Settings in Chrome, then Manage search engines. Add a new one with s as the Keyword and https://www.shodan.io/search?query=org%3Agoogle as the URL.
2. Writeup of the week
[Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure ($7,500)
This is a very interesting bug found on GrabTaxi’s Android and iOS apps. It’s the equivalent of an open redirect on mobile apps: some deeplinks missing validation “direct users to load any attacker-controlled URL within a webview”.
In case you’re wondering, a deep linking is a URI that links to a specific location within a mobile app rather than simply launching the app (Wikipedia definition).
One of the vulnerable deeplinks looks like this: grab://open?screenType=HELPCENTER&page=https://s3.amazonaws.com/edited/page2.html
The URL https://s3.amazonaws.com/edited/page2.html
, created by the bug hunter, contains code that calls getGrabUser, a method defined within the app which returns sensitive information on the user.
So using the vulnerable deeplink, it is possible to execute attacker-controlled code that steals the victim’s sensitive information.
3. Article of the week
New XS-Leak techniques reveal fresh ways to expose user information
I’ve encountered many articles on XS-Search this last couple of weeks. If, like me, you’re just hearing about this type of attack, this article is an excellent introduction.
It explains what it is briefly and references different publications about it. It’s worth to dive into each one, since XS-Search is said to be the next XSS.
4. Tool of the week
This is a simple vueJS app which generates commands based on what you choose: For example, you enter a target, select a wordlist and a list of extensions, and the app generates a complete dirsearch command for you.
Tis is great for anyone who uses several tools with different options each time (like nmap, sqlmap, dirsearch, wfuzz, massdns…).
A visual command generator allows for more flexibility than creating multiple aliases for the same command with different options.
But the app is meant to be customized to add tools based on your own testing workflow.
5. Resource of the week
P64labs: 365 DAYS OF PWN
This is a site by the author of the #365DaysOfPWN Medium articles I’ve been sharing in the previous newsletters.
The site is more organized and is updated at least once a day. It’s an amazing resource for pentesters and red teamers (and for OSCP)!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- PowerHub: A web application to transfer PowerShell modules, executables, snippets and files while bypassing AV and application whitelisting
- Anubis: Subdomain enumeration and information gathering tool
- NPK, Introduction & demo: A mostly-serverless distributed hash cracking platform that provides unprecedented password cracking capabilities
More tools, if you have time
- Pastebin_scraper & Introduction: Automated tool to monitor Pastebin for interesting information like emails and passwords. Project created after Dumpmon went dark last October
- RapidRepoPull: The goal of this program is to quickly pull and install repos from its list
- Bug Hunter: Tools for Bug Hunting
- InjectMate.py: Burp Extension that generates payloads for XSS, SQLi, and Header injection vulns (for Burp Pro)
- InjectMateCommunity: same thing minus collaborator (for Burp Community)
- Pocsuite3 & PoCs: Open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team
- TrustMeAlready: Disable SSL verification and pinning on Android, system-wide
- APK Utilities](https://github.com/ViRb3/apk-utilities): Tools and scripts to manipulate Android APKs
- Hashboy-tool: A hash query tool
- Cloud Crack & Introduction: Crack passwords using Terraform and AWS
- AnsiblePlaybooks: A collection of Ansible Playbooks that configure Kali to use Fish & install a number of tools
- PoshNmap](https://github.com/justingrote/poshnmap): A Powershell Wrapper for Nmap
- Bettercap/hydra: Official Bettercap Web UI
- Kerbrute: A tool to perform Kerberos pre-auth bruteforcing. “A cross platform standalone binary for bruteforcing and enumerating AD users through Kerberos AS requests. Definitely the fastest way to brute force (or lockout 😉 a user in an AD domain”
- Cyberlens: Free ICS Asset Identification and Assessment tools for industrial cybersecurity
- Platypus: A modern multiple reverse shell sessions manager written in go
Misc. pentest & bug bounty resources
Bug bounty news
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/15/2019 to 03/22/2019.