Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 to 29 of March.
Our favorite 5 hacking items
1. Tip of the week
Bugbounty scope expanding
This paste presents a set of recon steps to expand your bug bounty scope. All of them are well known and documented in most articles on recon, except one which I haven’t seen anywhere before:
Once you have a first list of subdomains (using scraping or bruteforce), split them up to build a new list of subdomains to test for.
For example, let’s say you first found:
The new subdomains to try are:
It’s a simple idea but might allow you to find new “hidden” subdomains. It is very similar to what Altdns does, but I’m not sure splitting up subdomains like this is included in this tool.
2. Writeup of the week
IDOR on Yahoo ($5,000)
Wow, $5,000 for such a simple bug! But the difficulty was thinking about this test…
@JohnH4X00R saw a GET request to /ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items.
The part in bold was obviously encrypted and he had the feeling that it was his username. So, get this, he replaced it with his unencrypted username (/ws/v3/users/yahoo-username/items) and got a successful response containing his own notes.
Then, he replayed the same request and replaced his plain username with another account’s username, and also got a successful response with the other account’s notes.
This is a classic IDOR, but the genius of this bug was in completely bypassing encryption by replacing the encrypted string with its plain value.
3. Tool of the week
CommandoVM & Introduction
Finally a Windows-based distribution for pentesters! This is the equivalent of Kali Linux for Windows users. It includes many tools (more than 140) for all kinds of tests.
This will be handy if you prefer Windows or if, for some reason, you have to use Windows for a pentest. It happened to me on one or two missions: we had to use a Windows VPN client to remotely access the client’s internal network. And I didn’t have the time to install all tools and prepare a proper Windows attacking environment. This VM would have been really helpful!
4. Slides of the week
How to win big – Several Interesting Examples of Exploiting Financial & Gambling Apps
I would love to see the recording of this OWASP talk! But the slides by themselves are self-explanatory and provide some ideas for testing financial apps and games.
These are examples of how to abuse an app’s logic flow and play with parameters to bypass or manipulate payment, always win against a slot machine, etc.
5. Tutorial of the week
Abusing CORS (Improper Origin Validation)
This is an excellent tutorial if you want to learn about exploiting CORS.
Four pratical examples are given to understand what to do when access is granted to: any domain, the subdomain, the scheme, or when the “null” origin is used.
Also included are: external references, steps for exploiting each scenario, an exploitation payload, and how to set up a MiTM environment to exploit an unvalidated origin scheme.
Other amazing things we stumbled upon this week
- Security Now 707: Tesla, Pwned
- Absolute AppSec Episode #52 – Serialization Vulns, Career Growth, and Hacking your Happiness with Chris Gates / @carnal0wnage
- 7MS #354: Tales of Internal Pentest Pwnage – Part 2
- 7MS #355: Mousejacking!
- The Many Hats Club Ep. 36, Scared already? You ain’t heard nothing yet (with Thugcrowd)
- The Many Hats Club Ep. 37, Snow in Summer and being a Social Engineer (with Snow)
- Building a Community of Hackers with Ted Kramer
- Ep. #18, Collaborative Security with HackerOne’s Marten Mickos
- Application Security Podcast: Georgia Weidman — Mobile, IoT, and Pen Testing
- Smashing Security 121: Hijacked motel rooms, ASUS PCs, and leaky apps
- Sophos Podcast Ep. 025 – Business Email Compromise and IoT surprises
- Paul’s Security Weekly #599 – OceanLotus, Russia, & Google
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- HTTP Request Translator: Translate curl commands or HTTP/Json requests to Python Requests code or JSON
- Find Security Bugs: The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Groovy and Scala projects
- SSRFTest: Tool by @daeken to greatly simplify exploitation of SSRF bugs, including automatic AWS credential pulling where possible + Some open issues if you want to contribute to this open source project
- Shodan Monitor: Setup network alerts for specific networks or IPs & get a notification when something new shows up
More tools, if you have time
- Black Hat Asia 2019 – Arsenal, including:
- Mallet: A framework for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic
- Real time scrapper (RTS): A tool developed to scrap all pasties,github,reddit..etc in real time to identify occurrence of search terms configured & send email notifications
- MQTT-PWN: Framework for IoT pentesting (specifically attacking/exploiting the MQTT protocol
- Nmp-scan: An extensible, heuristic-based vulnerability scanning tool for installed npm packages (to detect malicious code
- Shodmon: Monitor shodan listed servers based on the filter you provided & get email notifications when something new pops up. Useful if you want to monitor more resources than what Shodan Monitor (mentioned above) allows
- Instantbox: Get a clean, ready-to-go Linux box in seconds
- WordPress (<4.9.10, <5.0.4, <5.1.1) CSRF PoCs
- Gofuzz: Aims to reproduce wfuzz’s functionality and versatility. Based on gobuster
- Linux Exploit Suggester 2: Next-Generation Linux Kernel Exploit Suggester
- Dnssecchef: A DNS/DNSSEC interception proxy for penetration testers and security researchers (based on DNSChef
- Knary: A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support
- Automated-pentest: Minimal docker container of Parrot OS for running an automated scan & pentest report
- Get-AdDecodedPassword.psm1: a basic PowerShell script for decoding common passwords stored in Active Directory properties. It’s based on information found on Domain Goodness – How I Learned to LOVE AD Explorer
- BloodHound-Tools: Miscellaneous tools for BloodHound
Misc. pentest & bug bounty resources
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/22/2019 to 03/29/2019.