Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 05 to 12 of April.
Better Exfiltration via HTML Injection, tl;dr by @fransrosen & sic (Sequential Import Chaining tool)
This is great example of how far collaboration can go for bug hunters, how to do research and invent a new attack.
André Baptista and Cache-Money found an HTML injection with clickjacking as the worst-case scenario.
The bug wasn’t an XSS because the target used DomPurify. But since DomPurify allows style tags by default, @donutptr started looked for a way to exfiltrate sensitive data using just a style tag.
It’s similar to a CSS injection but the new attack has less prerequisites and works even though the target limits the payload’s size.
The whole writeup is excellent to learn about CSS injection, and the kind of creativity/perseverence that makes you go from HTML injection to a 5 digit bounty despite many technical obstacles.
Dell KACE K1000 Remote Code Execution – the Story of Bug K1-18652
This is a writeup of the bug that made @MrTuxracer winner of HackerOne’s H1-3120 event.
It’s an RCE on an in-scope Dropbox vendor. I find his process fascinating:
During recon, he found a Dell Kace interface
The same software is now distribted by “Quest Software Inc”
The version detected is old. Free trials are only available for the last version of the app
He tried to social engineer Quest to get a free trial of the same old version of the app that he found
He still played with the latest version even though it was completely different from what he saw on the server
He analyzed the app’s source code and found a comment referencing a path traversal
His code analysis showed that there was also an arbitrary command injection
The bugs are fixed in the app’s last version but they worked when he tried them on his target which wasn’t up-to-date
Social engineering to get a demo app and taking the time to install an app locally and review its source code… remind me of this advice by @gwendallecoguic:
You just need to do what other people don’t, because they didn’t think about it or because they were lazy, success guarantee.
BurpFeed
I haven’t had the opportunity to test this tool, but I will definitely do it ASAP. It’s a Python script for mass feeding URLs to Burp suite’s sitemap/target tab.
This can be handy to transition from automated recon (and enumeration of live domains) to manual testing with Burp.
Linting For Bugs & Vulnerabilities
This is a nice introduction to static analysis of JavaScript code using ESLint with custom rules. It can help detect issues like DOM XSS.
You can also add rules to detect other vulnerabilities, and play with the OWASP Juice Shop to test them. I’d also combine such linting tools with manual anlysis because many bugs won’t be found with automation.
How did Masato find the Google Search XSS?
This is a follow-up video to last week’s explanation of the mutation XSS found by @kinugawamasato on Google.
This time @LiveOverflow provides insight into how Masato found that XSS, and the kind of research he was involved in that allowed him to find it.
It’s really interesting for anyone who wants to get into Web security research, or understand what make hackers like @albinowax, @sirdarckcat, @garethheyes or Mario Heiderich so good at research.
EU Commission is introducing EU FOSSA Bonuses for Keepass, glibc and Apache Tomcat. Up to a 50% bonus!
#EUFOSSA news: The European Commission raises bounty awards to challenge developers. Learn more at https://t.co/cK3sOvUGFr pic.twitter.com/Py4srNSYJq
— intigriti (@intigriti) 10 april 2019
Shop Apotheke has introduced new In-scope domains due to a major relaunch based on new architecture and a new underlying infrastructure. The new pages mentioned in the In-scope section are delivered by a brand new frontend. This is based on a brand new backend, which is also part of the scope and also mentioned in the In-scope section. These new software solutions have been implemented using new technologies and are hosted in a brand new infrastructure, completely independent of the existing e-commerce platform. Note: this is a registered only program!
Medium to advanced
Beginners corner
Challenge writeups
Pentest writeups
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Http-prompt: An interactive command-line HTTP client featuring autocomplete & syntax highlighting, built on HTTPie & prompt_toolkit
Git-Pwned: Wrapper around subfinder & git-dumper
Denumerator: Finds servers responding on port 80/HTTP
LFI-Enum: Scripts to exploit LFI & extract information from Linux servers
Dirble: Directory scanning & scraping tool in Rust, based on Dirb but faster
Domain-to-webapp: Web application Enumerator
EmailGen: Email Generation from Bing using LinkedIn Dorks
Adconnectdump: Dump Azure AD Connect credentials for Azure AD & Active Directory
PEPE (Post Exploitation Pastebin Emails) & Introduction: Collect information about email addresses from Pastebin for advanced credential stuffing
SharpExec & Introduction: Offensive security C# tool designed to aid with lateral movement
Articles
Other news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.
Curated by Pentester Land & Sponsored by Intigriti
