By Intigriti
April 16, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 05 to 12 of April.
Better Exfiltration via HTML Injection, tl;dr by @fransrosen & sic (Sequential Import Chaining tool)
This is a great example of how far collaboration can go for bug hunters, and of how to do research and invent a new attack.
André Baptista and Cache-Money found an HTML injection with clickjacking as the worst-case scenario.
The bug wasn’t an XSS because the target used DOMPurify. But since DOMPurify allows style tags by default, @donutptr started looking for a way to exfiltrate sensitive data using just a style tag.
It’s similar to a CSS injection, but the new attack has fewer prerequisites and works even when the target limits the payload’s size.
The whole writeup is excellent for learning about CSS injection, and about the kind of creativity and perseverance that takes you from an HTML injection to a 5-digit bounty despite many technical obstacles.
Dell KACE K1000 Remote Code Execution – the Story of Bug K1-18652
This is a writeup of the bug that made @MrTuxracer winner of HackerOne’s H1-3120 event.
It’s an RCE on an in-scope Dropbox vendor. I find his process fascinating:
During recon, he found a Dell Kace interface
The same software is now distributed by “Quest Software Inc”
The version detected is old. Free trials are only available for the latest version of the app
He tried to social engineer Quest to get a free trial of the same old version of the app that he found
He still played with the latest version even though it was completely different from what he saw on the server
He analyzed the app’s source code and found a comment referencing a path traversal
His code analysis showed that there was also an arbitrary command injection
The bugs are fixed in the app’s latest version, but they worked when he tried them on his target, which wasn’t up-to-date
Social engineering to get a demo app and taking the time to install an app locally and review its source code… remind me of this advice by @gwendallecoguic:
You just need to do what other people don’t, because they didn’t think about it or because they were lazy, success guaranteed.
I haven’t had the opportunity to test this tool, but I will definitely do it ASAP. It’s a Python script for mass feeding URLs to Burp Suite’s sitemap/target tab.
This can be handy to transition from automated recon (and enumeration of live domains) to manual testing with Burp.
This is a nice introduction to static analysis of JavaScript code using ESLint with custom rules. It can help detect issues like DOM XSS.
You can also add rules to detect other vulnerabilities, and play with the OWASP Juice Shop to test them. I’d also combine such linting tools with manual analysis because many bugs won’t be found with automation.
This is a follow-up video to last week’s explanation of the mutation XSS found by @kinugawamasato on Google.
This time @LiveOverflow provides insight into how Masato found that XSS, and the kind of research he was involved in that allowed him to find it.
It’s really interesting for anyone who wants to get into Web security research, or understand what makes hackers like @albinowax, @sirdarckcat, @garethheyes or Mario Heiderich so good at research.
The EU Commission is introducing EU FOSSA bonuses for KeePass, glibc and Apache Tomcat. Up to a 50% bonus!
#EUFOSSA news: The European Commission raises bounty awards to challenge developers. Learn more at https://t.co/cK3sOvUGFr pic.twitter.com/Py4srNSYJq
— intigriti (@intigriti) 10 April 2019
Shop Apotheke has introduced new in-scope domains due to a major relaunch based on a new architecture and a new underlying infrastructure. The new pages mentioned in the In-scope section are delivered by a brand new frontend. This is based on a brand new backend, which is also part of the scope and also mentioned in the In-scope section. These new software solutions have been implemented using new technologies and are hosted in a brand new infrastructure, completely independent of the existing e-commerce platform. Note: this is a registered-only program!
Risky Business #536 — Mar-a-Lago arrest, ASUS supply chain attack and more
Sophos podcast Ep. 027 – Honeypots, GPS rollover and the MySpace data vortex
The Many Hats Club Ep. 56, I spy with my little SpyEar (with Rachel Tobac)
Insomni’hack 2019, especially:
BSides Rochester 2019, especially:
Medium to advanced
Leveraging Expression Language Injection (EL Injection) for RCE
Living Off the Land: Opening PowerShell When You Can’t Open PowerShell
An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit
An intro into abusing and identifying WMI Event Subscriptions for persistence
Beginners corner
A Pentester’s Guide – Part 1 (OSINT – Passive Recon and Discovery of Assets), Part 2 (OSINT – LinkedIn is not just for jobs) & Part 3 (OSINT, Breach Dumps, & Password Spraying)
Challenge writeups
Midnight Sun CTF (Challenges by @avlidienbrunn)
Pentest writeups
Responsible disclosure writeups
CVE-2019-0227: Expired Domain to Remote Code Execution in Apache Axis
Confluence Unauthorized RCE Vulnerability (CVE-2019-3396) Analysis
Bug bounty writeups
RCE on Gitlab ($12,000)
OAuth flaw on Twitter ($5,040)
Code injection on Starbucks ($4,000)
SSRF on GitLab ($3,000)
Logic flaw on Shopify ($1,837)
Information disclosure on HackerOne ($1,500)
Information disclosure on Slack ($1,500)
Logic flaw on Facebook ($1,000)
See more writeups on The list of bug bounty writeups.
Http-prompt: An interactive command-line HTTP client featuring autocomplete & syntax highlighting, built on HTTPie & prompt_toolkit
Git-Pwned: Wrapper around subfinder & git-dumper
Denumerator: Finds servers responding on port 80/HTTP
LFI-Enum: Scripts to exploit LFI & extract information from Linux servers
Dirble: Directory scanning & scraping tool in Rust, based on Dirb but faster
Domain-to-webapp: Web application Enumerator
EmailGen: Email Generation from Bing using LinkedIn Dorks
Adconnectdump: Dump Azure AD Connect credentials for Azure AD & Active Directory
PEPE (Post Exploitation Pastebin Emails) & Introduction: Collect information about email addresses from Pastebin for advanced credential stuffing
SharpExec & Introduction: Offensive security C# tool designed to aid with lateral movement
Can you hack your government?: A list of governments with Vulnerability Disclosure Policies
Microsoft publishes SECCON framework for securing Windows 10
The Unescape Room (source code): Source of the online XSS game by @jobertabma
Apple’s App-Site Association – The New robots.txt & aasa.sh (Script that generates URL list from App-Site Association file)
Online shoplifting – exploiting e-commerce basket and voucher faults for five-finger discount
Sudo_inject: New Linux privilege escalation technique abusing sudo token
Phar out: PHP deserialization techniques offer rich pickings for security researchers
App could have let attackers locate and take control of users’ cars: Hard-coded credentials
Some enterprise VPN apps store authentication/session cookies insecurely
Facebook app developers leaked millions of user records on cloud servers, researchers say
Microsoft: Hackers compromised support agent’s credentials to access customer email accounts
Berkeley High student tried to rig his own election, exposing flaw in district’s cybersecurity: A user’s email is always his/her first and last name. The default password is “Berkeley” followed by the student’s identification number.
International companies’ official newsletters are used to steal money from bank accounts
Other news
Android phones transformed into anti-phishing security tokens
Mar-a-Lago intruder had instant-malware-inflicting thumb drive
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.
Curated by Pentester Land & Sponsored by Intigriti