Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 5 to 12 April.
Our favorite 5 hacking items
1. Resource of the week
This is a new content discovery wordlist by @nullenc0de, to use for file & directory bruteforce with tools like dirsearch, dirb, etc.
It’s based on @JHaddix’s content_discovery_all.txt dictionary but has 300k more directories/files.
As a comparison, here is the exact number of entries in these two lists and in dirsearch's default dictionary:
# wc -l content_discovery_all.txt
# wc -l /root/tools/dirsearch/db/dicc.txt
# wc -l content_discovery_nullenc0de.txt
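As an added example (not code from the newsletter or from either wordlist's author), here is a small POSIX shell script that compares wordlists the way you would before picking one for dirsearch or dirb: a raw wc -l counts duplicates, CRLF leftovers and blank lines too, so it normalises each list first, counts what the newer list adds on top of the older one, and counts the merge of all three. The three lists it creates are constructed stand-ins; point it at content_discovery_all.txt, content_discovery_nullenc0de.txt and dirsearch's db/dicc.txt for the real numbers.

```shell
#!/bin/sh
# Added example, not code from the newsletter or from the wordlist authors.
# Compares content-discovery wordlists before choosing one for dirsearch/dirb.
set -eu
export LC_ALL=C          # comm needs both inputs sorted with the same collation

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in lists (not the real wordlists). The nullenc0de stand-in
# deliberately carries a duplicate "admin" and one CRLF line.
cat > "$WORK/jhaddix.txt" <<'EOF'
admin
backup
.git/HEAD
wp-login.php
api/v1
EOF

printf 'admin\nbackup\n.git/HEAD\nwp-login.php\napi/v1\napi/v2\n.env\r\ngraphql\nadmin\n' \
    > "$WORK/nullenc0de.txt"

cat > "$WORK/dicc.txt" <<'EOF'
admin
.env
robots.txt
EOF

# Read a wordlist on stdin; drop CRs and blank lines, emit sorted unique entries.
normalise() {
    tr -d '\r' | sed '/^[[:space:]]*$/d' | sort -u
}

# Unique entries in one list, i.e. the number of requests a bruteforce run sends.
count_unique() {
    normalise < "$1" | wc -l | tr -d ' '
}

# Entries present in list $1 but absent from list $2: what switching to $1 buys you.
only_in_first() {
    normalise < "$1" > "$WORK/.a"
    normalise < "$2" > "$WORK/.b"
    comm -23 "$WORK/.a" "$WORK/.b"
}

count_only_in_first() {
    only_in_first "$1" "$2" | wc -l | tr -d ' '
}

# Unique entries across any number of lists: the size of a merged wordlist.
merged_count() {
    cat "$@" | normalise | wc -l | tr -d ' '
}

for f in jhaddix nullenc0de dicc; do
    printf '%-12s raw=%s unique=%s\n' "$f" \
        "$(wc -l < "$WORK/$f.txt" | tr -d ' ')" "$(count_unique "$WORK/$f.txt")"
done
printf 'added by nullenc0de over jhaddix: %s\n' \
    "$(count_only_in_first "$WORK/nullenc0de.txt" "$WORK/jhaddix.txt")"
printf 'merged (all three):              %s\n' \
    "$(merged_count "$WORK/jhaddix.txt" "$WORK/nullenc0de.txt" "$WORK/dicc.txt")"
```

On the stand-in data the raw line count of the nullenc0de list is 9 but only 8 entries are unique, and 3 of them are not in the JHaddix list; run the same functions on the real files to see how much of the "300k more" is genuinely new rather than duplicated.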
2. Writeup of the week
IDOR on Shopify
This writeup is a gem for so many reasons! I highly recommend reading it and paying attention to all the details:
- How @_ayoubfathi_ used automation to get notifications of new API endpoints (and not only new subdomains!)
- How he wrote scripts on the fly during bug hunting to solve specific problems (like building a list of valid Shopify stores)
- How he leveraged a passive DNS database to get a bigger list of Shopify stores
- How he kept trying new approaches over weeks and solving one issue after the other until he confirmed the bug
- How he adapted a Bash script to bypass rate-limiting (WAF), even though it meant that the script would take days to run
- The mistake he made that rendered this awesome finding not eligible for a bounty
3. Non technical item of the week
Want to learn a new skill? Take some short breaks
Taking breaks from the computer is something I'm really bad at! I get kind of obsessive when working on anything security related.
But this study really motivates me to start taking more breaks. Researchers found that taking a short rest helps our brains retain more information learned a few seconds earlier.
So instead of thinking that rest is a waste of time, it's better to think of it as playing a critical role in learning. More rest = more productivity.
4. Video of the week
I accidentally started a live stream and it turned into #askstok
I love this live stream by @stokfredrik! Being relatively new to bug bounty and already getting good results (at least financially), he has a unique perspective. I think that’s why newcomers can easily relate to his advice/experience.
So if you're learning bug hunting and want practical advice in an entertaining format (he started live-streaming by accident!), this is the right video to watch. He answers questions like: Can you make a living from bug bounties? Do you need to know programming? Is 2019 too late to start bug hunting?…
Let’s hope he makes other Q&As. I love peeking at what other hunters are doing and the live interaction is a great opportunity to get instant feedback/answers.
5. Slides of the week
Last Tuesday, I was thinking about critical server-side issues and decided to switch my focus to SSRF for the next few weeks. The day after that, @Alyssa_Herrera_ tweeted about this presentation!
It’s a great introduction to this vulnerability class, including both theory and an example of SSRF found on a DoD site.
Just make sure to check out the comments below each slide (they won’t appear if you download the file as PDF).
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Brute53: A tool to bruteforce nameservers when working with subdomain delegations to AWS
- PyWhatCMS: Unofficial WhatCMS API package
- Web-cve-tests & Introduction: A simple framework for sending test payloads for known web CVEs
- w12scan: An asset discovery engine for cybersecurity. Seems interesting but it’s in Chinese :/
- SharpGPO-RemoteAccessPolicies: A C# tool for enumerating remote access policies through group policy. Useful for targeted lateral movement
- Vampire: An Aggressor script that adds a "Mark Owned" right-click option to beacons, for better Cobalt Strike organization during pentests/red teams
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.