Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 19 to 26 April.
Our favorite 5 hacking items
1. Challenge of the week
I haven’t had the time yet to do this CTF, but it’s on my to-do list because it seems different. It’s a Web CTF that involves multiple subdomains, directory bruteforce, and different attack vectors.
So it’s a nice opportunity to practice recon. But make sure to respect the rules (attacking the infrastructure/ports other than 443 is not allowed).
2. Writeup of the week
Session fixation on Shopify ($5,000)
This is an excellent session fixation report. It is well-written, detailed and a good example of a real-life session fixation attack. So it’s a good read if you want to learn about this kind of bug.
Also, it’s interesting to see how @filedescriptor found the bug and chained it with an out-of-scope vulnerability: he found an XSS, but XSS was out of scope. So he kept playing with the apps and noticed that some generated session IDs didn’t change after logging in, which meant session fixation. He then leveraged the XSS to exploit the session fixation.
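To make the root cause concrete, here is an added example (not code from the Shopify report or from this newsletter): a minimal in-memory session store whose `rotate_on_login` flag switches between the vulnerable behaviour (the pre-login session ID keeps working after authentication) and the usual fix (issue a fresh ID at login). `SessionStore` and `fixation_check` are hypothetical names for this illustration.

```python
# Added example: why a session ID that survives login is a session fixation
# bug, and what the hardened behaviour looks like. Not the Shopify code.
import secrets


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate session `sid`; return the ID the client must use next."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            # Hardened: drop the pre-auth ID so an ID planted in the victim's
            # browser before login (e.g. via XSS) never becomes authenticated.
            del self.sessions[sid]
            sid = self.new_session()
        # Vulnerable variant (rotate_on_login=False): the same ID is simply
        # upgraded to an authenticated session.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def fixation_check(store: SessionStore) -> bool:
    """True if an ID known before login still identifies the user afterwards,
    i.e. the store is vulnerable to session fixation (constructed scenario)."""
    planted = store.new_session()  # ID obtained before the victim logs in
    store.login(planted, "victim")
    return store.whoami(planted) == "victim"


if __name__ == "__main__":
    print("vulnerable:", fixation_check(SessionStore(rotate_on_login=False)))
    print("hardened:  ", fixation_check(SessionStore(rotate_on_login=True)))
```

The same check works as a test-suite assertion against a real web app: log in with a cookie you set beforehand and fail the test if that cookie is still authenticated afterwards.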
3. Article of the week
“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
A list of the most common [secure] variables from 5,302,677 build logs on Travis CI
This is awesome research and collaborative work! I loved reading about:
- How they came up with this research topic
- How they started with a list of bug bounty programs, found their GitHub organizations (using Google), then their Travis CI projects (using a bookmarklet)
- How they grepped through the sizeable data retrieved (using Ripgrep)
- How the tools they used to fetch build logs were created with availability in mind (to avoid causing any service disruption)
- Which kind of information to look for when analyzing Travis CI logs
- Several examples of bugs found on bug bounty programs
4. Resource of the week
Keyhacks is a GitHub repo listing ways in which API keys can be checked to see if they’re valid.
It can be handy to quickly show the impact of API keys leaked by bug bounty targets. It’s particularly interesting after reading the research about finding sensitive information in Travis CI logs.
5. Tutorial of the week
How to Hunt Bugs in SAML; a Methodology – Part I, Part II & Part III
If you’ve come across SAML during testing and didn’t know which kinds of bugs to look for, these tutorials are for you!
They’re a good introduction including how SAML works, common vulnerabilities, tools, a testing methodology, and resources.
6. Intigriti News
6.1 XSS Challenge
6.2 Program of the Week
Torfs – the well-known shoe retailer in Belgium – is still a 100% family business today. This family character guarantees a number of important values within the company where employees are central. With more than 80 stores in Flanders, 2 shops in the French part of Belgium and a growing online shop in Belgium, The Netherlands and several marketplaces, Torfs wants to be and remain the most customer-friendly optichannel shoe store chain. They pay up to €5000 and have their full online store in scope. Go have a look!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
- X41 BeanStack & Introduction: Java Fingerprinting using Stack Traces
- SmartProxy: SmartProxy will automatically enable/disable proxy for the sites you visit, based on customizable patterns
- BugHunter: A Bug management project for Bug Hunters
- RCEvil.NET & Slides: A tool for signing malicious ViewStates with a known validationKey
- Viewgen: ASP.NET ViewState generator, When to use it & Related research
- Thief: Subdomain hijack automation. Wrapper around Sublist3r & Subjack
- Findomain: A tool that uses Certificate Transparency logs to find subdomains
- Reverie: Wrapper around pentest tools with automated reporting (for Parrot Linux)
- GitHacker: A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers’ minds
- Csp-analyzer.py: Python script that displays the Content-Security-Policy of a given URL
- Netmap.js: Fast browser-based network discovery & port-scanning module
- Termshark: A terminal user-interface for tshark
- SAP Gateway RCE exploits
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.