Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of the write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 3 to 10 May.
Our favorite 5 hacking items
1. Challenge of the week
Authentication Lab (online), Source code & Walkthroughs
This is a great lab if you want to practice finding authentication vulnerabilities. There are 5 bugs: IP based authentication bypass, Timing attack, Client side auth, Leaky JWT and JWT Signature Disclosure (CVE-2019-7644).
Also, if you get stuck, check out the walkthroughs. I don’t want to read them before doing the challenges myself, but they look detailed (like 5 articles in 1!).
2. Writeup of the week
Information disclosure on Shopify ($802.20)
This is a fun report! The vulnerability is a GraphQL endpoint that reveals sensitive information without authentication: the internal beer consumption (brands and quantities left) at Shopify’s offices.
What’s interesting is how @eraymitrani found the vulnerable GraphQL endpoint. I highly recommend reading the summary where he explains it.
Basically, he saw in a previous report by @rijalrojan that Shopify had an exposed GraphQL endpoint. So he set out to find other exposed endpoints, following these steps:
- Subdomain enumeration
- Request /graphql on all subdomains using wfuzz
- Filter by 200 responses
- Send introspection queries to all of them in Burp Repeater
- Got a “query string not present” error
- Solved it by adding a Content-Type header to the POST request
- Look for a domain that leaks private information
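The probe-and-introspect steps above, as an added example (this is not code from the write-up or from Shopify): a standard-library-only Python script that sends the introspection query with the Content-Type header that turned out to be missing, recognises the “query string not present” error, and lists the application-defined object types the schema exposes. The sample responses embedded for the offline run are constructed, not Shopify’s real schema.

```python
"""Find unauthenticated GraphQL endpoints and list what their schema exposes.

Added example for the hunting steps above (not code from the write-up or
from Shopify). Only the standard library is used.
"""
import json
import sys
import urllib.request
from typing import Dict, List, Optional, Tuple
from urllib.error import URLError

# Minimal introspection query: enough to enumerate types and their fields.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types { name kind fields { name } }
  }
}
""".strip()

# GraphQL scalars present in every schema; they tell us nothing about the app.
BUILTIN_SCALARS = {"String", "Int", "Float", "Boolean", "ID"}


def build_request(url: str) -> Tuple[Dict[str, str], bytes]:
    """Headers and JSON body for the introspection POST.

    The explicit Content-Type is the fix from the write-up: without it the
    server does not parse the body and answers "query string not present".
    """
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return headers, body


def missing_query_error(response: Optional[dict]) -> bool:
    """True if the server complained that it saw no query (Content-Type issue)."""
    for err in (response or {}).get("errors", []) or []:
        if "query string not present" in str(err.get("message", "")).lower():
            return True
    return False


def custom_types(response: Optional[dict]) -> List[str]:
    """Application-defined OBJECT types from an introspection response.

    Meta-types (__Schema, __Type, ...) and built-in scalars are dropped, so
    what remains is where leaked internal data (inventory, staff, ...) lives.
    """
    schema = ((response or {}).get("data") or {}).get("__schema") or {}
    names = []
    for t in schema.get("types", []) or []:
        name = t.get("name", "")
        if name.startswith("__") or name in BUILTIN_SCALARS:
            continue
        if t.get("kind") == "OBJECT":
            names.append(name)
    return sorted(names)


def fields_of(response: Optional[dict], type_name: str) -> List[str]:
    """Field names of one type; handy to eyeball what an endpoint serves."""
    schema = ((response or {}).get("data") or {}).get("__schema") or {}
    for t in schema.get("types", []) or []:
        if t.get("name") == type_name:
            return sorted(f["name"] for f in (t.get("fields") or []))
    return []


def probe(url: str, timeout: float = 10.0) -> Optional[dict]:
    """POST the introspection query to url and return the decoded JSON.

    Returns None on network errors, non-2xx status or non-JSON bodies
    (e.g. a plain 404 page). Not called at import time.
    """
    headers, body = build_request(url)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8", "replace"))
    except (URLError, OSError, ValueError):  # HTTPError is a URLError subclass
        return None


# Constructed sample responses for an offline run; not Shopify's real schema.
SAMPLE_OK = {"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [{"name": "officeBeers"}]},
    {"name": "OfficeBeer", "kind": "OBJECT",
     "fields": [{"name": "brand"}, {"name": "quantityLeft"}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Schema", "kind": "OBJECT", "fields": [{"name": "types"}]},
]}}}
SAMPLE_NO_QUERY = {"errors": [{"message": "query string not present"}]}


if __name__ == "__main__":
    # Usage: python graphql_probe.py https://sub1.example.com/graphql ...
    for target in sys.argv[1:]:
        result = probe(target)
        if result is None:
            print(f"{target}: no JSON response")
        elif missing_query_error(result):
            print(f"{target}: 'query string not present' (check Content-Type)")
        else:
            print(f"{target}: introspection exposes {custom_types(result)}")
```

Feed it the hosts that answered 200 to /graphql in the wfuzz step; a target whose `custom_types` output is non-empty has introspection enabled without authentication, which is the starting point for reading what the types actually return.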
3. Article of the week
Bug Chain Tales: P5+P5=P3
If you’re always hearing about chaining bugs and wondering how to do it in practice, this is a good example.
Self-XSS and login CSRF are generally not paying bugs by themselves. But, combined, they become more dangerous and worthy of a bounty.
The attack scenario in this case is to enter the XSS payload in the address details of the attacker’s account, and make the victim open this account using the login CSRF. When the victim buys something and wants to select the delivery address, the XSS payload is triggered.
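The two fixes that break this chain on the server side, as an added example (not code from the article or from the affected site): escape the stored address when rendering it, so the self-XSS payload never executes, and bind the login form to a token derived from the visitor’s pre-login session cookie, so a form auto-submitted from the attacker’s page cannot log the victim into the attacker’s account. The payload string and session identifiers are constructed for the demo.

```python
"""Breaking the self-XSS + login-CSRF chain on the server side.

Added example, not code from the article. Two independent fixes: escape the
user-supplied address when rendering it, and bind the login form to a
token the cross-site page cannot know.
"""
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Per-deployment server secret; generated here so the demo is self-contained.
SECRET_KEY = secrets.token_bytes(32)


def render_address_unsafe(address: str) -> str:
    """The vulnerable pattern: stored data concatenated straight into HTML.

    The attacker saves a payload in their own account's address (self-XSS);
    it runs for whoever views that account's address list.
    """
    return '<li class="address">' + address + '</li>'


def render_address(address: str) -> str:
    """Escaped rendering: the payload becomes inert text in the victim's browser."""
    return '<li class="address">' + html.escape(address, quote=True) + '</li>'


def login_csrf_token(pre_login_session_id: str, key: bytes = SECRET_KEY) -> str:
    """Token tied to the anonymous session cookie the visitor already holds.

    Embedded as a hidden field in the login form and recomputed on submit.
    """
    return hmac.new(key, pre_login_session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def login_allowed(pre_login_session_id: str, submitted_token: Optional[str],
                  key: bytes = SECRET_KEY) -> bool:
    """Accept the login POST only if the token matches the submitting session.

    A form auto-submitted from the attacker's site cannot read the victim's
    pre-login cookie, so it cannot produce a valid token: the login CSRF
    that would park the victim in the attacker's account is refused.
    """
    if not submitted_token:
        return False
    expected = login_csrf_token(pre_login_session_id, key)
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    payload = '<img src=x onerror="alert(document.domain)">'  # constructed self-XSS payload
    print(render_address_unsafe(payload))
    print(render_address(payload))
    token = login_csrf_token("anon-42")
    print(login_allowed("anon-42", token), login_allowed("anon-42", None))
```

Either fix alone is enough to stop this particular chain, which is the point of the article: each bug is low severity on its own, so fixing only one of them is how the pair ends up exploitable. The token only works if it is bound to a cookie set before login; a token the attacker can obtain by loading the login page themselves would be useless.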
4. Resource of the week
As its name indicates, this is an awesome asset discovery list. In other words, it’s a list of resources to help find all kinds of assets belonging to an organization: IP addresses, (sub)domains, emails, open ports, cloud infrastructure, business communication infrastructure, data leaks, source code aggregators, and more.
Some of the tools mentioned are classics that you probably already use, but you might also discover something new!
5. Slides of the week
Bug bounty – Work smarter not harder
This is a nice introduction to bug bounty. But even if you’re not a beginner, some resources mentioned might be helpful. Personally, I didn’t know of dkimsc4n (a DKIM scanner) and can’t wait to try it.
Also, thanks for mentioning Pentester Land @vavkamil!
6. Intigriti News
6.1 Platform Updates
We’ve added several new features to our platform:
- The maximum submission title length has been increased to 50 characters.
- Researchers are now able to specify a preferred payment method (invoice, wire, Payoneer, PayPal) and enter their details. This setting is available in the payout overview.
- Researchers are now able to start their vetting procedure with one click from the profile view.
A blogpost about the platform’s new features will be posted soon!
6.2 New Bug Bounty Tips
This week we received two bug bounty tips:
- Use ExifTool to extract metadata from documents. It might reveal vulnerable HTML-to-PDF generators.
- The birthday trick: if you sign up for a target, set your birthday to today or tomorrow! Then use the birthday discount vouchers that land in your inbox to buy gift cards. Repeat!
Other amazing things we stumbled upon this week
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- awesome-jenkins-rce-2019: There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
- Natlas: Scaling Network Scanning
- ggroup.py: Check for public Google groups given a list of domains
- Horn3t: Powerful Visual Subdomain Enumeration at the Click of a Mouse
More tools, if you have time
- doNmap.sh: Bash wrapper for nmap scans
- Final Recon: OSINT Tool for All-In-One Web Reconnaissance
- awsEmailCheck.py: Determines if there is an AWS account associated with a given email address
- Scan.sh: Initial recon automation (masscan + nmap import into metasploit db)
- wpBullet: A static code analysis tool for WordPress Plugins/Themes (and PHP)
- autOSINT: Recon tool. Uses recon-ng & hunter.io
- ReconT: Reconnaissance, footprinting & information disclosure
- Shiva: An Ansible playbook to provision a host for penetration testing and CTF challenges
- QRGen: Simple script for generating Malformed QRCodes
- Jalesc: Just Another Linux Enumeration Script: A Bash script for locally enumerating a compromised Linux box
- LDAP_Search: Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
- SharpClipHistory: A .NET application written in C# that can be used to read the contents of a user’s clipboard history in Windows 10 starting from the 1809 Build
Misc. pentest & bug bounty resources
- Nina Zakharenko’s Fundamentals & Intermediate Python Courses (Free Until May 16th), learnpython.dev (Accompanying website) & Repo
- OSINT Collection Tools for Pastebin
- All in one Recon Methodology PDF: PDF bundle of multiple recon presentations listed here
- Church of Hackers
- APIsecurity.io Issue 30: 5G going to REST. Breaches in Dell, Cisco, WebLogic, DockerHub, JustDial, iLnkP2P
- Infosec – Infographics
- Android Security & Malware: Telegram channel by @LukasStefanko on “Security & privacy, malware on Google Play, vulnerabilities, bug bounty hunting, security tips, tutorials, penetration testing..”
- Active Directory Kill Chain Attack & Defense
- Mobile App Sec Assemble: Slack workplace for people interested in Mobile Application Security
- Kaonashi: Wordlist, rules and masks from Kaonashi project (RootedCON 2019)
Bug bounty / Pentest news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/03/2019 to 05/10/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.