Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 14 to 21 of June.
Our favorite 5 hacking items
1. Conference of the week
VIM tutorial: linux terminal tools for bug bounty pentest and redteams with @tomnomnom
Oh my! We’re really spoilt this week between this video tutorial with @tomnomnom and @nahamsec’s recon tips video (see below).
@tomnomnom shares so many tips that are worthy to discover whether your are a beginner or seasoned bug hunter. This includes the tools he uses for recon (including custom ones like assetfinder and html-tool), BASH basics, how to manually search for secrets in Git repos, how to use (and exit) VIM and a lot more.
This is a must watch if you’re into Web app security!
2. Writeup of the week
Using Burp Suite match and replace settings to escalate your user privileges and find hidden features ($500)
@jon_bottarini shares here a technique that allowed multiple times to access unreleased beta and admin features (i.e. escalate his privileges).
The idea is that if you see the server always returning some “false” value, you can use Burp Suite’s match and replace rule to change the server’s response body from “false” to “true”. Sometimes this triggers client-side code that was hidden or unaccesible.
Similarly, you can replace “userlevel”:READONLY with “userlevel”:ADMIN, or “subscriptionlevel”:”BASIC” with “subscriptionlevel”:”PROFESSIONAL”.
Pretty straightforward. Must try now!
3. Resource of the week
Collection of bug bounty tips
This is a remarkable Twitter feed initiated by @intigriti who asked hackers to share their best bug bounty tip. A lot of people chimed in. Here are some of my favorite responses:
- “Sometimes your target asks you to pay to access an account/premium features. If they use services like “Stripe”, try paying with “test cards” and check if you can have a premium account/features, for free!”
- “Change the host header to “localhost”, its IPv4/IPv6 equivalents or even better the internal IP of the server!” and “if you get a 403 with that, adding X-Fowarded-For:localhost might do the trick! :)”
- “If http://bugbountytarget.com does not verify e-mail addresses, try signing up with a @bugbountytarget.com email address! You may get access to special features or discounts!”
4. Tool of the week
If you’re currently doing your recon manually, this will be a very handy tool. It’s a wrapper around many staple tools and looks like a good basis to build upon and customize to your own needs.
I already have a custom recon tool. But regular readers of this newsletter know by now that I lo-o-ove going through repos like this one. I look for any good ideas that can be replicated and improve my own scripts.
5. Tutorial of the week
How to: Burp ♥ OpenVPN
Bookmark this one. It will be really helpful if you need to direct all (and only) your Burp traffic through a remote VPN.
This is a little more complicated than running a VPN on your local machine, but sometimes you don’t have a choice. Bug bounty program and pentest client can require that you use a remote VPN.
So check out this awesomly detailed guide. You will need PuTTY, OpenVPN, one VPS or two (if you have a dynamic IP) and the Switchy Omega browser extension.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Redirector: Online open redirect / SSRF payload generator
- Droidstatx: Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment.
- Konan: Advanced Web Application Dir Scanner
- Prithvi: Report Generation Tool
- T1tl3: A simple python script which can check HTTP status of branch of URLs/Subdomains and grab URLs/Subdomain title
- Detect-techs.py: A simple tool written in python3 used to read a list of websites and enumerate WordPress sites, you can change WordPress to any other technology and use it
- EnumUserInFiles.sh: Script for searching usernames in files (nearly all filesystem) for getting sensitive files
- 0xsp-Mongoose: Privilege Escalation Enumeration Toolkit (ELF 64/32 ) , fast , intelligent enumeration with Web API integration
- Constole: Scan for and exploit Consul agents
- Sliver: A general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), & DNS
- Slackor & Introduction: A Golang implant that uses Slack as a command and control server
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/14/2019 to 06/21/2019.
Subscribe to the newsletter here!
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.