Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 12 to 19 of July.
Our favorite 5 hacking items
1. Tutorial of the week
Using Wireshark over SSH (WS on Windows traffic on Linux)
This is a short how-to for using Wireshark over SSH. It’ll be really handy if your main host is Windows, and you are using a Linux VPS for tests.
The steps described will allow you to run Wireshark locally, and use it to analyze traffic captured on the remote Linux server (even if you don’t have a GUI on the latter!).
2. Writeup of the week
Privilege escalation via mass assignment on New Relic
What a fun bug! @samwcyo bought a Tesla, tried to hack it, didn’t find anything, cracked his windshield, then accidentally triggered a blind XSS when he wanted to report the accident.
My takeaways are:
– Put blind XSS payloads everywhere
a Tesla one day
– Then damage it intentionally
to find new bugs
3. Video of the week
Understanding & bypassing filters with @zseano
@zseano walks us through why all XSSes are not low hanging fruits, and how he proceeds to find edge cases by bypassing filters.
If you want to stop trying random payloads grabbed from the Internet and learn how to manually find interesting XSSes like a pro, this is the video to watch!
Also, it’s a good idea to focus on one bug at a time. That’s what @zseano and @nahamsec did and recommend.
4. Conference of the week
SteelCon 2019, especially:
– SteelCon 2019: Hunting Sh\*T Up: Red Teaming With A Bug Hunter’s Mindset – Andy Gill
– TLS 1.3 For Penetration Testers
– WordPress Isn’t A Security Dumpster Fire, Fight Me!
These talks go to my top list of things to watch really soon. Especially the one by Andy Gill because it’s about three aspects of offensive security in which I’m very interested: Pentesting, Bug bounty and Red teaming.
Applying a bug hunter’s mindset to pentest and red teaming can only be a good idea: bug hunting pushes you to automate as much as you can, go for the most impactful bugs and PoCs, work fast by using report templates, use/create the best tools… But many tools used for Web security today were created by bug hunters and aren’t known by many pentesters.
So I can’t wait to learn Andy’s take on this subject, and learn about TLS 1.3 and WordPress security.
5. Non technical item of the week
Web Application Penetration Testing: Minimum Checklist Based on the OWASP Testing Guide
This article is aimed at QA specialists. But I think it’s also a good read for beginner pentesters who don’t have the time to go trough the whole OWASP Testing Guide and need a quick summary.
Not that I don’t encourage reading the whole thing (on the contrary!). But it can be overwhelming when you’re just starting out.
The cheatsheet is useful to use during tests or as a basis for your own customized cheatsheet. I love how each test is accompanied with a concise comment that’s like the most important thing that you need to know about that test.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Race condition on Facebook (Instagram) ($30,000)
- Subdomain takeover on Facebook ($500)
- CSRF on Facebook ($3,000)
- Stealing CSRF token with Clickjacking ($1,250)
- CSRF through GraphQL on Tokopedia
- IDOR, SSRF, Information disclosure & CORS misconfiguration ($9,000)
- MiTM on Slack ($500)
- Logic flaw on Uber ($1,500)
- Authorization flaw on GitLab ($1,000)
- RCE / Browser extension flaw on Grammarly & PoC ($1,500)
- RCE on GitLab ($12,000)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- GitGot& Introduction: Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets
- Git-Scrapers: Collect OSINT from git repositories
- Entro.py: Tool that recursively searches directories for files containing strings with high shannon entropy (by @healthyoutlet) & How to reduce false positives
- git-ls: List (or plunder) private repos/gists to which a token has access, including those of other users
- Git-hound: Find exposed keys across GitHub using code search keywords. Git Hound is a pattern-matching, batch-catching secret snatcher.
- jLoot: JIRA Secure Attachment Looter
- RacePWN (Race Condition framework) & Introduction: Race Condition framework
- XSpear: Powerfull XSS Scanning and Parameter Analysis tool&gem
- RedGhost: Linux post exploitation framework designed to assist red teams in gaining persistence, reconnaissance and leaving no trace
- Very Complete Management (VCM): A small script to automate project folder management and basic tool output
- ReportingTool: PHP Laravel Based Pentesting Report Writing Tool
- Kali-ptf: A Kali container with custom set of tools installed
- Revssl: A simple script that automates generation of OpenSSL reverse shells
- Find-LOLBAS & Introduction: Simple powershell script to find living off land binaries and scripts on a system
- Vulnrep: Java tool that collects vulnerabilities (from vulners.com and/or wpvulndb.com) for defined keywords generates an HTML report
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Tell @naffy what you’d like to hear him explain / cover in Live streams
- Real-World Bug Hunting: A Field Guide to Web Hacking, Peter Yaworski @yaworsk’s new book is out
- Burp Suite Pro/Community 2.1.01 released, with support for WebSockets in Burp Repeater & Here’s how to use Burp Repeater with WebSockets
- Google deprecates XSS Auditor for Chrome
- End of Sale Announced for Metasploit Community
- Kali NetHunter App Store, a new Android store dedicated to free security apps
- Live Hacking Events: Stats, invitations, and what’s next & @luketucker answering live hacking questions on Twitter
- Bigger Rewards for Security Bugs: Google is tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000
- Equifax launches a vulnerability disclosure policy, the first major credit reporting agency to do so
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/12/2019 to 07/19/2019
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.