Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 30 of August to 06 of September.
Our favorite 5 hacking items
1. Conference of the week
DerbyCon 9, especially:
– To CORS! The cause of, and solution to, your SPA problems! & CORS Exploitation Framework (CEF)
– REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure
– Assumed Breach: A Better Model for Penetration Testing
– Kerberoasting Revisited
– Old Tools, New Tricks: Hacking WebSockets
– Full Steam Ahead: Serverless Hacking 101
– Red Team Methodology: A Naked Look
– API Keys, Now What?Taking the Pen Test Into the Amazon Cloud
– Red Team Level over 9000! Fusing the powah of .NET with a scripting language of your choosing: introducing BYOI (Bring Your own Interpreter) payloads
DerbyCon 9 had so many good talks! I’m particularly interested in the ones on CORS, Kerberoasting, WebSOckets, GraphQL, Serverless, API security & red teaming, but many other topics were discussed.
Too bad, this was the last DerbyCon conference!
2. Writeup of the week
Add new user with Admin permission and takeover the organization
This is the writeup a privilege escalation on a private program. Starting with a limited user account and no API documentation, the author was looking for admin endpoints.
He tried common ones like /api/v2/member/, /api/v2/members/, /api/v2/users/, /api/v2/user/… And noticed that existing and non-existing endpoints returned different HTTP codes.
api/v2/user returned a 405 (the method is not allowed). Changing the method from GET to POST, and adding all parameters reported missing by the server, he was able to construct a valid POST request and create a new user. But the reset password functionality didn’t work for that user until he passed the right value (found by bruteforce) to a specific parameter during user creation.
Then he was able to create an admin user by adding “role”=”admin” to the request.
This whole process isn’t complicated but I love how the author relies on parameters guessing and bruteforce, and also chains multiple actions to find hidden functionality and overcome any obstacle faced.
3. Article of the week
Same-Origin Policy: From birth until today
The Same Origin Policy is an essential concept for Web app testers. This article presents the results of research on SOP and CORS on different browsers, as well as 2 CSRF bugs and how CSRF and SOP are related.
The author’s conclusion: “do not use IE or Edge”… They violate the SOP standard, which makes them more vulnerable.
4. Tool of the week
This is a great tool for Github recon. I’ve never seen one like it for two reasons: it does live monitoring with Slack notifications, and it searches all Github not only organization repositories. So even if a developer has a profile that is not explicitly linked to your target organization, gitGrabber will still search for secrets in this repository.
The syntax is basically gitGraber.py -k KEYWORDSFILE -q QUERY, where QUERY can be your target organization (e.g. yahoo) and KEYWORDSFILE is a file containing keywords like access_key, password, auth…
The tool looks for sensitive data for several online services (Google, Amazon, Paypal, Github, Mailgun, Stripe…) based on regexes and notifies you when potentially sensitive information is found.
5. Videos of the week
TomNomNom answers questions for 4 hours straight
8/25/2019 – Live Bug Bounty Recon Session w/ @FransRosen
This livestreaming trend by bug hunters is getting crazy! I find it harder and harder to keep up with the pace. But these two videos are on the top of my list of things to watch this week.
@tomnomnom answers questions for more than 4 hours. They touch on everything from his peanut butter preferences to why he doesn’t do bug bounty full-time, burnout, VIM, getting into bug bounty, etc.
The stream by @NahamSec covers topics like asset discovery and API fuzzing, and a ~1 hour interview with @fransrosen. I’m a big fan of his, so it’s awesome to hear about his recon approach, research he’s working on, why he doesn’t automate everything, etc.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- TorIpRotate: Simple burp extension for routing traffic over tor. It instruments tor to switch to a new circuit after every N requests.
- Requests-Racer & Introduction: A Python Library for Exploiting Concurrency-Related Vulnerabilities in Web Applications
- massNS: A tool that turns the authoritative nameservers of DNS providers to resolvers and resolves the target domain list
- Encoderama: String or worldlist encoder for use in fuzzing or web application testing
- Liffier: Tired of manually add dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL
- C3 & Introduction: Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits
- SharPersist & Introduction: Windows Persistence Toolkit in C#
- ActiveReign: A Network Enumeration and Attack Toolset. Similar to CrackMapExec with less functionalities but with a few modifications that might be handy
- Httptools: A python package that lets you to capture, repeat and live intercept HTTP requests with scripting capabilities, built on top of mitmproxy
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/30/2019 to 09/06/2019
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.