Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 13 to 20 of September.
Our favorite 5 hacking items
1. Tutorial of the week
How to find more IDORs
This tutorial explains how to find IDORs that are less obvious than just incrementing an ID. The techniques mentioned can be very helpful especially in the context of bug bounty.
Some of them are testing encoded & hashed IDs, adding an ID to the request even if the app didn’t ask for it, changing the request method, etc.
Also, IDOR and self-XSS combined can lead to stored XSS, increasing the impact of the IDOR.
2. Writeup of the week
Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)
@YoKoAcc, @JRs_Faisal and Tomi teamed up and found a whole bunch of bugs on a private program. They share multiple writeups that each explains different bugs.
This one is interesting because of the weird race condition. Here are my main takeaways:
They couldn’t find any flaws in the main file upload functionality. But the file edit functionality allowed them to change already uploaded files to any extension (including PHP!). Nice way to get unrestricted file upload…
So they could upload Web shells, but didn’t get RCE because uploaded files were moved to AWS after 2 seconds! And here is the weird part: for some reason, the request that modified the uploaded file was vulnerable to a race condition. By sending multiple requests, the server returned the file’s location (before it is moved to AWS). So in the short window where the file was still on the server, they got a reverse shell by requesting the file in a browser.
Not sure why this is happening, but it’s interesting to see a race condition help get RCE via file upload!
3. Tool of the week
Most tools that help with XSS detection are limited because they rely on server response reflection.
The only other tool I’ve seen efficiently help with this was DOMinator Pro, but it was commercial and I can’t find it online anymore. So it is awesome to have a free open source alternative!
4. Non technical item of the week
Problems I have faced in Bug Bounty
I really enjoyed reading this article. After 2 months of bug hunting, @Unknownuser1806 shares 6 problems he faced and how he solved them.
They revolve around productivity and mental health. I feel that we can easily lose sight of these topics when we get engrossed in hacking. Burnout is never that far… So the refresher is great! It’s also nice to see the specific tools a fellow bug hunter found helpful: Engross App, Habitica, Evernote/Diary, Morning habits, meditation & exercise.
5. Tips of the week
– While registering account there’s no fields like address or about me, but they’re exist on the page where you can edit your info after registering account. Try to add them while registering another account and paste payloads in values, this can bypass (XSS/injection) protection
There’s not much to comment here, the tips are self-explanatory.
I’ve never encountered these ideas before and think they’re worth adding to any Web testing methodology!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Pixload: Image Payload Creating/Injecting tools
- Bass: A tool that combines valid DNS resolvers from various DNS Providers of your target and generates a maximum final list of DNS resolvers. Add anywhere from 100-4k resolvers to your ‘resolver.txt’ (TL;DR)
- Docem: Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
- Curryfinger & Introduction: A Go tool for finding the server behind popular CDNs through SNI & Host header spoofing
- Dupe Key Injector: A Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at BSides/BlackHat/DEFCON 2019 “SSO Wars: The Token Menace” presentation
- G-Calendar-Audit: A Python script to check for public Google calendars
- Lockdoor Pentesting Framework: A Penetration Testing framework with Cyber Security Resources
- Dnmasscan: A script that can resolve an input file of domains & scan them with masscan
- EZDomain: Python script for subdomain, file, directory & S3 bucket bruteforce
- Dr Robot: A tool for Domain Reconnaissance and Enumeration
- Dolos Cloak: Automated 802.1x Bypass
- Cryptbreaker & Introduction: A cloud-backed password cracking and assessment tool
Misc. pentest & bug bounty resources
Articles & Papers
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/13/2019 to 09/20/2019.
Curated by Pentester Land & Sponsored by Intigriti
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.