Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 25th of October to 1st of November.
Our favorite 5 hacking items
1. Podcast of the week
Episode #1 ft. STÖK
This podcast is made by Fisher and is A-M-A-Z-I-N-G! It makes you feel like you are at a live hacking event, sitting with two seasoned bug bounty hunters discussing all kinds of subjects. The podcast is about how to pronounce CSRF, how @stokfredrik overcame his depression, his research on race condition vulnerabilities and much more.
It is perfect for when you feel like listening to something relaxing that is still informative and bug bounty related.
2. Writeup of the week
Abusing HTTP hop-by-hop request headers
This is some cool research on hop-by-hop headers. These are headers meant to be consumed by the proxy that receives them, not forwarded to the origin server. The Connection header names which request headers are hop-by-hop, and a proxy that follows the spec strips every header listed there before forwarding.
@nj_dav discovered that a client can list arbitrary header names in Connection and have the proxy strip them, effectively removing other request headers on the way to the backend. This can have unexpected results like authentication bypass, cache poisoning DoS, etc.
The premise is simple to understand, but it would be interesting to practice this attack and take the research further by testing it against common WAFs and proxy chains.
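To make the mechanism concrete, here is an added example (my own code, not from the writeup or any real proxy): a toy two-hop chain in Python. The first hop records the client address in X-Forwarded-For and is modelled as passing the client's Connection header through unchanged (whether a real first hop does so is exactly what you would test). The second hop is a spec-following proxy that strips every header named in Connection, beside a hardened variant that only honours the standard hop-by-hop set. The request and addresses are constructed for the demo.

```python
"""Hop-by-hop header stripping, naive versus hardened. Added example, not
code from the original writeup. Per RFC 7230 section 6.1 a proxy removes
any header field listed in the Connection header before forwarding."""
from typing import Callable, Dict, Set

# Headers that are hop-by-hop by definition (RFC 7230 / RFC 2616 13.5.1).
STANDARD_HOP_BY_HOP: Set[str] = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Lower-cased tokens listed in the Connection header (empty set if absent)."""
    value = next((v for k, v in headers.items() if k.lower() == "connection"), "")
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def edge_hop(headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """First hop (think load balancer / CDN): records the real client address.
    Assumption for this demo: it forwards the client's Connection header as-is."""
    out = dict(headers)
    out["X-Forwarded-For"] = client_ip
    return out


def forward_naive(headers: Dict[str, str]) -> Dict[str, str]:
    """Second hop, literal reading of the spec: strip the standard hop-by-hop
    headers plus anything the client named in Connection. This is the
    behaviour the writeup abuses."""
    drop = STANDARD_HOP_BY_HOP | connection_tokens(headers)
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def forward_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Second hop, one illustrative mitigation (my choice, not the writeup's):
    only the standard hop-by-hop set is ever stripped; extra Connection
    tokens are ignored instead of being turned into deletions."""
    return {k: v for k, v in headers.items() if k.lower() not in STANDARD_HOP_BY_HOP}


def run_chain(client_headers: Dict[str, str], client_ip: str,
              second_hop: Callable[[Dict[str, str]], Dict[str, str]]) -> Dict[str, str]:
    """What the backend application finally sees."""
    return second_hop(edge_hop(client_headers, client_ip))


# Constructed attacker request: "close" is a normal token, "X-Forwarded-For"
# is a header name the attacker wants the next hop to delete.
ATTACK_REQUEST: Dict[str, str] = {
    "Host": "app.example",
    "Connection": "close, X-Forwarded-For",
    "Cookie": "session=abc",
}
CLIENT_IP = "203.0.113.5"  # constructed (documentation range)


def demo():
    """Returns (headers seen behind the naive hop, headers seen behind the hardened hop)."""
    naive = run_chain(ATTACK_REQUEST, CLIENT_IP, forward_naive)
    hardened = run_chain(ATTACK_REQUEST, CLIENT_IP, forward_hardened)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive backend sees:   ", naive)      # X-Forwarded-For is gone
    print("hardened backend sees:", hardened)   # X-Forwarded-For survives
```

Behind the naive hop the backend never sees X-Forwarded-For, so any IP-based allow-listing or logging that relies on it is working from nothing; behind the hardened hop the address added by the first hop survives. Swap X-Forwarded-For for whatever header your target's stack trusts from an upstream component and you have the test case for a real engagement.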
3. Tips of the week
What do you do when doing blackbox web testing that may be obvious to you but not so obvious to other people?
This is an excellent question asked by @nnwakelam. Doing “not so obvious” tests is the best way to differentiate yourself and avoid duplicates.
The thread includes some very interesting responses, for instance: “Continuously scanning for surface will net you more $$$ in the long run. Looking at an asset once defeats the purpose of a BB, it might as well be a penetration test at that point”.
It’s good to know all these strategies and to test them, especially if you are stuck in the dup zone.
4. Video of the week
Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com W/ @Securinti
@securinti is best known for his crazy logic bugs. Since he is killing it at live hacking events and mostly shares unique, creative bugs, it is interesting to get to know his mindset and approach. A recommended watch!
5. Conferences of the week
– Global AppSec Amsterdam 2019
– SAINTCON 2019
– Security@ 2019
Wow, there are too many interesting talks to list and comment on here.
Let’s just say that Global AppSec and SAINTCON both offer a lot of talks on a large variety of topics and many of them are really captivating.
Security@ has two panels I find interesting for bug bounty hunters: one with bug bounty millionaires @nnwakelam, @thedawgyg and @santi_lopezz99, and another on hacking the talent gap with @d0nut and @yaworsk.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- BugReplay: Browser extension to record bugs with network traffic and JS console (commercial tool)
- XORpass: Encoder to bypass WAF filters using XOR operations
- Femida: Burp extension for automated blind-xss testing (both passive & active)
- UhOh365: A script that checks whether an email address is valid in Office 365 (user/email enumeration). It performs no login attempts, is unthrottled and is useful on social engineering assessments to find which addresses exist and which don’t. See the Reddit discussion on the weakness exploited by this tool
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2019 to 11/01/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.