Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from November 01 to 08.
- We’ve launched our brand new platform, check it out!
- KULeuven launched 2 new public programs.
Our favorite 5 hacking items
1. Conference of the week
Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks – Alyssa Herrera & Other Hack.lu 2019 talks
The slides for this talk were published months ago, and I was really hoping the talk itself would be made public too. Alyssa is known for focusing on server-side bugs, especially SSRF.
So, this is a must watch for anyone who wants to learn about this bug class. It is also a good example of the kind of thinking and focus you need to find critical bugs and become an expert on a specific topic.
2. Writeup of the week
Bypassing GitHub’s OAuth flow & TL;DR ($25,000)
Who would have thought that playing with HTTP methods could bypass OAuth on GitHub and yield a $25,000 bounty?!
The bug exists because the same controller handles both GET & POST requests, and a HEAD request is something it does not expect.
The controller relies on the HTTP method to decide whether it renders the OAuth authorization page or grants the app access. @not_aardvark sent a HEAD request: Rails routes HEAD to the GET handler, but the controller's check for GET fails for HEAD, so the request fell into the branch meant for the consent form's POST and access was granted without the authorization page ever being shown.
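To make the routing/controller mismatch concrete, here is an added example that is not code from the write-up or from GitHub: a framework-free Ruby model of a Rails-style dispatcher in which a `get` route also matches HEAD, beside a vulnerable controller that treats "not GET" as "consent form submitted" and a hardened one that decides on the exact verb. The `Request` struct, `route`, `issue_code` and both controllers are hypothetical stand-ins; the hardened shape is one reasonable fix, not necessarily GitHub's actual patch.

```ruby
# Added example (not code from the GitHub write-up): a minimal, framework-free
# model of the HEAD-routing mismatch behind the GitHub OAuth bypass.
# Assumptions: Request, route and the two controllers below are hypothetical
# stand-ins for Rails' dispatcher and GitHub's authorize controller.

require "securerandom"

AUTHORIZE_PATH = "/login/oauth/authorize"

# A request as the controller sees it. `http_method` is the verb on the wire.
Request = Struct.new(:http_method, :path, :params) do
  def get?;  http_method == "GET";  end
  def head?; http_method == "HEAD"; end
  def post?; http_method == "POST"; end
end

# Rails behaviour being modelled: a route declared with `get` also matches HEAD,
# so GET, HEAD and POST on the authorize path all reach the same controller.
def route(request)
  return :not_found unless request.path == AUTHORIZE_PATH
  case request.http_method
  when "GET", "HEAD", "POST" then :authorize
  else :not_found
  end
end

# Issue a (fake) authorization code for the given client. In a real server this
# is the step that hands the application access to the user's account.
def issue_code(params)
  { client_id: params[:client_id], code: SecureRandom.hex(8) }
end

# Vulnerable shape: "not GET" is taken to mean "the user submitted the consent
# form". A HEAD request is routed here like a GET, but get? is false, so it
# falls into the grant branch and the consent page is never shown.
def vulnerable_authorize(request)
  if request.get?
    { action: :render_consent_page }
  else
    { action: :grant }.merge(issue_code(request.params))
  end
end

# Hardened shape: decide by the exact verb and refuse everything else.
# HEAD is handled like GET (page rendered, body discarded); only POST grants.
def hardened_authorize(request)
  if request.get? || request.head?
    { action: :render_consent_page }
  elsif request.post?
    { action: :grant }.merge(issue_code(request.params))
  else
    { action: :method_not_allowed }
  end
end

# Dispatch a request through the router, then into the chosen controller.
def handle(request, controller)
  return { action: :not_found } unless route(request) == :authorize
  send(controller, request)
end

if __FILE__ == $PROGRAM_NAME
  head = Request.new("HEAD", AUTHORIZE_PATH, { client_id: "attacker-app" })
  puts "vulnerable: #{handle(head, :vulnerable_authorize)[:action]}"   # grant
  puts "hardened:   #{handle(head, :hardened_authorize)[:action]}"     # render_consent_page
end
```

The general lesson the example carries beyond this one bug: whenever a router can deliver more verbs to a handler than the handler was written for (HEAD via GET routes, OPTIONS, or method-override headers), a state-changing branch must be gated on the verb it expects (`request.post?`), never on the negation of another verb.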
3. Non technical item of the week
Deliberate Practice: What It Is and How to Use It
It is very easy for hackers to get distracted by all the information and topics out there and keep hopping from one subject to another. If you think you have the Shiny Object Syndrome, or if you find yourself spending a lot of time learning and practicing without seeing the results you would expect, then you probably need “deliberate practice”.
This article is a great introduction to this concept, with many resources to go further.
4. Tip of the week
I get asked how I manage a full time job, content, stream, hacking on top of my personal life. I’m going to answer this once and only once: if you have time to waste on YouTube/Reddit you have time to learn how to hack. I go to bed an hour later and wake up an hour earlier by @nahamsec
Every time I hear of some accomplishment by bug hunters like @nahamsec, @stokfredrik, @nnwakelam, etc., I can’t help but wonder how they do it all.
A lot of bug hunters juggle between multiple jobs and/or passions. It is what I do myself, but self-doubt creeps up sometimes: Why does it take me so much time to learn X? It seems easier for Y person… Is it just about the talent/intelligence you’re born with? Is it because they don’t have a family life like you? Or because they don’t need to sleep as much as you do?
@nahamsec shares his unambiguous take on the matter: go to bed an hour later and wake up an hour earlier. Make the time and stop with the excuses!
5. Resource of the week
This is not a new site, but I’ve just discovered it while looking for good OSINT resources. And it is amazing whether you do OSINT, or reconnaissance for pentest/bug bounty.
It has a lot of categories: Email, Domain, IP, Username, Person, Phone Number, File… For each one, you can find a lot of tools at the same place and search them all at once.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Jandroid & Introduction: A tool for template matching against apps. Current use case is to identify potential logic bug exploit chains on Android
- LiveTargetsFinder: Generates lists of live hosts and URLs for targeting, automating the usage of MassDNS, Masscan and nmap to filter out unreachable hosts and gather service information
- Github-endpoints.py: Search endpoints on GitHub for a given (sub)domain
- Getallurls: Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl
- BlackWidow: A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website (by the creator of Sn1per)
- Paramuda: A Python tool designed to enumerate hidden parameters on a target URL using a wordlist. It flags a candidate parameter when the injected payload shows up in the response body
- SRLabs Gobuster: File & directory bruteforcer based on Gobuster with enhanced false positive detection
- Frida Android Helper: Several handy commands to facilitate common Android pentesting tasks
- Droidlysis: Property extractor for Android apps. It automatically disassembles apps and looks for various properties within the package or its disassembly
- WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier
- NTLM Challenger: Parse NTLM over HTTP challenge messages
- ꓘamerka GUI & Introduction: Internet of Things/Industrial Control Systems reconnaissance tool
- PostMessage_Fuzz_Tool & PostMessage XSS Fuzz using Chrome App
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/01/2019 to 11/08/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.