Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 29 November to 06 December.
Our favorite 5 hacking items
1. Tutorial of the week
Exploiting XSS with 20 characters limitation
What I love about this tutorial is that it goes further than theory: in practice most short domains are taken or very expensive. Using Unicode, it is possible to redirect to domains like ℡㏛.pw (5 characters) which expands to telsr.pw (8 characters).
Two excellent resources for working with Unicode are also shared.
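As an added illustration of the Unicode trick described above (example code written for this issue, not taken from the tutorial itself): Python's stdlib `unicodedata` applies NFKC compatibility normalization, which is the same kind of mapping browsers perform before resolving a hostname. `℡` (U+2121) expands to `TEL` and `㏛` (U+33DB) expands to `sr`, so the 5-character `℡㏛.pw` becomes the 8-character `telsr.pw`. From the defender's side, the same normalization is a useful check: a redirect or allowlist validator that compares hostnames before normalizing can be fooled by these characters, so it should normalize first and flag hostnames that change under NFKC. The function names here are my own.

```python
import unicodedata


def expand_hostname(host: str) -> str:
    """Return the ASCII-equivalent form a browser would resolve: NFKC-normalized
    and case-folded, e.g. '℡㏛.pw' -> 'telsr.pw'."""
    return unicodedata.normalize("NFKC", host).casefold()


def changes_under_nfkc(host: str) -> bool:
    """True when the hostname contains compatibility characters, i.e. the form the
    user sees differs from the form that is resolved. A redirect/allowlist check
    that compares the raw string is unreliable for such hosts."""
    return unicodedata.normalize("NFKC", host) != host


def check_redirect_target(target_host: str, allowlist: set[str]) -> bool:
    """Defensive validation: normalize before comparing against an allowlist, so
    '℡㏛.pw' is judged as 'telsr.pw' rather than as an unknown 5-char string."""
    return expand_hostname(target_host) in {expand_hostname(h) for h in allowlist}


if __name__ == "__main__":
    # Constructed sample: the short domain from the tutorial and a plain ASCII one.
    for h in ("℡㏛.pw", "example.com"):
        print(f"{h!r} ({len(h)} chars) -> {expand_hostname(h)!r} "
              f"({len(expand_hostname(h))} chars), "
              f"compat chars: {changes_under_nfkc(h)}")
    print(check_redirect_target("℡㏛.pw", {"telsr.pw"}))
```

The same expansion is why a 20-character payload can still carry a usable redirect: the characters are counted before normalization, but the request goes to the normalized name.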
2. Writeup of the week
– Account takeover via leaked session cookie on HackerOne ($20,000)
– HTTP Request Smuggling + IDOR
These writeups are both worth reading for different reasons. The HackerOne account takeover was the most shared/debated this week. @haxta4ok reported a false positive, but the triager’s response included their valid session cookie. $20,000 for human error (and an initial false positive)! HackerOne have added mitigations to prevent this happening again, but it could happen to employees that don’t use HackerOne’s triage or triagers from other companies.
The second writeup shows how you can chain HTTP Request Smuggling with IDOR for increased impact.
3. Resource of the week
One-time Mobile ☎️ Numbers Thread
This is a collection of websites for receiving SMS online for free. I haven’t had the occasion to test them yet, but I’m bookmarking this for future pentest engagements and bug bounty. They will be handy for SMS verification and 2FA.
4. Conference of the week
Wild West Hackin’ fest (WWHF) 2019
This looks like a fun conference to attend. Topics range from Burp Suite collaboration to hacking your career, Google Calendar attack surface, social engineering, building an escape room, Kerberos, etc. There is probably something that would interest you whether you’re into pentest, red team, bug bounty, physical security, social engineering or incident response.
5. Article of the week
Server Side Request Forgery (SSRF) and AWS EC2 instances after Instance Meta Data Service version 2 (IMDSv2)
Following the Capital One breach, AWS EC2 recently introduced new changes to the way metadata information is retrieved. This prevents SSRF exploitation and may leave you wondering whether you should stop looking for SSRF on EC2.
This article is a nice summary of the new changes and what they mean for hackers/bug hunters.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Automatic API Attack Tool & Introduction: Imperva’s customizable API attack tool takes an API specification as input, then generates and runs attacks based on it
- Barq & Introduction: AWS Cloud Post Exploitation framework. Useful for attacking EC2 instances without having the original instance SSH keypairs
- CodeCat: Tool to help with manual analysis during code review
- Issue2report: Generate pentest reports based on GitHub issues
- Crtsh: Go script that shows the result of crt.sh with different optional filters
- Subdomain Extractor: Burp extension for extracting subdomains. Usage: Go to your Site Map -> Select All -> Right click -> Copy sub domains
- Awspx & Introduction: A graph-based tool for visualizing effective access and resource relationships in AWS environments (meaning Bloodhound for AWS)
- Mitaka: A browser extension for OSINT search
- Zap-operator: ZAP plugin that helps to attack your Kubernetes applications in production
- bountyRecon: Just an initiative for automating bug bounty recon
- Bug-bounty-kit: Recon setup + automation
- Blue eye: A python Recon script
- Fetcher.sh: One-liner to quickly check the status code of 1000 URLs or more
- Chepy: A python library with a handy CLI that is aimed to mirror some of the capabilities of CyberChef
- NTLMRecon: A fast NTLM reconnaissance and information gathering tool without external dependencies
- Caligo & Introduction: A simple C2 for managing hostile “dropbox” devices used in physical security assessments
- JA3Transport & Introduction: A Go library for impersonating JA3 signatures
- Lsassy & Introduction (in French): Remotely parse lsass dumps and extract credentials
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2019 to 12/06/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.