Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 27 December to 03 January.
Our favorite 5 hacking items
1. Video of the week
Finding Your First Bug: Goal Setting / Remote Code Execution (RCE)
This title is deliberately misleading. The video is not really about finding RCEs, but about how to use goal setting and motivation to learn and eventually get your first RCE.
This comes at a perfect time when many hackers (especially bug hunters) are sharing their goals for the new year.
But there is a huge difference between a goal expressed as a wish, and measurable, realistic goals accompanied by an actionable plan.
So, this is an absolute must-watch if you want to learn about goal setting (using the S.M.A.R.T. method) applied to bug bounty, how to create an action plan (using the GROW method), the non-technical skills you need to develop as a hacker, and much more.
If I could like this a hundred times, I would! Thanks @InsiderPhD ♡
2. Writeup of the week
Account takeover via HTTP Request Smuggling
This is an excellent walkthrough of an HTTP Request Smuggling attack. It goes beyond detection and shows how to confirm and exploit the vulnerability for account takeover.
This is interesting because simple detection with Burp’s Request Smuggler plugin is not enough, as it is prone to false positives.
3. Tools of the week
– Hakrawler & Introduction
These are two nice additions to a Web app tester’s arsenal.
Hakrawler is described as a simple, fast web crawler designed for easy, quick discovery of endpoints and assets. It is similar to Photon but written in Go and made for crawling large lists of domains. It also has an option to export the results for chaining with other tools like Sqlmap.
4. Resource of the week
Lesser-known Tools for Android Application PenTesting
Amazing article by @CaptMeelo for anyone interested in testing the security of Android apps.
It’s about some tools he finds helpful for assessments. They are useful for:
- Bypassing protections against screenshots
- Bypassing root detection
- Using ADB over Wifi
- A better method for retrieving logs (simplified and colorful output)
- Removing the terminal size limitation when using ADB shell
The first link is a cool tutorial by @spaceraccoonsec on finding credentials and secrets in iOS apps. Methods explained include both static and dynamic analysis.
These are the basics that can help snag easy bounties or help with traditional penetration testing. Very helpful indeed!
The second tutorial by @n00py1 goes through a situation where using Burp Macros was necessary. The login functionality he was testing used a CSRF token. So, it was not possible to test it with Intruder without setting up a macro and creating a session handling rule. The article shows exactly how to do that.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Parsuite & Introduction: Simple parser framework
- Random_user-agent.py: Script to make every request through Burp have a random User-Agent. Combined with the Python Scripter Burp Extension & proxycannon-ng, your traffic will be tougher to fingerprint
- Turbolist3r: A fork of the sublist3r subdomain discovery tool. In addition to the original OSINT capabilities of sublist3r, turbolist3r automates some analysis of the results, with a focus on subdomain takeover.
- Dirlstr: Finds Directory Listings or open S3 buckets from a list of URLs
- Kostebek: A reconnaissance tool which uses firms’ trademark information to discover their domains
- IotShark: Monitoring and Analyzing IoT Traffic
- PENIOT: Penetration Testing Tool for IoT
- PHP Version Audit: Audit your PHP version for known CVEs and patches
- HiddenEye: Modern Phishing Tool With Advanced Functionality And Multiple Tunnelling Services
- TrelloC2: Simple C2 over the Trello API
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/27/2019 to 01/03/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.