Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 10 to 17 of January.
Our favorite 5 hacking items
1. Webinar of the week
SEC642: Killing snakes for fun, Flask SSTIs and RCEs in Python (Free registration required)
This is an excellent course on SSTIs with a focus on Python frameworks.
I love that it does not only explain how SSTIs work and how to escalate them to RCE, but it also mentions a lot of background information to understand the big picture: Why Python frameworks were created, how they work, the history of Python and Flask, etc.
2. Writeup of the week
Advisory | Seagate Central Storage Remote Code Execution 0day
This is a nice example of RCE found using security code review with a bottom-up approach. It also shows how to reverse and analyze the firmware of a NAS.
Both RCE and code review can be intimidating. But the way everything is broken in this writeup makes them seem easy to follow even for beginners.
3. Challenge of the week
There is a plethora of XSS challenges but labs for GraphQL bugs, JWT, SSRF, SSTI, lack of rate limiting, etc, are rarer. So, these labs are perfect if you want to play with these vulnerabilities and many others.
The best part is that detailed walkthroughs are provided for each bug.
4. Video of the week
Finding Your First Bug: Finding Bugs Using APIs
As always, a great tutorial video by @InsiderPhD! I think this is the best introduction to APIs I’ve ever seen. It covers everything you need to start exploiting them ASAP: What APIs are, how to find and enumerate them, types of APIs (REST, SOAP, GraphQL), what is JSON, what bugs to look for, how to take notes, etc.
5. Tutorial of the week
Intruder and CSRF-protected form, without macros
Did you know that macros are not the only way to deal with CSRF tokens in Burp?
@Agarri_FR shows in great detail how to use Intruder Pitchfork to mimick manually replacing the CSRF token with the latest value sent by the server, and the advantages over macros.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- xpasn: Expands an autonomous system (AS) number into prefixes or individual host IP addresses
- Velocity: DNS caching library for Python. Helps speed up network connections (applies to everything from sockets to HTTP requests)
- SWFPFinder: SWF Potential Parameters Finder
- GDA-android-reversing-Tool & Wiki: GDA is a new decompiler written entirely in c++, so it does not rely on the Java platform, which is succinct, portable and fast, and supports APK, DEX, ODEX, oat.
Misc. pentest & bug bounty resources
Unusual Patch Tuesday
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/10/2020 to 01/17/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.