Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 17 to 24 of January.
Our favorite 5 hacking items
1. Conference of the week
Frans Rosén Keynote at BSides Ahmedabad
This is a talk I’ve been impatiently waiting for since it was announced. @fransrosen shares his methodology for breaking Web apps/APIs by using fuzzing and information disclosure.
He uses an imaginary app to show practical examples of building custom API wordlists, finding hidden endpoints, etc. An absolute must watch if you’ve ever come accross tips on Web app fuzzing and did not know how to apply them in practice.
2. Writeup of the week
A Less Known Attack Vector, Second Order IDOR Attacks
This writeup shows two instances where an app seemed safe but was actually vulnerable to IDOR.
In one case, trying to access another account’s info returned an error but the information was displayed in a different location.
The second example seems weird. It involves many steps, so I am not going to try to sum it up in a sentence. But it is definitely something I will start testing for.
3. Video of the week
@Jhaddix Talks About Defcon, Burp Suite, Hacking, Bug Bounties and How He Does Recon!
This is a cool interview with @Jhaddix. Watch if you want to know how he increased his bug bounty payouts and how he deals with companies that silently fix bugs as soon as they detect that he found them. He transformed an N/A report into a 15K bounty using reporting wizardry😱
4. Tools of the week
– Recon-pipeline & How to Build an Automated Recon Pipeline with Python and Luigi – Part VI (Wrapping Up)
The recon pipeline is an awesome example of recon automation using Python. The tutorials are fantastic for anyone who want not only a recon tool, but mostly how to build your own.
5. Resources of the week
– Bug Bounty Checklist for Web App
– Rewrote my recon bot to output to markdown and upload to a git server
These are cool examples of leveraging markdown to save recon results in a Git repository and to create a testing checklist (in any Markdown note-taking app like Joplin).
It seems so obvious now but when I started using Markdown, I did not think that it could help with these two situations.
In both cases, markdown allows you to take notes that are easy to backup and are displayed in a human-friendly format.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- ccrawlen: Python script that uses the CommonCrawl dataset API (petabytes of data!) to extrat subdomains and crawl the data to get interesting endpoints and js files
- Top-Port-Slicer: Python script to give you subsets of the nmap “top-ports”. For example, I want the 10th to 100th most common TCP ports. Spits out a comma separated list you can copy into -p arg for nmap or masscan
- Playwright: Node library to automate Chromium, Firefox and WebKit browsers
- Rusty Hogs: A suite of secret scanners built in Rust for performance. Based on TruffleHog (https://github.com/dxa4481/truffleHog) which is written in Python
- Scanner/Poc for CVE-2020-0609 & CVE-2020-0610 (BlueGate): by @MalwareTechBlog & by @ollypwn
- Naabu: A fast port scanner written in go with focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
- Peirates: Kubernetes Penetration Testing tool
- S3 Bucket Scraper: A tool for scraping S3 buckets on AWS
- Blinder: A python library to automate time-based blind SQL injection
- Pullit: Find leaked credentials on Github
- ApplicationInspector: A source code analyzer by Microsoft for almost any modern language
- Satellite & Introduction: A Payload and Proxy Service for Red Team Operations
- SharpCookieMonster & Introduction: C# tool that dumps cookies from Chrome for all sites, even those with httpOnly/secure/session flags
- Pcapinator: A tool for processing a lot of pcaps using tshark
- TAS: Framework for easily manipulating the tty and creating fake binaries. Useful as a post-exploitation technique to perform privilege escalation and information gathering
- Grouper2: Find vulnerabilities in AD Group Policy
- Red_Team: Some scripts useful for red team activities
- Zipper: A CobaltStrike file and folder compression utility
Misc. pentest & bug bounty resources
Articles & Papers
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/17/2020 to 01/24/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.