Bug Bytes #56 – Pwning A Pwned Citrix, Upgrading Your Recon with Discord & Tip of the week by @jobertabma

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 24 to 31 of January.

Our favorite 5 hacking items

1. Tip of the week

Hacker tip: when you’re looking for IDORs in a model that references another model, try storing IDs that don’t exist yet. I’ve seen a number of times now that, because the model can’t be found, the system will save the ID. Because authorization checks often only happen on write, you can come back after the ID was created. Because the model references a model that isn’t yours, you may be able to bypass authorization, often leading to information disclosure.

Awesome IDOR technique by @jobertabma! The idea is to replace an ID with one that does not exist yet (e.g. ID+1). Wait for ID+1 to exist and see if you can access its information.

Now to revisit old programs to test for potentially missed IDORs/info disclosures…
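The pattern behind the tip, as an added example in Python (not code from the newsletter or from @jobertabma): a bookmark that references a document ID is stored with an ownership check only on write, so a reference to a not-yet-existing ID slips through and later resolves to someone else's record; the fixed version rejects unverifiable references on write and re-checks ownership on read. The document/bookmark models, function names and data are hypothetical.

```python
# Added example, not from the newsletter: a toy model of the "reference an ID that
# does not exist yet" IDOR described above, and its fix. All names are hypothetical.

def add_bookmark_vulnerable(docs, bookmarks, user, doc_id):
    # Ownership is checked only when the target exists, so a dangling ID is saved.
    owner = docs.get(doc_id, {}).get("owner")
    if owner is not None and owner != user:
        raise PermissionError("not your document")
    bookmarks.setdefault(user, set()).add(doc_id)

def list_bookmarks_vulnerable(docs, bookmarks, user):
    # The read path trusts the stored reference and never re-checks ownership.
    return [docs[i]["body"] for i in sorted(bookmarks.get(user, ())) if i in docs]

def add_bookmark_fixed(docs, bookmarks, user, doc_id):
    # Refuse any reference that cannot be verified as the caller's right now.
    if docs.get(doc_id, {}).get("owner") != user:
        raise PermissionError("unknown or foreign document")
    bookmarks.setdefault(user, set()).add(doc_id)

def list_bookmarks_fixed(docs, bookmarks, user):
    # Defence in depth: re-check ownership on read too, so a stored reference that
    # later resolves to someone else's record yields nothing.
    return [docs[i]["body"] for i in sorted(bookmarks.get(user, ()))
            if i in docs and docs[i]["owner"] == user]

def scenario(add, list_):
    # Constructed data. Alice's document has ID 1; Mallory bookmarks ID 2 before it
    # exists; Bob's document is then created as ID 2 and Mallory lists her bookmarks.
    docs, bookmarks = {1: {"owner": "alice", "body": "alice's note"}}, {}
    try:
        add(docs, bookmarks, "mallory", 2)
    except PermissionError:
        return "rejected at write"
    docs[2] = {"owner": "bob", "body": "bob's private note"}
    return list_(docs, bookmarks, "mallory")

def demo_vulnerable():
    return scenario(add_bookmark_vulnerable, list_bookmarks_vulnerable)  # leaks Bob's note

def demo_fixed():
    return scenario(add_bookmark_fixed, list_bookmarks_fixed)

def demo_read_check_only():
    # Even if only the read side is fixed, the dangling reference discloses nothing.
    return scenario(add_bookmark_vulnerable, list_bookmarks_fixed)

if __name__ == "__main__":
    print(demo_vulnerable(), demo_fixed(), demo_read_check_only())
```

The same logic applies to any foreign-key-style field an API accepts from the client: validate that the referenced record exists and belongs to the caller at write time, and authorize again when the reference is dereferenced.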

2. Writeup of the week

Pwning A Pwned Citrix

This is an excellent writeup on Shitrix (CVE-2019-19781). It shows how to exploit the vulnerability “manually” when public exploits are not working. In this case, the NOTROBIN malware had infected the target and made changes to prevent other exploitation attempts.

Knowing how to bypass it can be helpful for penetration tests.

3. Podcast of the week

The Bug Bounty Podcast Episode #2 ft. 0xacb

Yay! My favorite bug bounty podcast is back, with @0xacb this time. No spoilers, let’s just say that it is worth listening to if you’re into bug bounty and want to know how to reach “cosmic brain level 10”.

4. Articles of the week

Samesite by Default and What It Means for Bug Bounty Hunters

Bug Business #1: Inside Logic Flaws with EdOverflow

The first article is awesome work but will break a few hearts! It explains the impact of Samesite cookies beyond CSRF. Many other client-side bugs are affected including Clickjacking, XSSI, XSLeaks, Cross-Site WebSocket Hijacking…

The second article is an awesome interview with @EdOverflow. Among other things, he shares insight on finding logic flaws and discovering “goldmines” (untapped areas of research).

5. Tutorial of the week

Upgrading Your Recon with Discord


This is a great tutorial on leveraging Discord WebHooks for automated recon. This feature makes it easy to send notifications to Discord from Bash scripts.

A subdomain monitoring example is also given. It has never been so easy!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Wordlistgen: Quickly generate context-specific wordlists for content discovery from lists of URLs or paths
  • Burp-teams: A Burp extension to enable teams of people to share repeater tabs and data
  • XSS tag_event analyzer: Python script for detecting valid tags/events on XSS exploitation
  • GoLinkFinder: A fast and minimal JS endpoint extractor
  • Dom-red: Python script to check a list of domains against open redirect vulnerability
  • Chain Reactor & Introduction: Open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints
  • StickyReader & Introduction: Powershell script to read Sticky Notes from compromised Windows 10 hosts
  • Socialscan: Check email address and username availability on online platforms with 100% accuracy
  • Prettyloot: Convert the loot directory of ntlmrelayx into an enum4linux like output
  • Red_Team: Some scripts useful for red team activities
  • TikTokOSINT: Python script that dumps public data of any user
  • Content Security Policy Evaluator
  • MoveKit, StayKit & Introduction: Cobalt Strike lateral movement & persistence kits

Misc. pentest & bug bounty resources

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/24/2020 to 01/31/2020.

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti