Bug Bytes #57 – Th3G3nt3lman’s Secret Recon Methods, Checkmarx VS API’s & Vulns in React Native Apps

bugbytes-57

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 31 of January to 07 of February.

Our favorite 5 hacking items

1. Tools of the week

Quiver & Introduction
PlaystoreDownloader

The first tool tries to solve the inconvenience all bug hunters and pentesters face: Having to use so many different tools, to remember their command line options, to juggle between terminals and note-taking apps, copy-pasting commands…
Quiver allows you to run recon scripts or single commands organized into categories with auto-completion, and to access markdown notes from the terminal. This last feature is really interesting. It makes it possible to manage a markdown knowledge base that can be accessed from both GUI (with an app like Joplin) and CLI.
The second tool is handy for Android application tests. It helps download APKs directly from the Google Play Store using the command line. Practical if you want to automate APK downloads.

2. Video of the week

@Th3G3nt3lman Shares His Recon Methodology and How He Consistently Collects $15,000 Bounties! & Summary notes

This is a must watch if you want to up your recon game. @Th3G3nt3lman shares so many good gems, especially on how he differentiates himself, and finds assets/bugs that everyone has missed.
He has a full-time job and hunts for only 4/5 hours a week. Using strategies like quick/smart assets enumeration (e.g. building custom short lists) helps him make the most of his time.  This clearly shows that time is no excuse!

3. Tutorial of the week

Expanding the Attack Surface: React Native Android Applications

Assetnote’s specialty is reconnaissance. So it is worth listening when they’re talking about expanding attack surface.
This tutorial shows how to extract JavaScript from React Native Android apps (without decompiling with dex2jar). Then how to analyze it and find juicy information (think endpoints, API keys, Firebase credentials, etc).

4. Conference of the week

Meetups at Checkmarx: API Security Concerns (Part II)

This is an excellent talk about API security testing. @InonShkedy covers multiple vulnerability types including mass assignments, CSRF (and how to combine them), BOLA, 2 complex account takeovers he found, etc.
The company he works for, @traceableai, also shared 31 tips on API security & pentesting.
These are both awesome resources for anyone who wants to dive into API security.

5. Tip of the week

When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the host header completely. This has worked to bypass several SSRF fixes in the past

Cool SSRF technique shared by @thedawgyg. Switching to HTTP/0.9 allows you to remove the Host header (because it is not required in this version as opposed to HTTP/1.1). This can help bypass fixes.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • SEcraper: Search engine scraper tool in Bash. Uses Ask, Bing & Yahoo search engines
  • Wildcheck: A Go script for detecting wildcard domains based on Amass’s wildcards detector
  • Gwdomains: Subdomain wildcard filtering tool
  • Dufflebag: Search exposed EBS volumes for secrets
  • Codeza: Python script that scans URLs listed in a file and returns Content-Length, Status-Code, Title, Forms & those potentially vulnerable to DOM XSS
  • Codict & Introduction: A framework to learn and assess source code
  • Eslinter: A Burp Suite extension that extracts JavaScript and lints them with ESLint
  • FockCache: Minimalized Test Cache Poisoning
  • Injectus: CRLF and open redirect fuzzer
  • Berserko: Burp Suite extension to perform Kerberos authentication
  • PrivescCheck: Privilege Escalation Enumeration Script for Windows
  • OverwriteStrings & Introduction: Overwrite Strings in an executable to avoid detection

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/31/2020 to 02/07/2020.

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti