Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 31 January to 7 February.
Our favorite 5 hacking items
1. Tools of the week
– Quiver & Introduction
The first tool tries to solve an inconvenience all bug hunters and pentesters face: having to use so many different tools, remember their command line options, juggle between terminals and note-taking apps, copy-paste commands…
Quiver allows you to run recon scripts or single commands organized into categories with auto-completion, and to access markdown notes from the terminal. This last feature is really interesting. It makes it possible to manage a markdown knowledge base that can be accessed from both GUI (with an app like Joplin) and CLI.
The second tool is handy for Android application tests. It helps download APKs directly from the Google Play Store using the command line. Practical if you want to automate APK downloads.
2. Video of the week
@Th3G3nt3lman Shares His Recon Methodology and How He Consistently Collects $15,000 Bounties! & Summary notes
This is a must watch if you want to up your recon game. @Th3G3nt3lman shares so many good gems, especially on how he differentiates himself, and finds assets/bugs that everyone has missed.
He has a full-time job and hunts for only 4 to 5 hours a week. Using strategies like quick/smart asset enumeration (e.g. building custom short wordlists) helps him make the most of his time. This clearly shows that time is no excuse!
3. Tutorial of the week
Expanding the Attack Surface: React Native Android Applications
Assetnote’s specialty is reconnaissance. So it is worth listening when they’re talking about expanding attack surface.
4. Conference of the week
Meetups at Checkmarx: API Security Concerns (Part II)
This is an excellent talk about API security testing. @InonShkedy covers multiple vulnerability types including mass assignment, CSRF (and how to combine the two), BOLA (Broken Object Level Authorization), two complex account takeovers he found, etc.
The company he works for, @traceableai, also shared 31 tips on API security & pentesting
These are both awesome resources for anyone who wants to dive into API security.
5. Tip of the week
When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the Host header completely. This has worked to bypass several SSRF fixes in the past.
Cool SSRF technique shared by @thedawgyg. An HTTP/0.9 request is nothing but the request line (GET /path) with no version token and no headers at all, so there is simply no Host header to send, whereas HTTP/1.1 requires one. Servers that still accept HTTP/0.9 will happily process such a request, so any SSRF fix that validates the Host header, or otherwise assumes it is present, can be bypassed. Note that most HTTP client libraries cannot emit HTTP/0.9, so you will have to send the raw bytes yourself over a socket.
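As an added illustration (this is example code written for this issue, not code from @thedawgyg or the original tweet), the script below builds the raw bytes of an HTTP/1.1 request and of an HTTP/0.9 request for the same path, then runs both through a constructed, hypothetical SSRF "fix" that only inspects the Host header, next to a hardened version that rejects anything that is not HTTP/1.1 with an allow-listed Host. The allow-list, the filter functions and the send_raw helper are all assumptions made for the demo.

```python
"""
Added example: HTTP/0.9 requests carry no headers, so an SSRF filter that
validates the Host header has nothing to validate. Everything here is
constructed for the demo; the filters are hypothetical, not real project code.
"""
import socket
from typing import Dict, Tuple

# Constructed allow-list for the hypothetical filter (assumption).
ALLOWED_HOSTS = {"api.example.internal"}


def build_http11_request(path: str, host: str) -> bytes:
    # HTTP/1.1 requires a Host header (RFC 7230, section 5.4).
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def build_http09_request(path: str) -> bytes:
    # HTTP/0.9 is a bare request line: no version token, no headers, no body.
    return f"GET {path}\r\n".encode()


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into (version, headers).

    A request line with only two tokens ("GET /path") is HTTP/0.9 and, by
    definition, has no headers, so the returned dict is empty.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return version, headers


def weak_ssrf_filter(raw: bytes) -> bool:
    """Hypothetical fix: reject requests whose Host header is not allow-listed.

    It only ever looks at the Host header, so a request that has no Host
    header at all (HTTP/0.9) is waved through. Returns True when allowed.
    """
    _, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return True  # nothing to check, so "allowed": this is the bug
    return host.split(":")[0] in ALLOWED_HOSTS


def hardened_ssrf_filter(raw: bytes) -> bool:
    """Require HTTP/1.1 and an allow-listed Host header; reject everything else.

    HTTP/0.9 and HTTP/1.0 requests (which may legally omit Host) are refused
    outright instead of being treated as having nothing to check.
    """
    version, headers = parse_request(raw)
    if version != "HTTP/1.1":
        return False
    host = headers.get("host")
    return host is not None and host.split(":")[0] in ALLOWED_HOSTS


def send_raw(host: str, port: int, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send raw request bytes over TCP and return whatever comes back.

    Needed because common HTTP client libraries cannot emit HTTP/0.9. An
    HTTP/0.9 response has no status line or headers, only the body. Not
    called in the offline demo below.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed target: a cloud metadata path behind the hypothetical filter.
    v11 = build_http11_request("/latest/meta-data/", "169.254.169.254")
    v09 = build_http09_request("/latest/meta-data/")
    print("HTTP/1.1 with bad Host, weak filter allows:", weak_ssrf_filter(v11))
    print("HTTP/0.9 without Host,  weak filter allows:", weak_ssrf_filter(v09))
    print("HTTP/0.9 without Host,  hardened filter allows:", hardened_ssrf_filter(v09))
```

The real lesson is that a Host-header check is the wrong layer for an SSRF fix in the first place: the application should validate the destination it actually connects to (the resolved IP address, after redirects), not a header the attacker controls or can omit.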
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access (Facebook, $12,500)
- Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE (HackerEarth)
- Exploiting Insecure Firebase Database! & Insecure-Firebase-Exploit script
- An Unexpected Bounty — Email Bounce Issues
- Site wide CSRF on a popular program
- H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products (Shopify, $15,000)
- Gitlab (CodeQL) writeups: Netty HTTP Response Splitting ($1,500), CSRF in Spring apps ($1,800), LDAP injection in Java ($3,000), Use of insecure protocol in Java (Maven) ($2,300)
- Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP (Shopify, $2,000)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- SEcraper: Search engine scraper tool in Bash. Uses Ask, Bing & Yahoo search engines
- Wildcheck: A Go script for detecting wildcard domains based on Amass’s wildcards detector
- Gwdomains: Subdomain wildcard filtering tool
- Dufflebag: Search exposed EBS volumes for secrets
- Codeza: Python script that scans URLs listed in a file and returns Content-Length, Status-Code, Title, Forms & those potentially vulnerable to DOM XSS
- Codict & Introduction: A framework to learn and assess source code
- FockCache: Minimalized Test Cache Poisoning
- Injectus: CRLF and open redirect fuzzer
- Berserko: Burp Suite extension to perform Kerberos authentication
- PrivescCheck: Privilege Escalation Enumeration Script for Windows
- OverwriteStrings & Introduction: Overwrite Strings in an executable to avoid detection
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/31/2020 to 02/07/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.