Bug Bytes #60 - Bypassing AWS signing, @samwcyo’s secrets and WordPress leaks


Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 21 to 28 February.

Our favorite 5 hacking items

1. Conference of the week

AppSec California 2020

So many good talks and prestigious speakers! Topics range from Web security to Cloud, Kubernetes, Credential stuffing, DevSecOps, Car hacking and more.

I’m starting with JWT Parkour – Louis Nyffenegger and Are You Properly Using JWTs? – Dmitry Sotnikov. What about you?

2. Writeup of the week

Write-up: AWS Document Signing Security Control Bypass ($1,000)

This is a writeup of an interesting bug found by analyzing a file upload feature. The application stored uploaded documents in AWS S3 and relied on AWS request signing to authorize access to those files.

By manipulating a request parameter, @ozgur_bbh was able to bypass the signing mechanism and access all documents in the S3 bucket.
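The writeup itself is not reproduced here, so the details of the bypass are not on this page. As an added illustration (example code written for this newsletter issue, not from @ozgur_bbh's report or from AWS), the snippet below implements SigV4 query-string signing for an S3 GET, the mechanism behind presigned document links, and a verifier that recomputes the signature over the URL as presented. It shows what the control is supposed to guarantee: the signature covers the object key and every query parameter, so a link that is altered after signing no longer verifies. The bucket name, credentials, object keys and date are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed sample values for this example; these are not real AWS credentials.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "example-docs-bucket"
HOST = f"{BUCKET}.s3.amazonaws.com"
ALGO = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(date_stamp: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac(("AWS4" + SECRET_KEY).encode(), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, "s3")
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Parameters sorted by name, each name and value URI-encoded (SigV4 canonical query string)
    enc = lambda s: quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(canonical_uri: str, params: dict, amz_date: str) -> str:
    """Signature over method, path, query string and host header: everything the URL carries."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        _canonical_query(params),
        f"host:{HOST}\n",      # canonical headers, each terminated by a newline
        "host",                # signed headers list
        "UNSIGNED-PAYLOAD",    # presigned S3 URLs do not hash a request body
    ])
    string_to_sign = "\n".join([
        ALGO, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(date_stamp), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(object_key: str, amz_date: str, expires: int = 300) -> str:
    """Return a SigV4 query-string-authenticated GET URL for object_key."""
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + quote(object_key, safe="/-_.~")
    params["X-Amz-Signature"] = _signature(canonical_uri, params, amz_date)
    return f"https://{HOST}{canonical_uri}?{_canonical_query(params)}"


def verify_presigned(url: str) -> bool:
    """Recompute the signature from the URL exactly as presented and compare in constant time.
    Any change to the object key or to a signed query parameter produces a different signature."""
    parsed = urlparse(url)
    params = dict(parse_qsl(parsed.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params.get("X-Amz-Date", "")
    if parsed.netloc != HOST or len(amz_date) != 16:
        return False
    expected = _signature(parsed.path, params, amz_date)
    return hmac.compare_digest(expected.encode(), presented.encode())


def tamper_object_key(url: str, new_key: str) -> str:
    """Constructed test input: keep the original signature but point the path at another object."""
    parsed = urlparse(url)
    return parsed._replace(path="/" + quote(new_key, safe="/-_.~")).geturl()


if __name__ == "__main__":
    url = presign_get("users/42/contract.pdf", "20200228T120000Z")
    print(verify_presigned(url))                                                # True
    print(verify_presigned(tamper_object_key(url, "users/43/contract.pdf")))   # False
```

The defensive takeaway is that a signed URL only protects what the signature actually covers. If an application accepts a document identifier from the client and builds or serves the S3 request without recomputing the signature over that identifier, the signing control is effectively skipped, which is the class of mistake a bypass like the one in this writeup exploits.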

3. Videos of the week

@zlz Talks About How He Got Started, Recon, Hacking @Tesla, and Working With @Theparanoids

How to Use Firefox Containers for Easy IDOR Hunting (With Demo!)

I don’t think I will ever get bored of watching interviews with hackers. This one is with @zlz. It is fascinating to learn about his thought process, his unique recon process, how he approaches full-time bug hunting, how he is able to get a sense of applications that are probably vulnerable based on past experience, etc.

The second video may be the fastest way to learn how to use Firefox Containers. They are very useful for both Web hacking (IDOR and authorization tests) and segregating accounts during normal navigation.

4. Article of the week

Gehaxelt – How WordPress Plugins Leak Sensitive Information Without You Noticing

This is an interesting read for anyone interested in doing research and submitting new modules to Detectify. @gehaxelt explains his process for analyzing the most popular WordPress plugins and finding information leaks.

5. Tutorial of the week

Bypassing OkHttp Certificate Pinning & Reddit discussion

This tutorial might be helpful if you are struggling with certificate pinning bypass. @CaptMeelo shows a nice trick he used when Xposed Modules and Frida were not working.

He looked at the system log while the app was running. Certificate fingerprints appeared in the log. He decompiled the app, identified where the fingerprints were located and added one for his Burp certificate. Recompiling the app and running this patched version allowed him to bypass certificate pinning without having to modify smali code.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Progress: Burp Suite extension to track vulnerability assessment progress
  • 1u.ms: A small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities
  • shuffleDNS: Wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support
  • Jiraffe: One stop place for exploiting Jira instances in your proximity
  • PassiveHunter: Subdomain discovery using the power of ‘The Rapid7 Project Sonar datasets’
  • udp-hunter & Introduction: Network assessment tool for various UDP Services covering both IPv4 and IPv6 protocols
  • Weakpass_generator & Weak in, Weak out: Keeping Password Lists Current: Generates weak passwords to try in brute-force attempts, based on current date with a 90 day window.
  • IIS-Raid & Backdooring IIS Using Native Modules

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/21/2020 to 02/28/2020.


Curated by Pentester Land & Sponsored by Intigriti