Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 20 to 27 March.
A new public bug bounty program has been launched for Deriv.com. Check it out here: https://go.intigriti.com/deriv
Our favorite 5 hacking items
1. Article of the week
Solving CAPTCHA using Burp suite proxy and mitmproxy
The first article shows a solution for testing Web apps that have a short session timeout and log you out every time you trigger an exception, and that also require solving a captcha to log in. The captcha makes it complicated to use Burp macros, the traditional way of handling sessions.
@dinosn’s method is to chain Burp with mitmproxy, another proxy that detects logouts and calls a custom script to run tesseract OCR and solve captchas.
2. Tool of the week
Piper & Unix-style approach to web application testing
I haven’t had the time to properly test this tool, but judging from its documentation, it offers very interesting functionality. It is a Burp extension that allows you to easily use external tools that were not designed for Burp. You can pipe requests and/or responses with Linux tools like diff, head, cut, grep…
This can be used to show each response’s hash as a comment, which helps detect different responses that have the same length but a different hash. You can also apply a regex to requests and responses and add a comment if a pattern was detected. Many other use cases are explained in the documentation that I invite you to check out.
3. Conference of the week
2019-12-11-Jan Masarik – Automating bug bounty + Opening ceremony, Slides, Master’s thesis & Bugshop
This is awesome work on bug bounty automation. @s14ve did a Master’s thesis on this topic and presents everything he came up with: Common bugs, existing tools for automation, and his own solution. This is in the form of a conference talk, slides, the thesis report, and the tool’s source code.
I’ve been intrigued by some of the paid/closed source tools he mentions, especially Bounty Machine. So, it is amazing to be able to play with this free, open source, well documented alternative.
4. Tutorial of the week
Frida scripting guide for Java
This is a crash course on Java for the purpose of writing Frida scripts. If you’ve tried using existing scripts and wondered how to modify them for your own needs, this will help you quickly understand the syntax and most of what you need to know.
5. Resources of the week
– Stanford CS 253 Web Security
– Learn X in Y minutes
The first resource is a neat Web security course taught last quarter at Stanford. It is comprehensive and up-to-date. In addition to videos, slides and external links, you’ll also find assignments and an exam!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Profile-picture name parameter with large value lead to DoS for other users and programs on the platform (HackerOne, $2,500)
- User input validation can lead to DOS (Twitter, $560)
- Getting lucky in bug bounty — shamelessly profiting off of other’s work ($3,200)
- I Want that Cookie !!!
- XSS WAF & Character limitation bypass like a boss
- Self XSS to Account Takeover
- Facebook CSRF bug which lead to Instagram Partial account takeover. (Facebook, 12,500)
- Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image)
- Exploiting magic links, critical bugs are one line away (Razer)
- $3,500 Bounty for SSRF (video) (Slack, $3,500)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- s3reverse: Go script that converts a list of S3 bucket addresses into the same format (which serves as input for other tools)
- InQL Scanner: Tool for speeding-up GraphQL security testing, can be used as a stand-alone script, or as a Burp Suite extension
- qsfuzz (Query String Fuzz): Go tool that allows you to build your own rules to fuzz query strings and easily identify vulnerabilities
- Zile: Extract API keys from a file or URL using the magic of Python and regex
- Unicollider: A fun retro lookup tool to generate Unicode collisions based on the “Hacking Github with Unicode’s Dotless i” article
- Webpack Exploder: Client-side Webpack unpacking tool
- FProbe: Take a list of domains/subdomains and probe for working http/https servers
- XXExploiter: Tool to help exploit XXE vulnerabilities
- AdvancedKeyHacks: API Key/Token Exploitation Made easy.
- Subra: A Web-UI for subdomain enumeration (subfinder)
- LeakLooker GUI & Introduction: Discover, browse and monitor database/source code leaks, using Binary Edge
- nullscan & Demo: A modular framework designed to chain and automate security tests
- Fuze: The easiest way to decrypt iOS applications
- CrackerJack: A Web GUI for Hashcat developed in Python that can be used for simple on-demand password cracking
- Envizon: Network visualization & vulnerability management/reporting
- yanp.sh & Introduction: Nessus CSV Parser and Extractor
- SharpML & Introduction: Password Hunting with Machine Learning in Active Directory
- IntelSpy: Perform automated network reconnaissance scans
- C2concealer & Introduction: A C2 Malleable Profile Generator for Cobalt Strike
- Ninja: Open source C2 server created for stealth red team operations
- InstaSave: Python script to download images, videos & profile pictures from Instagram
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/20/2020 to 03/27/2020.