Bug Bytes #64 – Hacking Captcha’s, Unix-Style Testing & New Public Bounty

bugbytes-64

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 20 to 27 of March.

Intigriti news

new-bounty-deriv

A new public bug bounty program has been launched for Deriv.com. Check it out here: https://go.intigriti.com/deriv

Our favorite 5 hacking items

1. Article of the week

Solving CAPTCHA using Burp suite proxy and mitmproxy

The first article shows a solution for testing Web apps that have a short session timeout and log you out everytime you trigger an exception, and that also require solving a captcha to log in. The captcha makes it complicated to use Burp macros, the traditional way of handling sessions.

@dinosn’s method is to chain Burp with mitmproxy, another proxy that detects logouts and calls a custom script to run tesseract OCR and solve captchas.

2. Tool of the week

Piper & Unix-style approach to web application testing

I haven’t had the time to properly test this tool, but judging from its documentation, it offers very interesting functionality. It is a Burp extension that allows you to easily use external tools that were not designed for Burp. You can pipe requests and/or responses with Linux tools like diff, head, cut, grep…

This can be used to show each response’s hash as a comment, which helps detect different responses that have the same length but a different hash. You can also apply a regex to requests and responses and add a comment if a pattern was detected. Many other uses cases are explained in the documentation that I invite you to check out.

3. Conference of the week

2019-12-11-Jan Masarik – Automating bug bounty + Opening ceremony, Slides, Master’s thesis & Bugshop

This is awesome work on bug bounty automation. @s14ve did a Master’s thesis on this topic and presents everything he came up with: Common bugs, existing tools for automation, and his own solution. This is in the form of a conference talk, slides, the thesis report, and the tool’s source code.

I’ve been intrigued by some of the paid/closed source tools he mentions, especially Bounty Machine. So, it is amazing to be able to play with this this free, open source, well documented alternative.

4. Tutorial of the week

Frida scripting guide for Java

This is a crash course on Java for the purpose of writing Frida scripts. If you’ve tried using existing scripts and wondered how to modify them for you own needs, this will help you quickly understand the syntax and most of what you need to know.

5. Resources of the week

Stanford CS 253 Web Security

Learn X in Y minutes

The fist resource is a neat Web security course taught last quarter at Standford. It is comprehensive and up-to-date. In addition to videos, slides and external links, you’ll also find asssignements and an exam!

The second resource is a cool cheatsheet/memo for most programming languages. It is helpful whether you are working with JavaScript, Bash, Python, Go, Rust or Ruby…

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • s3reverse: Go script that converts a list of S3 buckets addresses into the same format (that serve as input for other tools)
  • InQL Scanner: Tool for speeding-up GraphQL security testing, can be used as a stand-alone script, or as a Burp Suite extension
  • qsfuzz (Query String Fuzz): Go tool that allows you to build your own rules to fuzz query strings and easily identify vulnerabilities
  • Zile: Extract API keys from file or url using by magic of python and regex

More tools, if you have time

  • Unicollider: A fun retro lookup tool to generate Unicode collisions based on the “Hacking Github with Unicode’s Dotless i” article
  • Webpack Exploder: Client-side Webpack unpacking tool
  • FProbe: Take a list of domains/subdomains and probe for working http/https server
  • XXExploiter: Tool to help exploit XXE vulnerabilities
  • AdvancedKeyHacks: API Key/Token Exploitation Made easy.
  • Subra: A Web-UI for subdomain enumeration (subfinder)
  • LeakLooker GUI & Introduction: Discover, browse and monitor database/source code leaks, using Binary Edge
  • nullscan & Demo: A modular framework designed to chain and automate security tests
  • Fuze: The easiest way to decrypt iOS applications
  • CrackerJack: A Web GUI for Hashcat developed in Python that can be used for simple on-demand password cracking
  • Envizon: Network visualization & vulnerability management/reporting
  • yanp.sh & Introduction: Nessus CSV Parser and Extractor
  • SharpML & Introduction: Password Hunting with Machine Learning in Active Directory
  • IntelSpy: Perform automated network reconnaissance scans
  • C2concealer & Introduction: A C2 Malleable Profile Generator for Cobalt Strike
  • Ninja: Open source C2 server created for stealth red team operations
  • InstaSave: Python script to download images, videos & profile pictures from Instagram

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

COVID-19

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/20/2020 to 03/27/2020.

Curated by Pentester Land & Sponsored by Intigriti