Bug Bytes #66 – Abusing Slack’s TURN, Breaking AWS & Azure & @spaceraccoonsec SQLi secrets

bugbytes-66

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 03 to 10 of April.

Intigriti news

We launched another XSS challenge! Check it out and win a Burp Suite Pro license:


Our favorite 5 hacking items

1. Article of the week

Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements

This is an excellent article on detecting SQL injections in a way that triggers less WAFs, and is more efficient than blindly firing random payloads.

The idea is to submit payloads that would have the same value if not properly sanitized (e.g. ?ID=1 and ?ID=2-1). If the output is the same, especially in multiple occurrences on the app, it indicates potential SQL injections. What can be automated is not the final payload, but testing for interesting behavior that calls for more manual tests.

This is not a new technique. @spaceraccoonsec shows examples of tools and research based on the same idea. But maybe this is the new way to test for injections in hardened targets.

2. Writeups of the week

How we abused Slack’s TURN servers to gain access to internal services ($3,500)
Exploiting xdLocalStorage (localStorage and postMessage)

The first writeup is about a bug similar to SSRF but not limited to HTTP-based protocols. Slack’s VoIP uses the TURN protocol (never heard of it before!). It could be abused to relay TCP and UDP traffic to the TURN server itself, and to internal addresses on Slack’s AWS infrastructure.

The tool used as PoC was not shared, but this writeup has the merit of shining a light on an uncommon protocol (at least in bug bounty).

The second writeup is about a known unfixed vulnerability in the xdLocalStorage library. It is a nice read if you want to learn about localStorage, postMessage, how they work and how to abuse them to exploit common vulnerabilities.

3. Challenge of the week

Breaking and Pwning Apps and Servers on AWS and Azure

@appseccouk open sourced their 3-day hands on training on hacking apps and servers on AWS and Azure. It is free, includes lessons for different topics, labs, and detailed documentation. A great opportunity to dive into cloud security!

4. Tutorial of the week

Bypassing Xamarin Certificate Pinning on Android & Xamarin Certificate Pinning Bypass

The author faced a Xamarin Android app that performed certificate pinning in managed .NET code. It was resistant to all certificate pinning bypass techniques he tried. So, he created a basic Xamarin app for testing, and was able to obtain a custom Frida script that bypasses certificate pinning.

If you like a challenge, install the app without reading the tutorial and try to do the same!

5. Conference of the week

VirSecCon2020: Hosted by NahamSec & TheCyberMentor w/ Talks on Bug Bounty, Mobile, Web, Recon &more!

Here is VirSecCon in a nutshell: 2 hackers came up with the idea to raise funds for @LLSusa and make the best of coronavirus lockdown, 11 hackers gave awesome talks on a variety of topics around Web/Mobile/IoT hacking, 1 CTF, and 14 sponsors among which 5 bug bounty platforms.

Like @Th3G3nt3lman says: ‘dropping knowledge with support of all “BB platforms” for a noble cause is just WOW .. no competition shit no marketing only for the community.’

Initiatives like this are why I fell in love with this community!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Nuclei: A fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use
  • Dnsprobe: A tool built on top of retryabledns that allows you to perform multiple dns queries of your choice with a list of user supplied resolvers.
  • Commit Stream: OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API
  • fzf & Introduction & Demo: A command-line fuzzy finder

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Coronavirus

Zoom

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/03/2020 to 04/10/2020.

 

Curated by Pentester Land & Sponsored by Intigriti