Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 3 to April 10.
We launched another XSS challenge! Check it out and win a Burp Suite Pro license:
Our favorite 5 hacking items
1. Article of the week
Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements
This is an excellent article on detecting SQL injections in a way that triggers fewer WAF rules and is more efficient than blindly firing random payloads.
The idea is to submit pairs of payloads that evaluate to the same value once they reach the database if the parameter is not properly sanitized (e.g. ?ID=1 and ?ID=2-1). If the responses are identical, especially consistently across several parameters of the app, that indicates a potential SQL injection. What gets automated is not the final payload but the search for this interesting behavior, which then calls for manual testing.
This is not a new technique: @spaceraccoonsec shows examples of tools and earlier research based on the same idea. But it may well be the way to test for injections in hardened targets.
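As an added illustration of the technique (example code written for this issue, not taken from the article or from the tools it cites), the script below simulates a vulnerable and a parameterised endpoint against an in-memory SQLite table, then runs isomorphic probe triples against each. The third value of each probe is a control that evaluates to a different number, so a parameter the application simply ignores does not produce a false hit. The product table, the `vulnerable_endpoint`/`safe_endpoint` functions and the probe list are all constructed for the demo.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed in-memory backend standing in for the target application (demo data only).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn

def vulnerable_endpoint(conn: sqlite3.Connection, product_id: str) -> str:
    """Hypothetical ?ID= handler that interpolates the parameter into SQL (the flaw)."""
    try:
        rows = conn.execute(
            f"SELECT name FROM products WHERE id = {product_id}").fetchall()
    except sqlite3.Error:
        return "error"          # stands in for an HTTP 500 page
    return "\n".join(r[0] for r in rows) or "not found"

def safe_endpoint(conn: sqlite3.Connection, product_id: str) -> str:
    """Parameterised handler: the whole string is bound as a value, so '2-1' is not 1."""
    rows = conn.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return "\n".join(r[0] for r in rows) or "not found"

# Probe triples: (baseline, isomorph, control). baseline and isomorph are different
# strings that evaluate to the same number inside an SQL expression; control evaluates
# to a different number and guards against a parameter the app never uses.
PROBES: List[Tuple[str, str, str]] = [
    ("1", "2-1", "2-2"),
    ("1", "0+1", "0+2"),
    ("1", "(1)", "(3)"),
    ("1", "1*1", "1*2"),
]

def isomorphic_sqli_check(fetch: Callable[[str], str],
                          min_hits: int = 2) -> Tuple[bool, List[str]]:
    """Return (suspicious, descriptions of matching probes).

    fetch(value) models "request the page with ?ID=value and return the body".
    A probe hits when baseline and isomorph return identical output while the
    control differs: the parameter reached something that evaluates SQL arithmetic.
    Requiring several agreeing probes cuts coincidental matches (caching, defaults).
    """
    hits: List[str] = []
    for base, iso, ctrl in PROBES:
        r_base, r_iso, r_ctrl = fetch(base), fetch(iso), fetch(ctrl)
        if r_base == r_iso and r_base != r_ctrl:
            hits.append(f"{base!r} == {iso!r} != {ctrl!r}")
    return len(hits) >= min_hits, hits

def demo() -> Tuple[bool, bool]:
    """Run the check against both constructed endpoints: (vulnerable flagged, safe flagged)."""
    conn = make_db()
    vuln_flag, _ = isomorphic_sqli_check(lambda v: vulnerable_endpoint(conn, v))
    safe_flag, _ = isomorphic_sqli_check(lambda v: safe_endpoint(conn, v))
    return vuln_flag, safe_flag

if __name__ == "__main__":
    print(demo())   # (True, False)
```

Against a real target, `fetch` would be an HTTP request wrapper that normalises volatile page content (timestamps, CSRF tokens) before comparison; the probes themselves contain no quotes or keywords, which is what keeps them quiet in front of a WAF.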
2. Writeups of the week
How we abused Slack’s TURN servers to gain access to internal services ($3,500)
Exploiting xdLocalStorage (localStorage and postMessage)
The first writeup is about a bug similar to SSRF but not limited to HTTP-based protocols. Slack’s VoIP uses the TURN protocol (never heard of it before!). It could be abused to relay TCP and UDP traffic to the TURN server itself, and to internal addresses on Slack’s AWS infrastructure.
The tool used as PoC was not shared, but this writeup has the merit of shining a light on an uncommon protocol (at least in bug bounty).
The second writeup is about a known unfixed vulnerability in the xdLocalStorage library. It is a nice read if you want to learn about localStorage, postMessage, how they work and how to abuse them to exploit common vulnerabilities.
3. Challenge of the week
Breaking and Pwning Apps and Servers on AWS and Azure
@appseccouk open sourced their 3-day hands-on training on hacking apps and servers on AWS and Azure. It is free and includes lessons on different topics, labs, and detailed documentation. A great opportunity to dive into cloud security!
4. Tutorial of the week
Bypassing Xamarin Certificate Pinning on Android & Xamarin Certificate Pinning Bypass
The author faced a Xamarin Android app that performed certificate pinning in managed .NET code. It was resistant to all the certificate pinning bypass techniques he tried. So he created a basic Xamarin app for testing and was able to write a custom Frida script that bypasses the pinning.
If you like a challenge, install the app without reading the tutorial and try to do the same!
5. Conference of the week
VirSecCon2020: Hosted by NahamSec & TheCyberMentor w/ Talks on Bug Bounty, Mobile, Web, Recon &more!
Here is VirSecCon in a nutshell: 2 hackers came up with the idea to raise funds for @LLSusa and make the best of the coronavirus lockdown, 11 hackers gave awesome talks on a variety of topics around Web/Mobile/IoT hacking, 1 CTF, and 14 sponsors, among which 5 bug bounty platforms.
Like @Th3G3nt3lman says: ‘dropping knowledge with support of all “BB platforms” for a noble cause is just WOW .. no competition shit no marketing only for the community.’
Initiatives like this are why I fell in love with this community!
Other amazing things we stumbled upon this week
- H12004 Virtual Live Hacking Event
- Day 1: Virtual Live Hacking Event Kick-off
- Day 2: Hacker Couch with @STÖK, @Hacker_, @BugBountyHQ, Ramsexy, @LukeTucker
- Day 3: How To Get Started in InfoSec Panel with TheCyberMentor, zseano, STOK, Tomnomnom and jhaddix!
- Day 4: VirSecCon (See Conf of the week⬆️)
- Recon Sunday x Day 5: Top h1-702 Paid Hackers Dawgyg, Mayo, and cdl
- Live Recon x Day 6: HackerOne Community Team
- Day 7: How to Become a HackerOne Millionaire or MVH with @Inhibitor181, @Dawgyg, @0xacb, & @0xteknogeek
- Day 8: Closing Ceremonies
- Finding Your First Bug: Impact and Report Writing
- Let’s Nmap
- Google Dorks and DoD
- Complete tmux Tutorial
- The BEST Resource for your IT Career
- How to transition a suddenly remote company, lead teams, and change mindsets when working from home
- Learn Stuff with Yekki – Episode 2 – Using Responder (and not being a cardshark) & Article
- Penetration Testing Version 1
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Nuclei: A fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use
- Dnsprobe: A tool built on top of retryabledns that allows you to perform multiple DNS queries of your choice with a list of user-supplied resolvers.
- Commit Stream: OSINT tool for finding GitHub repositories by extracting commit logs in real time from the GitHub event API
- fzf & Introduction & Demo: A command-line fuzzy finder
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/03/2020 to 04/10/2020.