Bug Bytes #99 – Bypassing bots and WAFs, JQ in Burp & Smarter JSON fuzzing and subdomain takeovers

By Anna Hammond

December 2, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 22 to 29 of November.

Intigriti News

SEO ransomware, Vulnerability lifecycle & Stress blamed for email data breaches

Our favorite 5 hacking items

1. Conference of the week

Modern WAF Bypass Scripting Techniques for Autonomous Attacks

This is a talk for developers, but hackers looking to bypass bot detection (for brute force, Web scraping, etc.) will probably also find it insightful. @J0hnnyXm4s goes over several techniques WAFs use to detect bots and how easily they can be bypassed.

2. Writeups of the week

Don’t Fear The Bark, Ts_rewrite To Dodge The Mark
CRLF injection & SSRF in git:// protocol lead to arbitrary code execution (GitLab)

The first writeup is about some obscure PostgreSQL features that helped bypass a WAF (probably BIGIP F5) and fully exploit a SQL injection. It could be of great help if you’re facing similar technologies.

The second writeup is a clever CRLF injection and SSRF in GitLab. They allow for abusing a Redis server and getting RCE.

3. Videos of the week

Finding DOMXSS with DevTools | Untrusted Types Chrome Extension
Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters

Remember @filedescriptor’s Untrusted Types, the Chrome extension for logging DOM sinks? He just released a short demonstration to show how he uses it to detect DOM XSS.

The second video is gold if you’re interested in subdomain takeovers. It is a type of vulnerability that is getting more and more difficult to find in bug bounties because of the competition and automation some use. So, @codingo_’s tricks are eye-opening.

4. Tools of the week

jdam
Burp JQ
Burp to Slack

These are three very practical tools for Web application security testing.

Jdam is a Go tool for JSON fuzzing. Unlike most existing fuzzing tools, it keeps the JSON valid when it replaces values with fuzzing payloads.
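The structure-preserving idea is simple to show in code. The following is an added Python sketch, not jdam's own implementation: it enumerates every scalar leaf of a document, swaps one leaf at a time for a legal JSON value (the payload list, the path notation and the helper names are this example's own assumptions), and checks that each generated case still parses. Keys containing "/" or "~" would need RFC 6901 escaping, which is deliberately left out here.

```python
import copy
import json
from typing import Any, Iterator, List, Tuple

# Constructed fuzz values (assumption, not jdam's list). Each is itself a legal
# JSON value, so dropping it into a leaf slot keeps the document parseable; the
# aim is to probe how the receiving side handles type changes, empty or huge
# values and nulls, not to break the JSON syntax itself.
DEFAULT_PAYLOADS: List[Any] = [
    "",           # empty string
    "A" * 4096,   # oversized string
    -1,           # negative where a positive number may be assumed
    2 ** 63,      # integer beyond the int64 range
    None,         # JSON null in a slot that may be expected to be non-null
    [],           # type confusion: array where a scalar was expected
    {},           # type confusion: object where a scalar was expected
]


def leaf_paths(node: Any, prefix: str = "") -> Iterator[str]:
    """Yield a JSON-pointer style path for every scalar leaf in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_paths(value, f"{prefix}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaf_paths(value, f"{prefix}/{index}")
    else:
        yield prefix or "/"


def set_at_path(doc: Any, path: str, value: Any) -> Any:
    """Return a deep copy of doc with the leaf at `path` replaced by `value`.

    The original document is never modified, so one captured request can seed
    any number of independent test cases.
    """
    if path == "/":
        return value
    mutated = copy.deepcopy(doc)
    parts = path.lstrip("/").split("/")
    cursor = mutated
    for part in parts[:-1]:
        cursor = cursor[int(part)] if isinstance(cursor, list) else cursor[part]
    last = parts[-1]
    if isinstance(cursor, list):
        cursor[int(last)] = value
    else:
        cursor[last] = value
    return mutated


def fuzz_cases(doc: Any, payloads: List[Any] = DEFAULT_PAYLOADS) -> List[Tuple[str, Any, str]]:
    """Build one test case per (leaf, payload) pair: (path, payload, serialized body)."""
    cases: List[Tuple[str, Any, str]] = []
    for path in leaf_paths(doc):
        for payload in payloads:
            body = json.dumps(set_at_path(doc, path, payload))
            # Every case must still parse; a fuzzer that emits broken JSON only
            # ever exercises the parser, never the validation logic behind it.
            json.loads(body)
            cases.append((path, payload, body))
    return cases


if __name__ == "__main__":
    # Constructed request body standing in for a captured API request.
    sample = {"user": {"name": "alice", "age": 30}, "tags": ["a", "b"], "active": True}
    for path, payload, body in fuzz_cases(sample):
        print(f"{path:12} {type(payload).__name__:5} {body[:70]}")
```

Each generated body can be sent to the endpoint under test and its response compared against the baseline; because only one leaf changes per case, a crash or error maps directly back to the field that triggered it.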

Burp JQ is a Burp extension that adds a “JQ” tab to the HTTP message viewer. It allows you to apply jq queries to JSON content directly from Burp.

Burp to Slack is a Burp extension for sending notifications to Slack or a custom server when responses match a pre-defined condition. It is helpful when you want to be immediately notified of a certain condition (e.g. a string found in a response in Intruder/Repeater/Proxy/Scanner) without keeping an eye on Burp.

5. Tutorial of the week

randomua – Inject random user-agent in pentest CLI tools

Randomua is a Ruby tool that generates random User-Agent strings of different types (desktop browser, mobile, email client, cloud platform…). It is not new but can help bypass WAFs. This tutorial shows how to use it in combination with other CLI tools like ffuf, sqlmap, testssl, nikto, etc.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • byp4xx.sh: Simple bash script to bypass “403 Forbidden” messages with well-known methods discussed in #bugbountytips

  • RESTler, REST API Fuzz Testing (RAFT) & Intro: Find security and reliability bugs through automated fuzzing

  • IntRudeX & Intro: Burp extension that provides an interface to generate Intruder payload positions based on results from a regex

  • S3 Objects Check: Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files

  • JARM & Intro: Easily Identify Malicious Servers on the Internet with JARM

  • jarm-go: A Go implementation of JARM

  • stats.rb & Intro: Metasploit plugin that displays stats about the current workspace, such as most popular ports, total hosts/services, etc.

  • ADLab & Intro: Active Directory Lab Setup Tool

  • Cottontail: Capture all RabbitMQ messages being sent through a broker

  • NetworkSniffer: Log iOS network traffic without a proxy

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/22/2020 to 11/29/2020.
