Bug Bounty & Agile Pentesting Platform

Bug Bytes #104 – Cache poisoning DoS, Burp themes & A couple of Facebook account takeovers

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 27 of December to 03 of January.

Intigriti News

Congratulations to @MattiBijnens for winning four awards in our last Live Hacking Event!
SolarWinds authentication bypass, Corellium win for hackers & 2020 security retrospective

Our favorite 5 hacking items

1. Tools of the week

Burp Customizer
Lilly
ote (One Time Email)
BurpRequestCleaner

Here is a bunch of fantastic new tools you might find very useful!
@CoreyD97’s Burp Customizer is a Burp extension that provides 58 new themes to customize Burp.
Lilly by @Dheerajmadhukar leverages favicon hashes to help find the real IP behind CDNs/WAFs.
@s0md3v’s ote allows you to quickly generate temporary email addresses and get OTPs or confirmation links directly in your terminal.
Finally, BurpRequestCleaner by @StaticFlow is a Burp extension that redacts potentially sensitive information (e.g headers & parameters) using Shannon Entropy analysis. This is useful when you want to take and share screenshots without revealing your passwords or data.

2. Writeups of the week

Cache-Key Normalization – What could go wrong?
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers (Facebook, $30,000)
Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it (Facebook, $10,000)

The first writeup is about a new Denial of Service technique. @iustinBB leveraged Web cache poisoning to force a server to return 404 errors for existing pages, which is basically a DoS. A pretty smart and a very well explained finding!

The second writeup is about an account takeover @samm0uda found on Facebook. He discovered an XSS in an out of scope domain that can be chained with two other bugs to take over Oculus and Facebook accounts.

The last finding is also by @samm0uda. Web applications using the Facebook JavaScript SDK were vulnerable to information leaks and account takeovers because of a bad regex in the SDK’s cross-origination communication checks.

3. Conference of the week

Digital OWASP AppSec Israel 2020

Here’s a nice set of talks on a variety of Web security related topics: practical techniques to find bugs in GraphQL APIs, mutation XSS, Android hacking, CSP, race conditions, Web fuzzing, browser storage, etc.

4. Video of the week

Ziot Talks About Hacking Apple, Collaboration, Recon, and Getting Started in Hacking!

This is a cool interview with Brett Buerhaus (aka ziot aka @bbuerhaus)! @NahamSec and him chat about the usual topics, his background, bug bounty collaboration, recon, mentorship, bug hunting stories, imposter syndrome, etc. If you want to relax while getting inspired to hack, this is the perfect thing to watch.

5. Tutorial of the week

The Burp Extension No One Told You About & Burp-Send-To-Extension

burp-send-to is a Burp extension that allows you to send requests to any command line tool. If this reminds you of something, it might be piper but the two extensions work differently. Piper allows to run CLI tools and view the results inside Burp, while burp-send-to runs tools in a terminal. It saves you the hassle of copy-pasting requests from Burp to the terminal when you want to pass them to tools like sqlmap or ffuf.

Since burp-send-to when unnoticed when released, @fyoorer is sharing how he uses it and why you may want to!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Burp Customizer: Because just a dark theme wasn’t enough!
  • ote (One Time Email): Generate Email, Register for anything, Get the OTP/Link
  • burp-piper-custom-scripts
  • Mapper: A tool to help the distributed scannning of hosts
  • BurpRequestCleaner: Burp extension that redacts potentially sensitive header and parameter values from requests using Shannon Entropy analysis
  • blackrock-go: Golang port of the BlackRock cipher from the Masscan project
  • Clairvoyance: Obtain GraphQL API schema despite disabled introspection!
  • Lilly: Tool to find the real IP behind CDNs/WAFs like cloudflare using passive recon by retrieving the favicon hash. For the me hash value, all the possible IPs, PORTs and SSL/TLS Certs are searched to validate the target in-scope.
  • Javascript security analysis (JSA): A program for javascript analysis
  • Eyeballer Pytorch version: A reimplementation of Bishop Fox’s Eyeballer in PyTorch
  • Tamper DEV / Tamper Chrome: Extension by Google that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).
  • Soxy: Multi-threaded socks proxy checker written in Go!
  • bountyRecon v2: Framework to automate Bug Bounty Reconnaissance
  • OpenCVE: Platform that alerts you about new vulnerabilities related to the CVE list (formerly known as Saucs)
  • ctf-collab: Create a collaborative programming environment inside GitHub Actions – like Google Docs for hacking competitions

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/27/2020 to 01/03/2021.

%d bloggers like this:
-->