Bug Bytes #12 – IDOR on Yahoo by @JohnH4X00R, Abusing CORS & @OWASP’s talk on How to Win Big

By intigriti

April 2, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 to 29 of March.

Our favorite 5 hacking items

1. Tip of the week

Bugbounty scope expanding

This paste presents a set of recon steps to expand your bug bounty scope. All of them are well known and documented in most articles on recon, except one which I haven’t seen anywhere before:
Once you have a first list of subdomains (using scraping or bruteforce), split them up to build a new list of subdomains to test for.
For example, let’s say you first found:



The new subdomains to try are:



It’s a simple idea but might allow you to find new “hidden” subdomains. It is very similar to what Altdns does, but I’m not sure splitting up subdomains like this is included in this tool.

2. Writeup of the week

IDOR on Yahoo ($5,000)

Wow, $5,000 for such a simple bug! But the difficulty was thinking about this test…
@JohnH4X00R saw a GET request to /ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items.
The part in bold was obviously encrypted and he had the feeling that it was his username. So, get this, he replaced it with his unencrypted username (/ws/v3/users/yahoo-username/items) and got a successful response containing his own notes.
Then, he replayed the same request and replaced his plain username with another account’s username, and also got a successful response with the other account’s notes.
This is a classic IDOR, but the genius of this bug was in completely bypassing encryption by replacing the encrypted string with its plain value.

3. Tool of the week

CommandoVM & Introduction

Finally a Windows-based distribution for pentesters! This is the equivalent of Kali Linux for Windows users. It includes many tools (more than 140) for all kinds of tests.
This will be handy if you prefer Windows or if, for some reason, you have to use Windows for a pentest. It happened to me on one or two missions: we had to use a Windows VPN client to remotely access the client’s internal network. And I didn’t have the time to install all tools and prepare a proper Windows attacking environment. This VM would have been really helpful!

4. Slides of the week

How to win big – Several Interesting Examples of Exploiting Financial & Gambling Apps

I would love to see the recording of this OWASP talk! But the slides by themselves are self-explanatory and provide some ideas for testing financial apps and games.
These are examples of how to abuse an app’s logic flow and play with parameters to bypass or manipulate payment, always win against a slot machine, etc.

5. Tutorial of the week

Abusing CORS (Improper Origin Validation)

This is an excellent tutorial if you want to learn about exploiting CORS.
Four pratical examples are given to understand what to do when access is granted to: any domain, the subdomain, the scheme, or when the “null” origin is used.
Also included are: external references, steps for exploiting each scenario, an exploitation payload, and how to set up a MiTM environment to exploit an unvalidated origin scheme.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • HTTP Request Translator: Translate curl commands or HTTP/Json requests to Python Requests code or JSON

  • Find Security Bugs: The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Groovy and Scala projects

  • SSRFTest: Tool by @daeken to greatly simplify exploitation of SSRF bugs, including automatic AWS credential pulling where possible + Some open issues if you want to contribute to this open source project

  • Shodan Monitor: Setup network alerts for specific networks or IPs & get a notification when something new shows up

More tools, if you have time

  • Black Hat Asia 2019 – Arsenal, including:

    • Mallet: A framework for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic

    • Real time scrapper (RTS): A tool developed to scrap all pasties,github,reddit..etc in real time to identify occurrence of search terms configured & send email notifications

    • MQTT-PWN: Framework for IoT pentesting (specifically attacking/exploiting the MQTT protocol

    • Nmp-scan: An extensible, heuristic-based vulnerability scanning tool for installed npm packages (to detect malicious code

  • Shodan client: Node.js/JavaScript Library for accessing the new Shodan API

  • Shodmon: Monitor shodan listed servers based on the filter you provided & get email notifications when something new pops up. Useful if you want to monitor more resources than what Shodan Monitor (mentioned above) allows

  • Instantbox: Get a clean, ready-to-go Linux box in seconds

  • WordPress (<4.9.10, <5.0.4, <5.1.1) CSRF PoCs

  • Gofuzz: Aims to reproduce wfuzz’s functionality and versatility. Based on gobuster

  • Linux Exploit Suggester 2: Next-Generation Linux Kernel Exploit Suggester

  • Dnssecchef: A DNS/DNSSEC interception proxy for penetration testers and security researchers (based on DNSChef

  • Knary: A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support

  • Automated-pentest: Minimal docker container of Parrot OS for running an automated scan & pentest report

  • Get-AdDecodedPassword.psm1: a basic PowerShell script for decoding common passwords stored in Active Directory properties. It’s based on information found on Domain Goodness – How I Learned to LOVE AD Explorer

  • BloodHound-Tools: Miscellaneous tools for BloodHound

Misc. pentest & bug bounty resources






Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/22/2019 to 03/29/2019.

Curated by Pentester Land & Sponsored by Intigriti

You may also like