Bug Bytes #15 – New Content Discovery Wordlist, IDOR on Shopify & #askstok Bug Bounty live stream by @stokfredrik

By Intigriti

April 23, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 05 to 12 of April.

Our favorite 5 hacking items

1. Resource of the week

Content_discovery_nullenc0de.txt

This is a new content discovery wordlist by @nullenc0de, to use for file & directory bruteforce with tools like dirsearch, dirb, etc.
It’s based on @JHaddix’s content_discovery_all.txt dictionary but has 300k more directories/files.
As a comparison, here is the exact number of entries in these two and in dirsearch's default dictionary:
# wc -l content_discovery_all.txt
373535 content_discovery_all.txt
# wc -l /root/tools/dirsearch/db/dicc.txt
6087 /root/tools/dirsearch/db/dicc.txt
# wc -l content_discovery_nullenc0de.txt
623103 content_discovery_nullenc0de.txt

2. Writeup of the week

IDOR on Shopify

This writeup is a gem for so many reasons! I highly recommend reading it and paying attention to all the details:

  • How @_ayoubfathi_ used automation to get notifications of new API endpoints (and not only new subdomains!)

  • How he created scripts on the fly during bug hunting to solve specific issues (like building a list of valid Shopify stores)

  • How he leveraged a passive DNS database to get a bigger list of Shopify stores

  • How he kept trying new approaches over weeks and solving one issue after the other until he confirmed the bug

  • How he adapted a BASH script to bypass rate-limiting (WAF) even if it meant that the script would take days to run

  • The mistake he made that rendered this awesome finding not eligible for a bounty

3. Non-technical item of the week

Want to learn a new skill? Take some short breaks

Taking breaks from the computer is something at which I’m so bad! I get kind of obsessive when working on anything security related.
But this study really motivates me to start taking more breaks. Researchers found that taking a short rest helps our brains retain more information learned a few seconds earlier.
So instead of thinking that rest is a waste of time, it’s better to think that it plays a critical role in learning. More rest = More productivity.

4. Video of the week

I accidentally started a live stream and it turned into #askstok

I love this live stream by @stokfredrik! Being relatively new to bug bounty and already getting good results (at least financially), he has a unique perspective. I think that’s why newcomers can easily relate to his advice/experience.
So if you’re learning bug hunting, and want to get practical advice in an entertaining format (he started live-streaming by accident!), this is the right video to watch. He answers questions like: Can you live out of bug bounty? Do you need to know programming? Is 2019 too late to start bug hunting?…
Let’s hope he makes other Q&As. I love peeking at what other hunters are doing and the live interaction is a great opportunity to get instant feedback/answers.

5. Slides of the week

H

Last Tuesday, I was thinking about critical server-side issues and decided to switch my focus to SSRF for the next weeks. The day after that, @Alyssa_Herrera_ tweeted about this presentation!
It’s a great introduction to this vulnerability class, including both theory and an example of SSRF found on a DoD site.
Just make sure to check out the comments below each slide (they won’t appear if you download the file as PDF).

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Brute53: A tool to bruteforce nameservers when working with subdomain delegations to AWS

  • PyWhatCMS: Unofficial WhatCMS API package

  • Web-cve-tests & Introduction: A simple framework for sending test payloads for known web CVEs

  • w12scan: An asset discovery engine for cybersecurity. Seems interesting but it’s in Chinese :/

  • SharpGPO-RemoteAccessPolicies: A C# tool for enumerating remote access policies through group policy. Useful for targeted lateral movement

  • Vampire: Vampire is an aggressor script which adds a “Mark Owned” right click option to beacons. For better Cobalt Strike organization during pentests/red teams

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non-technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.

Curated by Pentester Land & Sponsored by Intigriti

Subscribe to the newsletter here!
