By Intigriti
April 23, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 05 to 12 of April.
This is a new content discovery wordlist by @nullenc0de, to use for file & directory bruteforce with tools like dirsearch, dirb, etc.
It’s based on @JHaddix’s content_discovery_all.txt dictionary but has 300k more directories/files.
As a comparison, here is the exact number of entries in these two and in dirsearch's default dictionary:
# wc -l content_discovery_all.txt
373535 content_discovery_all.txt
# wc -l /root/tools/dirsearch/db/dicc.txt
6087 /root/tools/dirsearch/db/dicc.txt
# wc -l content_discovery_nullenc0de.txt
623103 content_discovery_nullenc0de.txt
This writeup is a gem for so many reasons! I highly recommend reading it and paying attention to all the details:
How @_ayoubfathi_ used automation to get notifications of new API endpoints (and not only new subdomains!)
How he created scripts on the fly during bug hunting to solve specific issues (like building a list of valid Shopify stores)
How he leveraged a passive DNS database to get a bigger list of Shopify stores
How he kept trying new approaches over weeks and solving one issue after the other until he confirmed the bug
How he adapted a BASH script to bypass rate-limiting (WAF) even if it meant that the script would take days to run
The mistake he made that rendered this awesome finding not eligible for a bounty
Taking breaks from the computer is something at which I’m so bad! I get kind of obsessive when working on anything security related.
But this study really motivates me to start taking more breaks. Researchers found that taking a short rest helps our brains retain more information learned a few seconds earlier.
So instead of thinking that rest is a waste of time, it’s better to think that it plays a critical role in learning. More rest = More productivity.
I accidentally started a live stream and it turned into #askstok
I love this live stream by @stokfredrik! Being relatively new to bug bounty and already getting good results (at least financially), he has a unique perspective. I think that’s why newcomers can easily relate to his advice/experience.
So if you’re learning bug hunting, and want to get practical advice in an entertaining format (he started live-streaming by accident!), this is the right video to watch. He answers questions like: Can you live out of bug bounty? Do you need to know programming? Is 2019 too late to start bug hunting?…
Let’s hope he makes other Q&As. I love peeking at what other hunters are doing and the live interaction is a great opportunity to get instant feedback/answers.
Last Tuesday, I was thinking about critical server-side issues and decided to switch my focus to SSRF for the next weeks. The day after that, @Alyssa_Herrera_ tweeted about this presentation!
It’s a great introduction to this vulnerability class, including both theory and an example of SSRF found on a DoD site.
Just make sure to check out the comments below each slide (they won’t appear if you download the file as PDF).
I accidentally started a live stream and it turned into #askstok
Zero to Hero Pentesting: Episode 5 – Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Risky Business #537 — Assange arrested, WordPress ecosystem on fire
Smashing Security 124: Poisoned porn ads, the A word, and why why why Wipro?
Sophos podcast Ep. 028 – SPEWS, Android security and scary Facebook messages
Medium to advanced
The “-” impact of Network Level Authentication on failed logon events – 4625
Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion
Beginners corner
Challenge writeups
Pentest writeups
My Personal OSINT Techniques, Part 1 of 2: Key & Layer, Contingency Seeding
Drop-by-Drop: Bleeding through libvips & Automatic detection of image processing memory disclosure added to the upload-scanner Burp extension
How NOT to use the PAM trust – Leveraging Shadow Principals for Cross Forest Attacks
Responsible disclosure writeups
[ Special Case ] HerkoKuDns is Still vulnerable to Subdomain Takeovers ( Live PoC )
【CVE-2019-3799】:Directory Traversal with spring-cloud-config-server
Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer’s Security: 0day in Internet Explorer that allows stealing users’ files
Bug bounty writeups
DOM XSS on Shopify ($5,000)
Domain & Twitter account hijacking on @EdOverflow’s BBP (0.00579259 BTC)
IDOR on private program ($5,000)
Authorization flaw on GitLab ($2,000)
Ticket trick / Authorization flaw on private program ($9,500)
File disclosure on private program: Steps for exploiting Dump.rdb files
See more writeups on The list of bug bounty writeups.
Brute53: A tool to bruteforce nameservers when working with subdomain delegations to AWS
PyWhatCMS: Unofficial WhatCMS API package
Web-cve-tests & Introduction: A simple framework for sending test payloads for known web CVEs
w12scan: An asset discovery engine for cybersecurity. Seems interesting but it’s in Chinese :/
SharpGPO-RemoteAccessPolicies: A C# tool for enumerating remote access policies through group policy. Useful for targeted lateral movement
Vampire: Vampire is an aggressor script which adds a “Mark Owned” right click option to beacons. For better Cobalt Strike organization during pentests/red teams
Pwny Racing: Live streamed pwnable challenge competitions
Content_discovery_nullenc0de.txt: 300k more dirs/files added to @Jhaddix’s content_discovery_all.txt
APIsecurity.io Issue 27: MyCar vulnerability, serverless, IoT API security
Unmasked: What 10 million passwords reveal about the people who choose them
Cybersecurity: “Information Security has always had a tie to protecting data as a core part of its identity. CyberSecurity, on the other hand, includes more connotations around protecting anything and everything we depend on—including things like critical infrastructure.”
Serious Security: Ransomware you’ll never find – and how to stop it
DNS Hijacking Abuses Trust In Core Internet Service: “Technical details of a state-sponsored attack manipulating DNS systems”
Announcing rescope v1.0 – Scoping for Bug-Bounty Hunters Made Easy: “No longer do you have to copy/paste the scope section to a file and set excludes manually. Just tell rescope which program you’d like to scope and it’ll take care of the rest.”
Hackers could read non-corporate Outlook.com, Hotmail for six months
Facebook admits “supply chain data leak” in new Oculus headsets
Dead Windows Live tiles regain new life in subdomain takeover
A security researcher with a grudge is dropping Web 0days on innocent users
Facebook user data used as bargaining chip, according to leaked docs
Amazon staff listen to customers’ Alexa recordings, report says
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.
Curated by Pentester Land & Sponsored by Intigriti. Subscribe to the newsletter here!