By Intigriti
April 30, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 19 to 26 of April.
I haven’t had the time yet to do this CTF, but it’s on my todo list because it seems different. It’s a Web CTF that involves multiple subdomains, directory bruteforce, and different attack vectors.
So it’s a nice opportunity to practice recon. But make sure to respect the rules (attacking the infrastructure/ports other than 443 is not allowed).
Session fixation on Shopify ($5,000)
This is an excellent session fixation report. It is well-written, detailed and a good example of a real-life session fixation attack, so it's a good read if you want to learn about this kind of bug.
Also, it's interesting to see how @filedescriptor found the bug and chained it with an out-of-scope vulnerability: he found an XSS, but XSS was out of scope. So he kept playing with the apps and noticed that some session IDs did not change after logging in, which meant session fixation. He then leveraged the XSS to exploit the session fixation.
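The check that caught the bug above ("does the session ID change after login?") is easy to turn into a regression test. The following is an added illustration, not code from the Shopify report or from @filedescriptor: a minimal in-memory session store with a login that authenticates the existing session in place (the fixation-prone behaviour) beside one that issues a fresh ID at the privilege boundary. The store, the method names and the "victim" user are all constructed for this example; how an attacker would plant the ID in the first place is left out.

```python
"""Session fixation: a pre-login session ID that survives login.
Added example (not the original report's code); names are assumptions."""
import secrets


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session ID."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": None | str}

    def new_session(self):
        """Create an anonymous (pre-login) session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the user bound to a session ID, or None if none/unknown."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_vulnerable(self, sid, username):
        """Fixation-prone: keeps the pre-login ID and marks it authenticated,
        so anyone who already knew that ID now holds a logged-in session."""
        if sid not in self._sessions:
            sid = self.new_session()
        self._sessions[sid]["user"] = username
        return sid

    def login_hardened(self, sid, username):
        """Correct: drop the pre-login session and issue a brand-new ID, so
        the ID that existed before authentication resolves to nothing."""
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid


def fixation_possible(login_method):
    """Regression check: obtain an ID before login, log the victim in with
    it, then ask whether that same ID is now an authenticated session."""
    store = SessionStore()
    planted = store.new_session()        # ID known before authentication
    login = getattr(store, login_method)
    login(planted, "victim")
    return store.user_for(planted) == "victim"


if __name__ == "__main__":
    print("vulnerable login fixable:", fixation_possible("login_vulnerable"))
    print("hardened login fixable:  ", fixation_possible("login_hardened"))
```

In a real web framework the hardened variant is the "regenerate session on login" call (and the same rotation belongs at every privilege change, such as password reset or role elevation); the `fixation_possible` check is the same observation the report made, just automated.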
“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
A list of the most common [secure] variables from 5,302,677 build logs on Travis CI
This is awesome research and collaborative work! I loved reading about:
How they came up with this research topic
How they started with a list of bug bounty programs, found their GitHub organizations (using Google), then their Travis CI projects (using a bookmarklet)
How they grepped through the sizeable data retrieved (using Ripgrep)
How the tools they used to fetch build logs were created with availability in mind (to avoid causing any service disruption)
Which kind of information to look for when analyzing Travis CI logs
Several examples of bugs found on bug bounty programs
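The "which kind of information to look for" step comes down to pattern matching over a lot of log text, which is what the ripgrep pass above did at scale. As an added example (not the authors' tooling, and the patterns are assumptions chosen for illustration), here is a small scanner that runs over constructed build-log lines: it reports assignments whose variable name suggests a credential and whose value is high-entropy, skips values Travis has already masked as `[secure]`, and flags two well-known key formats. A team can run the same logic over its own public build logs to find what leaked before someone else does.

```python
"""Scan CI build log lines for values that look like leaked credentials.
Added example (not the research's tooling); patterns and sample lines are
constructed for illustration."""
import math
import re
from collections import Counter

# Assumed detection patterns: an AWS-style access key ID, a GitHub-style
# token prefix, and KEY=value assignments whose key name suggests a secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "secret_assignment": re.compile(
        r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)=(\S+)"),
}
# Values the CI service has already redacted; nothing to report.
MASKED = {"[secure]", "***", "<redacted>"}


def shannon_entropy(s):
    """Bits per character; random-looking credentials score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_log(lines, min_entropy=3.5):
    """Return (line_number, kind, hint) findings without echoing the value.
    hint is the variable name for assignments, or a 4-char prefix otherwise."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if kind == "secret_assignment":
                    name, value = m.group(1), m.group(2)
                    if value in MASKED:
                        continue  # already masked by the CI service
                    if shannon_entropy(value) < min_entropy:
                        continue  # e.g. "true" or "changeme": unlikely a credential
                    findings.append((lineno, kind, name))
                else:
                    findings.append((lineno, kind, m.group(0)[:4] + "..."))
    return findings


# Constructed sample log; the token-like strings are made up for this example.
LOG = [
    "$ export API_TOKEN=[secure]",                                   # masked
    "$ export DEPLOY_TOKEN=a8F3kLm29QzPxT7vBn1wRs5yHd0eGc4u",       # leaked
    "$ export DEBUG_PASSWORD=true",                                 # low entropy
    "Using credentials AKIAEXAMPLE12345ABCD for s3 sync",            # key ID format
    "remote: token ghp_0123456789abcdefghijklmnopqrstuvwxyz accepted",  # token format
    "npm notice: build ok",
]

if __name__ == "__main__":
    for finding in scan_log(LOG):
        print(finding)
```

The entropy threshold is a tuning knob: too low and every `DEBUG_PASSWORD=true` becomes noise, too high and short but real tokens slip through; pairing it with format-specific patterns, as above, keeps the false-positive rate manageable when the input is millions of lines.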
Keyhacks is a GitHub repo listing ways in which API keys can be checked to see if they're valid.
It can be handy to quickly show the impact of API keys leaked by bug bounty targets. It’s particularly interesting after reading the research about finding sensitive information in Travis CI logs.
How to Hunt Bugs in SAML; a Methodology – Part I, Part II & Part III
If you've come across SAML during testing and didn't know which kinds of bugs to look for, these tutorials are for you!
They’re a good introduction including how SAML works, common vulnerabilities, tools, a testing methodology, and resources.
5. Tutorial of the week
After the big success of the Twitter CTF, Intigriti published a new challenge. This time it is an XSS challenge. Are you able to execute JavaScript on challenge.intigriti.io?
CHALLENGE: Can you find the XSS? 🧐 Earn a Burp License, cool swag & private invites! 👉https://t.co/EehqBfFmjA
— Intigriti (@intigriti) April 29, 2019
Torfs – the well-known shoe retailer in Belgium – is still a 100% family business today. This family character guarantees a number of important values within the company where employees are central. With more than 80 stores in Flanders, 2 shops in the French part of Belgium and a growing online shop in Belgium, The Netherlands and several marketplaces, Torfs wants to be and remain the most customer-friendly optichannel shoe store chain. They pay up to €5000 and have their full online store in scope. Go have a look!
Other amazing things we stumbled upon this week
GitLab 11.4.7 Remote Code Execution – Real World CTF 2018 & Blog post
Zero to Hero Pentesting: Episode 6 – Enumeration (Kioptrix & Hack The Box)
Security sandbox: Plain Language Web Hacking with Pete Yaworski
Risky Business #538 — Marcus Hutchins is a milkshake duck, Iranian APTs doxxed and more
What else should you know about argument injection at OS commanding vulnerabilities
Getting in the Zone: dumping Active Directory DNS using adidnsdump & Adidnsdump
How I found 5 ReDOS Vulnerabilities in Mod Security CRS & Unpatched ModSecurity CRS vulnerabilities leave web servers open to denial-of-service attacks
On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)
Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
Information disclosure on GitLab ($12,000)
DoS on Twitter ($5,040)
Information disclosure on HackerOne ($3,000)
Use After Free on Lob ($1,500)
Information disclosure on Zendesk ($3,000)
Information disclosure on Facebook ($5,000)
X41 BeanStack & Introduction: Java Fingerprinting using Stack Traces
SmartProxy: SmartProxy will automatically enable/disable proxy for the sites you visit, based on customizable patterns
BugHunter: A Bug management project for Bug Hunters
RCEvil.NET & Slides: A tool for signing malicious ViewStates with a known validationKey
Viewgen: ASP.NET ViewState generator, When to use it & Related research
Thief: Subdomain hijack automation. Wrapper around Sublist3r & Subjack
Findomain: A tool that uses Certificate Transparency logs to find subdomains
Reverie: Wrapper around pentest tools with automated reporting (for Parrot Linux)
GitHacker: A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers' minds
Csp-analyzer.py: Python script that displays the Content-Security-Policy of a given url
Netmap.js: Fast browser-based network discovery & port-scanning module
Termshark: A terminal user-interface for tshark
Target Practice #Android
XSS challenge by @intigriti: Submit answer before May 2nd. Winner gets a Burp license, swag & private invites
What stealthy attacks are hiding in API data — and why do most WAF miss them?!
Stop Using Python for Subdomain Enumeration & Twitter discussion
After three years of silence, a new jQuery prototype pollution vulnerability emerges once again
How Google Is Using Content Security Policy to Mitigate Web Flaws
Name (mDNS) Poisoning Attacks Inside The LAN & mDNS server/spoofer
Docker Hub Database Hack Exposes Sensitive Data of 190K Users
Evil TeamViewer Attacks Under the Guise of the U.S. State Department
These Are The World’s Most Hacked Passwords — Is Yours On The List?
DNS over HTTPS is coming whether ISPs and governments like it or not
Password1, Password2, Password3 no more: Microsoft drops password expiration rec
Amazon Employees Given ‘Broad Access’ to Personal Alexa Info
From Grey to White – An Unspoken Ethical Journey in Cyber Security
All Eyes On You: How To Grab And Hold An Audience’s Attention
Subscribe to the newsletter here!
Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.