Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week. This issue covers the week from 11 to 18 of January.
Big thanks to Intigriti for sponsoring this newsletter!
bugbounty.link
This is a URL shortening service. What’s great about it is that it supports any protocol (file, gopher, etc). So it can be useful to test for SSRF or open redirects, and bypassing filters on certain URI schemes.
Reverse engineering games for fun and SSRF – part 1 & Part 2
This is a great writeup if you want to learn how to hack thick applications. @tampe125 shows how he:
Hacked an unnamed gaming thick application
Set it up to go through Burp Proxy as a transparent proxy (by using his local /etc/hosts files)
Extracted juicy information from the game’s logs
Reverse engineered a custom protocol using the logs
Identified an endpoint vulnerable to SSRF
Edited WebSocket connections to exploit the SSRF
It was only possible to configure Burp as a transparent proxy because the app didn’t use certificate pinning.
Are you submitting bugs for free when others are being paid? Welcome to BugBounties!
If you’re interested in bug bounty, this is an absolute must read! @zseano, a confirmed and experienced bug hunter, is denouncing some bad practices from bug bounty platforms. For example, some companies have a paying private program and a public one with the same scope but no rewards (kudos and Hall of Fame only).
He surprisingly concludes by saying that “bugbounties are overhyped and not sustainable” and that you should only do bug bounty as a hobby, not full time. He himself counts on quitting full-time bug hunting this year.
Whether he has an ulterior motive or not, one thing most people would agree on is: don’t work for free, your time is too precious.
Tip 1: Find yourself using the same non-default wordlists over and over again in Intruder? Add them into the default list! Intruder menu > Configure predefined payload lists
Tip 2: Sending lots of requests in Repeater and looking for specific text in the response? Use the find bar but also click the “+” and select “auto-scroll to match when text changes” to jump straight to what you want!
Tip 3: Hold Ctrl and click a column heading to copy the contents of an entire column to the clipboard (don’t be put off by the lack UI acknowledgement)
I love these Burp tips by @yppip. They might help you save time and avoid doing repetitive actions like loading your payload files manually every time.
And if you want to see more tips of this kind, @Agarri_FR has ~100 pages of them: video & slides. They date back a little but a lot of them are still valid.
Resources-for-Beginner-Bug-Bounty-Hunters
This one is for you if you dream of becoming a pro pentester or bug hunter and have absolutely no idea where to start. It’s a short list of resources sorted by different categories: web, networking and programming basics, XSS and labs.
These are not exhaustive resources that will make you bug hunter of the year.
These are not exhaustive resources, rather basics to master and get a solid foundation as a start.
Medium to advanced
Beginners corner
Challenge writeups
Pentest & Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
Pktrecon & Explanation: Internal network segment reconnaissance using packets captured from broadcast and service discovery protocol traffic
Recursive-gobuster: A wrapper around gobuster that automatically scans newly discovered directories
More tools, if you have time
Uncaptcha2: Defeat ReCaptcha with 91% accuracy by asking for the audio challenge, downloading the mp3, forwarding it to Google Speech2Text API and submiting the answer back…
Resolve_domain_computers.py: Get /etc/hosts entries for computers in Active Directory. Useful for internal pentests when for whatever reason you can’t configure your box to use their DNS server directly. It uses domain creds to grab a list of hostnames from a DC, resolve their IP addresses, and gives you /etc/hosts entries.
AEM hacker toolset: Tools to identify vulnerable Adobe Experience Manager (AEM) webapps
s3-monster.py: Script to download fomes from open S3 buckets
IdentYwaf: Blind WAF identification tool
Giggity: Wraps github api for openly available information about an organization, user, or repo
H8mail: Email OSINT and password breach hunting. Use h8mail to find passwords through different breach and reconnaissance services, or the infamous Breached Compilation torrent
Cardfinder.py: Day 17: Looking for Credit Cards in Files
ad-quick-install: Scripts to quickly setup AD and populate it with unique users (useful for building a lab
Articles
> If you happen to be a customer in US (which I am not but the website is hosted in a US data centre) then you are automatically opted into this service and all your website’s pages will have this JavaScript injected into them.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/11/2019 to 01/18/2019.
Curated by Pentester Land & Sponsored by Intigriti
Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
