Bug Bytes #20 – Another LFI on Google, Turning your time into bugs by @Zseano & Live Hacking like a MVH by @fransrosen

By Intigriti

May 28, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 17 to 24 May.

Our favorite 5 hacking items

1. Article of the week

Turning your time into bugs — zseano’s thoughts

If you’re into bug bounty, and want to get into the right mindset for success, then you need to read this and apply it.
The advice given is common sense, but sometimes what we need to hear is exactly that.
I love this piece, especially these two reminders: what you can try is limitless, and focus on specific goals to avoid burnout.

2. Writeup of the week

Another LFI on Google ($13,337)

An LFI on a Google subdomain is an impressive finding. The most interesting parts of this writeup (the entire vulnerable paths) are sadly redacted, but here are 3 important lessons I got from it:

  • Do file/directory bruteforce even on redirection pages

  • Improving the wordlist & doing a second round can yield more new directories

  • Persist if a bug is rejected. And follow your gut: if an endpoint looks interesting, keep digging

Also, it’s good to know that @omespino used a combination of known wordlists (all.txt & SecLists) and custom ones (based on pattern matching and discovery).

3. Resource of the week

EdOverflow’s newsletter

A couple of weeks ago, when @EdOverflow announced he was starting a newsletter, I didn’t know what it would be about. But I knew for sure that it would be good, as is everything shared by Ed.
Now, after two issues, I urge you to subscribe if you haven’t already. Each email is about a vulnerability class, with links to articles for digging deeper. This is a great opportunity to learn about lesser-known bugs and dedicate some quality time to researching them.
I can’t wait for more of these emails! Reading them is like the hacker version of reading a good magazine, sitting by the pool with mango juice and a good playlist. Fun times!

4. Tool of the week

TravisLeaks

Remember this recent article by @EdOverflow on extracting sensitive information from Travis CI? It deliberately didn’t include the tools used to fetch build logs, to avoid them causing any service disruptions.
So if you’ve been wondering how to automate the techniques explained in the article, TravisLeaks will be very helpful. It has room for improvement but is a good start. Use it responsibly and customize it, starting with the wordlist.
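The core of this kind of tooling is a wordlist-driven scan of build log text for key/value pairs that look like credentials. The following is an added example written for this newsletter, not TravisLeaks’ own code, aimed at checking your own CI logs before they leak: the keyword list is a hypothetical stand-in for a tool’s customizable wordlist, the log lines are constructed, and values a CI system has already masked (such as `[secure]`) are skipped rather than reported.

```python
import re
from typing import Dict, List, Optional

# Hypothetical keyword list: a stand-in for the wordlist a tool like TravisLeaks
# lets you customize. Any KEY containing one of these words is inspected.
DEFAULT_WORDLIST = [
    "password", "passwd", "secret", "token",
    "api_key", "apikey", "access_key", "private_key",
]

# Placeholders a CI system prints instead of an encrypted variable; not leaks.
MASKED_VALUES = {"[secure]", "***", "<redacted>"}


def build_pattern(wordlist: List[str]) -> "re.Pattern[str]":
    """Match KEY=value or KEY: value where KEY contains a wordlist entry.
    The optional 'export ' prefix covers shell commands echoed into the log."""
    alternation = "|".join(re.escape(w) for w in wordlist)
    return re.compile(
        r"(?i)\b(?:export\s+)?"
        r"([A-Z0-9_.-]*(?:" + alternation + r")[A-Z0-9_.-]*)"
        r"\s*[=:]\s*['\"]?([^\s'\"]+)"
    )


def redact(value: str) -> str:
    """Keep just enough of a value to triage the finding, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_log(text: str, wordlist: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Return one finding per unmasked key/value pair that looks like a secret."""
    pattern = build_pattern(wordlist or DEFAULT_WORDLIST)
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in pattern.finditer(line):
            name, value = match.group(1), match.group(2)
            if value in MASKED_VALUES:
                continue  # the CI system already masked it; nothing leaked
            findings.append({"line": number, "name": name, "preview": redact(value)})
    return findings


# Constructed sample in the style of a CI build log (not a real log).
SAMPLE_LOG = """\
$ export DB_PASSWORD=[secure]
$ export API_TOKEN=abcd1234efgh5678
Installing dependencies...
npm WARN deprecated request@2.88.0
aws_secret_access_key: EXAMPLESECRET0123456789
Build succeeded
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['name']} = {finding['preview']}")
```

Run against the constructed log, only the `API_TOKEN` line and the `aws_secret_access_key` line are reported; the `DB_PASSWORD=[secure]` line is recognised as already masked. Previews are redacted so the scanner’s own output does not become a second copy of the secret.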

5. Slides of the week

Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

These are slides by @fransrosen on live hacking (i.e. bug bounty live events), touching on many different topics: technical advice, methodology, recon, the genesis of live events, reporting, what to focus on, examples of bugs…
To give you a taste, here’s something to do when you’re blocked while doing file/directory bruteforce: use a VPN with a switchable IP.
Need I say more? Stop everything and go check it out!

6. Intigriti News

6.1 Write-up 5K XSS-Challenge

Did you win a Burp Pro License by solving our XSS Challenge? Read everything about the winner, our intended solution and the TWO (!) extra solutions found by our amazing community.

Read the solution here!

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Openinbrowser.py: Python script to open a list of URLs from a file in browser tabs, n tabs at a time

  • Tt-ext – Taint Testing Tool: Chrome extension to aid in finding DOMXSS by simple taint analysis of string values

  • To Fuzz a WebSocket: WebSocket Fuzzer in Python

  • Pown-cdb: Automate common Chrome Debug Protocol tasks to help debug web applications from the command-line and actively monitor and intercept HTTP requests and responses. As @hakluke said, “like Burp proxy but CLI”

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty / Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/17/2019 to 05/24/2019.

Subscribe to the newsletter here!

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.

Curated by Pentester Land & Sponsored by Intigriti
