By Intigriti
May 28, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all the write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 17 to 24 May.
If you’re into bug bounty, and want to get into the right mindset for success, then you need to read this and apply it.
The advice given is common sense, but sometimes what we need to hear is exactly that.
I love this piece, especially these two reminders: What you can try is limitless. And focus on specific goals to avoid burnout.
Another LFI on Google ($13,337)
An LFI on a Google subdomain is an impressive finding. The most interesting parts of this writeup (the full vulnerable paths) are sadly redacted, but here are 3 important lessons I took from it:
Do file/directory bruteforce even on redirection pages
Improving the wordlist & doing a second round can yield more new directories
Persist if a bug is rejected. And follow your gut: if an endpoint looks interesting, keep digging
Also, it’s good to know that @omespino used a combination of known wordlists (all.txt & SecLists) and custom ones (based on pattern matching and discovery).
A couple of weeks ago, when @EdOverflow announced he was starting a newsletter, I didn’t know what it would be about. But I knew for sure that it would be good, as is everything shared by Ed.
Now, after two issues, I urge you to subscribe if you haven’t already. Each email is about a vulnerability class, with links to articles for digging deeper. This is a great opportunity to learn about lesser-known bugs and dedicate some quality time to researching them.
I can’t wait for more of these emails! Reading them is like the hacker version of reading a good magazine, sitting by the pool with mango juice and a good playlist. Fun times!
Remember this recent article by @EdOverflow on extracting sensitive information from Travis CI? It deliberately didn’t include the tools used to fetch build logs, to avoid them causing any service disruptions.
So if you’ve been wondering how to automate the techniques explained in the article, TravisLeaks will be very helpful. It has room for improvement but is a good start. Use it responsibly and customize it starting with the wordlist.
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
These are slides by @fransrosen on live hacking (i.e. bug bounty live events), touching on many different topics: technical advice, methodology, recon, the genesis of live events, reporting, what to focus on, examples of bugs…
To give you a taste, here’s something to do when you’re blocked while doing file/directory bruteforce: Use VPN with switchable IP.
Need I say more? Stop everything and go check it out!
Did you win a Burp Pro License by solving our XSS Challenge? Read everything about the winner, our intended solution and the TWO (!) extra solutions found by our amazing community.
Bug Bounty World Interviews Swaroop Yermalkar – Bug Bounty Talks
Zero to Hero: Episode 10 – MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
New Series: Getting Into Browser Exploitation – browser 0x00
The Many Hats Club – Ep. 59, Veterans and hackers unite (with Cybermentor)
Business Security Weekly #129 – Discovering Applications, Netsparker
Secure Digital Life #111 – Mistakes In Your Career Search, RWU
NolaCon 2019, especially:
Security Fest 2019 Day 1 & Day 2, especially:
Votre vie privée contre des services ? (in French but here’s how to get auto-generated English subtitles)
Medium to advanced
The signed JSON Web Token – A supposedly Secure Token and its Weak Spots
Exploiting PHP Phar Deserialization Vulnerabilities – Part 1
Azure Apps for Command and Control (or subdomain takeovers)
0x04 Calling iOS Native Functions from Python Using Frida and RPC
Beginners corner
Cybersecurity Fingerprinting Techniques and OS-Network Fingerprint Tools
A Kubernetes quick start for people who know just enough about Docker to get by
Responsible disclosure writeups
Panic! at the Cisco :: Unauthenticated Remote Code Execution in Cisco Prime Infrastructure
Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials
Slack Patches Download Hijack Vulnerability in Windows Desktop App
Bug bounty writeups
Logic flaw on Facebook ($7,500)
Authorization flaw on Shopify ($3,000)
Race condition on HackerOne ($500)
Logic flaw on HackerOne ($500)
Authentication bypass on Revive Adserver #SourceCodeAnalysis
LFI on Google ($3,134)
XSS ($1,000)
See more writeups on The list of bug bounty writeups.
Openinbrowser.py: Python script to open a list of URLs from a file in browser tabs, n tabs at a time
Tt-ext – Taint Testing Tool: Chrome extension to aid in finding DOMXSS by simple taint analysis of string values
To Fuzz a WebSocket: WebSocket Fuzzer in Python
Pown-cdb: Automate common Chrome Debug Protocol tasks to help debug web applications from the command-line and actively monitor and intercept HTTP requests and responses. As @hakluke said, “like Burp proxy but CLI”
Subdomain Takeover.py & Usage: SubDomain TakeOver Scanner
JS-Alpha: Funny project to create a converter that converts any javascript code to the code that contains only [a-z().] characters
Vulnx: CMS and vulnerabilities detector and an intelligent auto shell injector
Project Black: Pentest/BugBounty progress control with scanning modules
XSSCon: XSS Scanner in Python
Kaboom: Automatic pentest
Censys.go & Usage example: Search censys from the CLI
Trivy: A Simple and Comprehensive Vulnerability Scanner for Containers, Compatible with CI
CVE-2019-0708 scanner & Metasploit module: Scanner PoC for CVE-2019-0708 RDP RCE vuln (BlueKeep)
Pymetasploit3 & Tutorial: Metasploit automation library
Aws-testing-notes: Notes as I learn basic AWS penetration testing
Offensiveinterview: Interview questions to screen offensive (red team/pentest) candidates
Intigriti XSS challenge 2: Challenge over but still available online if you want to play
DVCW: Damn Vulnerable Crypto Wallet
How I Eat For Free in NYC Using Python, Automation, Artificial Intelligence, and Instagram
Permanent URL Hijack Through 301 HTTP Redirect Cache Poisoning
The Most Expensive Lesson Of My Life: Details of SIM port hack
Failure Is Not the End – How to Provide Value to Your Customer Even When You Can’t Own Their Network
RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708
Bountybash: Live Hacking Hackathon on July 19-20, 2019
Register to Bugcrowd LevelUp 0x04: Free online conference on June 1-2
Organizations dissatisfied with WAFs’ ineffective protection, time-consuming management, high cost
Hackers for hire – the good, the bad and the just-plain-scammers
Unistellar attackers already wiped over 12,000 MongoDB databases
Millions of Instagram influencers had their private contact data scraped and exposed
>20,000 Linksys routers leak historic record of every device ever connected
Google launches Portals, a new web page navigation system for Chrome
Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password
Amnesty sues maker of Pegasus, the spyware let in by WhatsApp zero day
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
Equifax just became the first company to have its outlook downgraded for a cyber attack
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/17/2019 to 05/24/2019.
Subscribe to the newsletter here!
Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.
Curated by Pentester Land & Sponsored by Intigriti