By Intigriti
July 15, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 05 to 12 July.
– All you need to know to exit VIM without unplugging your laptop
– 10 tips that are helpful if you are not finding vulns/bugs
– Why http://1.0.0.1 is the same as http://1.1
– How to use Tmux/Screen AFTER you’ve started Nmap
These tweets are so good that I had to mention all four. They’re about:
How to exit VIM, and more importantly how to make `:!Q` (which isn’t currently an option) quit it too
Awesome advice to improve your environment and methodology, and start finding vulns/bugs
Why some SSRF payloads include IP addresses like 1.1.1, and how routers know that it means 1.1.0.1 and not 1.1.1.0. I’ve been wondering about that and the answer was… RTFM!
What to do when you’re hours into an Nmap scan and you forgot to start it in a Tmux/Screen session (Genius!)
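The shorthand forms in the "http://1.0.0.1 is the same as http://1.1" tweet follow the classic inet_aton() rules: the last dotted part is widened to fill whatever bytes remain, and a 0x or leading-0 prefix selects hex or octal. The Python below is an added example written for this issue, not code from the newsletter or the tweet; it reimplements those rules and shows why a defender should normalise an address before comparing it against an allow or deny list (`expand_inet_aton` and `is_internal` are names chosen here).

```python
import ipaddress


def _part(tok: str) -> int:
    """Parse one dotted part the way strtoul(base 0) does: 0x = hex, leading 0 = octal."""
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def expand_inet_aton(text: str) -> str:
    """Expand a shorthand IPv4 literal (1.1, 1.1.1, 0x7f.1, 2130706433, ...)
    into its canonical dotted quad, following inet_aton() semantics.
    Raises ValueError for anything inet_aton() would reject.
    """
    parts = [_part(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 dot-separated parts")
    # Every part but the last must fit in one byte; the last part is
    # widened to cover the remaining 8/16/24/32 bits of the address.
    last_bits = 8 * (5 - len(parts))
    head, last = parts[:-1], parts[-1]
    if any(p > 0xFF for p in head) or last >= (1 << last_bits):
        raise ValueError("part out of range")
    value = last
    for i, p in enumerate(reversed(head)):
        value |= p << (last_bits + 8 * i)
    return str(ipaddress.IPv4Address(value))


def is_internal(text: str) -> bool:
    """Defender-side check: normalise first, then test the real address.

    A naive string match on "127.0.0.1" or "169.254.169.254" misses the
    shorthand spellings above; normalising closes that gap.
    """
    addr = ipaddress.IPv4Address(expand_inet_aton(text))
    return addr.is_loopback or addr.is_private or addr.is_link_local


if __name__ == "__main__":
    # Constructed sample inputs: the tweet's examples plus hex/octal/integer forms.
    for literal in ["1.1", "1.1.1", "2130706433", "0x7f.1", "0177.0.0.1"]:
        print(f"{literal:>12} -> {expand_inet_aton(literal):>15}  internal={is_internal(literal)}")
```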
If testing for mass assignment isn’t currently part of your methodology, this is an excellent opportunity to learn about it and start testing for it.
@albinowax was bug hunting on New Relic. He found that free accounts didn’t have access to the API. But this restriction could be bypassed by intercepting a POST request to change your name and adding this parameter: `account[allow_api_access]=true`.
He also tells us how he guessed the parameter’s name:
Securing Your Cloud Infrastructure | Security and Research Company (SECARMY)
After last week’s intro to cloud for pentesters and bug hunters, SECARMY returns with a sequel on common cloud security misconfigurations and their mitigations.
More specifically, this one is about SSRF and LFI on AWS, why they occur, how to detect them, how to leak AWS credentials and what companies can do to prevent it.
A few weeks ago, @EdOverflow published the article “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter. He did the research with a few other hackers, and they developed a tool to automate fetching Travis CI build logs.
It allowed them to quickly look for sensitive information in CI logs and earn many bounties. It was awesome to read about that but they didn’t release it because they didn’t want to cause service disruptions to CI platforms.
I guess they’ve changed their minds because they’ve just released Secretz!
It minimizes the large attack surface of Travis CI by automatically fetching repos, builds, and logs for any given organization. So it’s a really neat tool to add to your arsenal.
Who doesn’t like peeking at how other hackers organize their notes?
@GouveaHeitor shares here how he uses SwiftnessX to define payloads, report templates and libraries / checklists. It’s worth looking at his screenshots if you feel like your pentest/bug bounty notes could be better organized.
The Complete Beginner Network Penetration Testing Course for 2019 & Notes for Beginner Network Pentesting Course
Post Exploitation With Windows Credentials Editor (WCE) – Dump Windows Password Hashes
Risky Business #547 — Zoom-gate, massive GDPR fines, ship hack warnings and more
Smashing Security 136: Oops, we created Iran’s hacking exploit
Business Security Weekly #135 – Science, Ben Franklin, & Lessons
Paul’s Security Weekly #611 – Porn Pirating, Zoom RCE, & Huawei
Android Apps – How easy is it to tear them apart and steal your data?
TyphoonCon 2019 slides, especially:
IIS Application vs. Folder Detection During Blackbox Testing
Advanced Frida Witchcraft: Turning an Android Application into a Voodoo Doll
Linux for Pentester: git Privilege Escalation, Pip Privilege Escalation & Sed Privilege Escalation
Introducing Rustbuster — A Comprehensive Web Fuzzer and Content Discovery Tool
Content Security Policy (CSP) explained including common bypasses
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! #Web
Unsafe password reset in GLPI < 9.4.1 #Web #CodeReview
Stored XSS in GLPI < 9.4.3 #Web #CodeReview
RCE Exploits of Redis Based on Master-Slave Replication #Web
Attacks on applications of k-anonymity for password retrieval: “Despite being promoted as protecting passwords, the model of k-anonymity used by Have I Been Pwned may allow a third-party server to learn user passwords. Affects password managers including 1Password and Bitwarden” #Web
Vulnerabilities in Nexus Repository left thousands of artifacts exposed #Web
U-XSS in OperaMini for iOS Browser (0-Day) #Browser #Mobile
Security Advisory: Targeting AD FS With External Brute-Force Attacks & TL;DR #ActiveDirectory
Improper access control on VHX ($1,500)
Business logic flaw on Upserve ($3,500)
Blind SQL injection on Tube8 ($2,500)
Forced browsing on HackerOne ($500)
Jenkins RCE ($8,000)
Open redirect / OAuth token theft / Account takeover on Airbnb
Cleartext password in LocalStorage ($1,500)
IDOR / Account takeover ($2,650)
See more writeups on The list of bug bounty writeups.
ScreenToGif: Allows you to record a selected area of your screen, edit and save it as a gif or video! Useful for recording PoCs
Qsreplace: A Go script to replace or append to query string values in URLs. Can be used in combination with waybackurls to generate URLs for fuzzing with a particular payload
JWTrek: JWT Token C# Bruteforcer (HS256) (pure bruteforce, no wordlist yet)
Android-App-Testing: Python3 scripts to help automate the installation of Burp Suite certificates on Android devices
Venemy: OSINT tool for Venmo. It grabs profile information, friends lists & transactions
BADministration & Introduction: Tool to leverage SolarWinds Orion servers from an offensive standpoint
RedTeamCSharpScripts: C# Scripts for Red teaming
Kali Linux Tools Interface: A graphical interface to use tools in Kali by the browser
WCTF 2019 & Solution (It’s a new web exploitation technique dubbed the ‘Antivirus Oracle’)
Hacking JavaScript with JavaScript – How to use parsers and other tools to analyze JavaScript
Think Twice Before Adopting Security By Obscurity in Kotlin Android Apps
Getting your head under the hood and out of the sand: Automotive security testing
Abusing Common Cluster Configuration for Privileged Lateral Movement
Executing Code Using Microsoft Teams Updater & Why popular apps like Slack & Discord can be used too
@Hacker0x01 is hiring a Security Analyst for the Triage team in APAC & they’re also hiring in EMEA & the USA
‘Zoom’s performance has been fantastic… thanks to half their customers uninstalling it’
Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping
Two pentesters, one glitch: Firefox browser menaced by ancient file-snaffling bug, er, feature
Logitech Unifying Receivers Vulnerable to Key Injection Attacks
Latest FinSpy Modules Lift Data from Secure Messaging Apps & The list of targeted apps
Rogue Android apps ignore your permissions & Paper: 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System
GDPR superpowers lead to whopper ICO fines for BA, Marriott: US $229.34 million for British Airways & US $123 million for Marriott
Facebook to be slapped with $5 billion fine for privacy lapses, say reports
“Mozilla aren’t villains after all” – ISPs back down after public outcry
Google Home Silently Captures Recordings of Domestic Violence and More
Metasploit Can Be Directly Used For Hardware Penetration Testing Now
Bug bounty: how to win the race against black-hat hackers?
Types of Cybercrime and How to Protect Yourself Against Them
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/05/2019 to 07/12/2019
Curated by Pentester Land & Sponsored by Intigriti
Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.