By Intigriti
January 29, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all the write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week. This issue covers the week from 18 to 25 January.
If you want to automate some of your recon tasks but don’t know where to start, this is an excellent place to begin.
A recon workflow chart is given as an example. This is the first article of a series. It explains how to automate subdomain enumeration with a Bash script, and includes the commands and tools used plus tips such as how to check for wildcard DNS resolution (which otherwise produces false-positive subdomains).
Looking forward to the sequel(s)!
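As an added example (not code from the article), here is the wildcard check as it would sit in a Python version of such a pipeline: random labels under the target domain are resolved, any addresses they return are treated as the wildcard target, and candidate subdomains that resolve only to that target are dropped. The resolver is injected so the code runs offline against a constructed zone; `system_resolve`, the zone data and all function names are assumptions, not the article’s.

```python
"""Wildcard DNS check for a subdomain enumeration pipeline.

Added example; not code from the article. The resolver is injected so the
logic runs offline against the constructed zone below; pass system_resolve
(or a dnspython-based lookup) for live use.
"""
import secrets
import socket
from typing import Callable, Dict, Iterable, Set

Resolver = Callable[[str], Set[str]]  # hostname -> A records, empty set on NXDOMAIN


def system_resolve(host: str) -> Set[str]:
    """Real lookup through the OS resolver (not used by the offline demo)."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels nobody would have registered. Addresses
    they return belong to a wildcard record; an empty set means no wildcard.
    Several probes are used because wildcard targets are often round-robin."""
    found: Set[str] = set()
    for _ in range(probes):
        found |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return found


def filter_wildcards(domain: str, candidates: Iterable[str],
                     resolve: Resolver) -> Dict[str, Set[str]]:
    """Keep only candidates that resolve to something other than the wildcard
    target. A host with its own record survives even in a wildcarded zone;
    one that merely inherits the wildcard is a false positive."""
    wild = wildcard_addresses(domain, resolve)
    live: Dict[str, Set[str]] = {}
    for host in candidates:
        addrs = resolve(host)
        if not addrs:
            continue                      # NXDOMAIN: not a real subdomain
        if wild and addrs <= wild:
            continue                      # only the wildcard target: discard
        live[host] = addrs
    return live


# --- constructed zone for the offline demo (assumption, not real data) ---
WILDCARD_TARGET = {"198.51.100.1", "198.51.100.2"}
CONSTRUCTED_ZONE = {
    "www.example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.20"},
}


def fake_resolve(host: str) -> Set[str]:
    """Any other label under example.com resolves to the wildcard target."""
    if host in CONSTRUCTED_ZONE:
        return set(CONSTRUCTED_ZONE[host])
    if host.endswith(".example.com"):
        return set(WILDCARD_TARGET)
    return set()


if __name__ == "__main__":
    guesses = ["www.example.com", "mail.example.com", "staging.example.com",
               "dev.example.com", "gone.example.org"]
    print("wildcard target:", sorted(wildcard_addresses("example.com", fake_resolve)))
    for host, addrs in filter_wildcards("example.com", guesses, fake_resolve).items():
        print(host, sorted(addrs))
```

Against the constructed zone, `staging` and `dev` are dropped because they resolve only to the wildcard target, while `www` and `mail` survive because they have records of their own. The subset test (`addrs <= wild`) rather than an equality test is deliberate: a real host behind the same load balancer as the wildcard would still be kept if it also returns an address the probes never saw.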
Logic vulnerabilities are my favorite. This one is an authentication flaw found on big sites like Google, Microsoft, Instagram, Cloudflare & many more.
Ironically, it abuses 2FA. The first thing Luke Berner noticed is that if you request a 2FA code and then change your password, the 2FA code remains valid for 20 minutes. And you can keep it valid for longer by staying on the 2FA input page indefinitely.
From there he concluded with this attack scenario:
The attacker compromises someone’s account, enables 2FA, requests a 2FA code, stays on the 2FA page, then disables 2FA.
The victim changes his/her password to regain control of the account.
The attacker is still able to access the account using the 2FA code, without knowing the victim’s new password!
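As an added illustration, not code from the write-up or from any of the affected sites, the following Python sketch models the flaw beside a fix. The vulnerable service keys the pending challenge on the account name alone and refreshes its expiry every time the 2FA page is rendered; the hardened one binds the challenge to a credential version that is bumped on every password change or 2FA toggle, expires it absolutely, and consumes it on first use. All names, the in-memory store, the fake clock and `hash_password` (a stand-in for a real KDF) are assumptions.

```python
"""Pending-2FA challenge handling: the reported flaw beside a fix.
Added example; not code from the write-up or any affected site. Class names,
the in-memory store and the fake clock are assumptions for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass

CODE_TTL = 20 * 60  # the 20-minute window reported in the write-up


def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # illustration only; use argon2/bcrypt


@dataclass
class Account:
    name: str
    password_hash: str
    two_fa_enabled: bool = False
    cred_version: int = 0  # bumped on every password change or 2FA toggle

    def change_password(self, new_pw: str) -> None:
        self.password_hash = hash_password(new_pw)
        self.cred_version += 1

    def set_two_fa(self, enabled: bool) -> None:
        self.two_fa_enabled = enabled
        self.cred_version += 1


class VulnerableTwoFA:
    """Challenge tied only to the account name, with a sliding expiry."""

    def __init__(self, clock):
        self.clock = clock    # callable returning the current time in seconds
        self.pending = {}     # challenge -> (account name, expires_at)

    def issue(self, acct: Account) -> str:
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (acct.name, self.clock() + CODE_TTL)
        return challenge

    def keep_alive(self, challenge: str) -> None:
        # Re-rendering the 2FA page refreshes the expiry, so waiting extends it.
        name, _ = self.pending[challenge]
        self.pending[challenge] = (name, self.clock() + CODE_TTL)

    def verify(self, challenge: str, acct: Account) -> bool:
        entry = self.pending.get(challenge)
        return entry is not None and entry[0] == acct.name and self.clock() <= entry[1]


class HardenedTwoFA:
    """Challenge bound to the credential version, absolute expiry, single use."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}     # challenge -> (account name, cred_version, expires_at)

    def issue(self, acct: Account) -> str:
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (acct.name, acct.cred_version, self.clock() + CODE_TTL)
        return challenge

    def keep_alive(self, challenge: str) -> None:
        pass  # absolute expiry: viewing the page never extends the window

    def verify(self, challenge: str, acct: Account) -> bool:
        entry = self.pending.pop(challenge, None)  # consumed on first use
        if entry is None:
            return False
        name, version, expires_at = entry
        return (name == acct.name
                and version == acct.cred_version   # password change / 2FA toggle kills it
                and acct.two_fa_enabled            # no 2FA login path once 2FA is off
                and self.clock() <= expires_at)


def replay_scenario(service_cls) -> bool:
    """Run the attack scenario from the write-up against one implementation
    and return whether the attacker's stale challenge still grants access."""
    now = [0.0]
    svc = service_cls(lambda: now[0])
    victim = Account("victim", hash_password("old-password"))

    # attacker holds the account: enable 2FA, request a code, disable 2FA
    victim.set_two_fa(True)
    challenge = svc.issue(victim)
    victim.set_two_fa(False)

    # attacker sits on the 2FA page for 90 minutes, well past the 20-minute TTL
    for _ in range(6):
        now[0] += 15 * 60
        svc.keep_alive(challenge)

    # victim resets the password to regain control
    victim.change_password("new-password")
    return svc.verify(challenge, victim)
```

`replay_scenario(VulnerableTwoFA)` returns True (the stale code still logs the attacker in) and `replay_scenario(HardenedTwoFA)` returns False. Any one of the three hardened checks would have stopped this particular scenario; together they also cover the variants where the attacker skips the 2FA toggle or the victim never changes the password but the code is simply old.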
Turbo Intruder: Burp extension link
Turbo Intruder: Embracing the billion-request attack: Article & Video
Debug.py: Example script to help debug/diagnose issues with Turbo Intruder failing to connect
Turbo Intruder is a new Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. Here are some things to know about it:
It’s open source.
It’s really incredibly fast because it’s built on a custom HTTP stack.
Despite its speed, it has a low risk of causing a Denial of Service on the target server. According to @albinowax, “it’s certainly possible but the low number of concurrent connections helps avoid this – it tends to just run slowly on struggling websites rather than overwhelming them.”
It doesn’t need Burp Suite to run, you can launch it from the command line.
It can be used for file/directory bruteforcing, detecting race conditions, or any other attack that requires more speed, duration or complexity than Burp Intruder offers.
LevelUp 0x03 2019
Slides:
– Bad API, hAPI Hackers!
– AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs
Yes! It’s that time of the year again. A new LevelUp conference with so many good talks on web app security, social engineering, API, IoT and mobile security, plus some non-technical talks.
A must, especially for bug hunters!
Have you ever found an Exploit-DB exploit that you wanted to test but didn’t know how? One very easy and quick way to use these exploits is to add them to Metasploit and run them like any other Metasploit module.
This isn’t a new trick, but it can be very helpful if you’re starting out in penetration testing. I remember when I discovered this; it was mind-boggling.
The Many Hats Club Ep. 32, She hacks purple (with Tanya Janca)
Smashing Security 112: Payroll scams, gold coin heists, web giants spanked
Ep. 016 – Email fraud, Android apps, Collection #1 and the 10 year challenge [PODCAST]
Medium to advanced
Code completion for Burp Jython extensions: Develop Burp Extensions in Python with code completion
Abusing Exchange: One API call away from Domain Admin & PrivExchange
Beginners corner
SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2
Wireless Hacking, Part 10: Creating an Evil Twin Wi-Fi AP to Eavesdrop on the Target’s Traffic
How I made a programmable hacking USB device to infiltrate PCs?
Challenge writeups
Playing with CloudGoat part 1: hacking AWS EC2 service for privilege escalation, Part 2, Part 3 & Part 4
Pentest & Responsible disclosure writeups
Why you should not have plain numbers as IDs in your database
Intrusion Testing – From Evil Printers to Parent Domain Controllers
How to Hack an Expensive Camera and Not Get Killed by Your Wife
SickSploit – Finding and exploiting open SickChill instances
Bug bounty writeups
Information disclosure on Twitter ($2,940)
Authentication/OAuth flaw on Uber ($7,500)
Domain hijacking on Starbucks ($1,000)
Blind XSS combined & Unrestricted file upload on AntiHack.me
See more writeups on The list of bug bounty writeups.
If you don’t have time
Objection: Runtime mobile exploration toolkit, powered by Frida
More tools, if you have time
bXSSRequest: Literally spray blind XSS payloads everywhere. “A tool that would spray payloads at a list of urls or endpoints in request headers”
Electronegativity: A tool to identify misconfigurations and security anti-patterns in Electron applications
Htcap: A web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes
Malice: VirusTotal Wanna Be. “A free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company “
Passcreator: Create your own wordlist or password list
Nmap for Go: Idiomatic nmap bindings for go developers
SSHReverseShell: Full TTY reverse shell over SSH. “tool to automatically drop you into a full TTY shell and implemented secure file transfer over SSH”
Tiny SHell: SSH-like backdoor with full-pty terminal
sshtranger_things.py: SSHtranger Things Exploit POC
Top 10 web hacking techniques of 2018: Vote before 11 February 2019
Disclose bug-bounty-list.json & Explanation: Disclose.io project updated with a JSON file containing the details of 771 companies where security researchers can disclose security vulnerabilities (Safe harbor status included)
Secjuice jobs: Infosec Employment Board, 100% Free, No Advertising
APIsecurity.io Issue 15: Fortnite hack, TLS MITM attacks, SQL injections for NoSQL
Hak.lnk: Resources For Hackers
Day 26: The Complete List of Windows Post-Exploitation Commands (No Powershell)
WebSploit: All-in-one Kali VM including DVWA, Mutillidae, Hackazon, WebGoat, Juice-shop & Mutillidae 2
SQLi Platform: Training for SQL injections
At the end of February we are going to announce the first bug bounty of the MoD. Ethical hackers were recruited in the cyber operational research [department] and they’re going to track down the faults of our system
South Korean Android delivery apps found to be leaking passwords and financial data
Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
The huge ‘Collection #1’ data breach is only a small part of much larger hacker dataset: The “Price for access lifetime” is only $45
Millions of bank loan and mortgage documents have leaked online
Rogue websites can turn vulnerable browser extensions into back doors
This is amazing and going to lead to a lawsuit
Google fined with €50 million ($57 million) by French regulators at CNIL for GDPR breach
Google launched a phishing quiz to test whether you can identify phishing emails
ThreatList: Credential-Sniffing Phishing Attacks Erupted in 2018
DHS Issued Emergency Directive Ordering Federal Agencies To Audit DNS Activity for their Domains
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/18/2019 to 01/25/2019.
Curated by Pentester Land & Sponsored by Intigriti