By Intigriti
August 6, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from July 26 to August 2.
Ghostwriter is a new project management & reporting engine by SpecterOps. It is open source and free and has a lot of interesting features:
Client management: for tracking your pentest clients & the information like points of contact, project history, notes…
Project management: for information like the type of project (pentest, vulnerability assessment, etc), start & end dates, the team assigned to the project…
Infrastructure management: for tracking and monitoring the domain names & servers you use for the project (like C2 servers)
Reporting engine: to generate reports in different formats (JSON, docx, xlsx & pptx) with support for template keywords
Automation: running tasks in the background, releasing C2 domains at the end of a project & Slack notifications
These are just some functionalities. Ghostwriter is an excellent tool for pentest teams and red teams.
I’m always interested in writeups about bugs chained together for a higher impact. This one is a good example of reflected XSS combined with Web cache poisoning: once the response carrying the payload is cached, every visitor of that page gets the XSS until the cache entry expires, so the reflected bug effectively becomes stored. (Credits to nahoragg for the writeup.)
The writeup itself brings many lessons such as:
Drupal has many known misconfigurations. So a CMS being used doesn’t mean there are no bugs!
Drupal’s internal caching system is enabled by default
To find out if caching is enabled, look for the x-drupal-cache response header
To find input that gets reflected in the response, try the X-Original-URL and X-Rewrite-URL headers, or parameter bruteforcing
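The probe below is an added example (not code from the write-up or from Drupal) of how to test the last two lessons safely: send a candidate header such as X-Original-URL with a harmless canary behind a cache-buster, then re-request without the header and see whether the cache still serves the canary. The target here is a constructed in-memory site that keys its page cache on the URL only, reflects X-Original-URL into the body and reports cache state in X-Drupal-Cache; those behaviours, the header names and the URLs are assumptions for the demonstration. The block also shows the cache-side fix (keying on the reflected header) so you can see the probe come back negative.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


class SimulatedCachedSite:
    """Constructed stand-in for a site with a URL-keyed page cache.
    Assumption: it reflects X-Original-URL into the HTML unescaped and
    reports cache state in X-Drupal-Cache, like the write-up's target."""

    REFLECTED_HEADER = "X-Original-URL"

    def __init__(self, keyed_headers=()):
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def origin(self, url, headers):
        # Hypothetical reflection point: the header value lands in the body.
        path = headers.get(self.REFLECTED_HEADER, url)
        return f"<html><body>Current page: {path}</body></html>"

    def get(self, url, headers=None):
        headers = headers or {}
        # Cache key = URL plus whichever headers the cache was told to key on.
        # With keyed_headers=() the reflected header is unkeyed: that is the bug.
        material = url + "|" + "|".join(headers.get(h, "") for h in self.keyed_headers)
        key = hashlib.sha256(material.encode()).hexdigest()
        if key in self.store:
            return Response(self.store[key], {"X-Drupal-Cache": "HIT"})
        body = self.origin(url, headers)
        self.store[key] = body
        return Response(body, {"X-Drupal-Cache": "MISS"})


def probe_unkeyed_header(fetch, url, header, canary="cpz7q1x"):
    """fetch(url, headers) -> Response.  Three-step check:
    1. add a cache-buster query string so the test never poisons a page
       that real users are being served;
    2. send the candidate header carrying a harmless canary and check
       whether it is reflected;
    3. re-request the same URL *without* the header: if the cache reports
       HIT and the canary is still in the body, the header is unkeyed and
       the cached response is poisonable (swap the canary for an XSS
       payload and everyone gets it until the entry expires)."""
    sep = "&" if "?" in url else "?"
    busted = f"{url}{sep}cb={secrets.token_hex(4)}"
    first = fetch(busted, {header: canary})
    reflected = canary in first.body
    second = fetch(busted, {})
    hit = second.headers.get("X-Drupal-Cache", "").upper() == "HIT"
    return {
        "cache_header_present": "X-Drupal-Cache" in first.headers,
        "reflected": reflected,
        "poisoned": reflected and hit and canary in second.body,
    }


if __name__ == "__main__":
    vulnerable = SimulatedCachedSite()
    print(probe_unkeyed_header(vulnerable.get, "https://example.test/page", "X-Original-URL"))
    # Cache-side fix: include the reflected header in the key (or strip it at the edge).
    fixed = SimulatedCachedSite(keyed_headers=("X-Original-URL",))
    print(probe_unkeyed_header(fixed.get, "https://example.test/page", "X-Original-URL"))
```

Against a real target, replace `vulnerable.get` with a function that performs the HTTP request and returns the body and headers; keep the cache-buster, because a probe without one poisons the live page for every visitor until it expires.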
This is @digininja’s latest Web challenge. It’s a Github repo that has many sensitive information disclosures.
At first sight, it looks empty (except for the README file and a solutions file). So this is an interesting challenge for beginners who want to learn about information leaks, where to look for interesting information in Github repositories (beyond the visible files), how to use tools like Gitrob & truffleHog, etc.
Finding the Balance Between Speed & Accuracy During an Internet-wide Port Scanning
Most port scanning tutorials for bug hunters recommend using Masscan to get a list of open ports, then re-scanning those ports with Nmap to get exact service versions.
The problem with this method is that Masscan, especially at high rates, can miss open ports. Nmap is more accurate but far slower when the target range is large.
So what’s the solution? This is the question that @CaptMeelo tried to answer by doing some benchmarking.
His conclusion: Run 2 or 3 concurrent Masscan jobs with all 65535 ports split into 4-5 ranges. Then run Nmap on the open ports found to get their version.
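The script below is an added example (not from @CaptMeelo’s article) of putting that conclusion into a POSIX shell workflow: split 1-65535 into N contiguous ranges, run one Masscan job per range with a capped number of parallel jobs, then convert Masscan’s list output into per-host port lists for Nmap version scanning. The target CIDR, rate and output file names are placeholders; the sample Masscan output is constructed to show the parsing. `xargs -P` is a GNU/BSD extension, not strict POSIX.

```sh
#!/bin/sh
# Added example: masscan (wide, fast) -> nmap -sV (narrow, accurate) pipeline.

# split_ports N: print N comma-separated contiguous ranges covering 1-65535.
# The last range absorbs the remainder so no port is dropped.
split_ports() {
    awk -v n="$1" 'BEGIN {
        total = 65535; size = int(total / n); start = 1
        for (i = 1; i <= n; i++) {
            end = (i == n) ? total : start + size - 1
            printf "%s%d-%d", (i > 1 ? "," : ""), start, end
            start = end + 1
        }
        printf "\n"
    }'
}

# masscan_to_nmap_targets: read masscan -oL output on stdin and print
# "<ip> <port,port,...>" lines, one per host, so each host gets a single
# nmap run over exactly the ports masscan saw open.
masscan_to_nmap_targets() {
    awk '$1 == "open" && $2 == "tcp" {
            if ($4 in ports) ports[$4] = ports[$4] "," $3
            else ports[$4] = $3
         }
         END { for (ip in ports) print ip, ports[ip] }' | sort
}

# Constructed sample of masscan list output (format: open <proto> <port> <ip> <ts>).
SAMPLE_MASSCAN='#masscan
open tcp 80 192.0.2.10 1564000000
open tcp 443 192.0.2.10 1564000001
open tcp 22 192.0.2.11 1564000002
# end'

# run_scan TARGET [RATE] [RANGES] [JOBS]: 5 ranges, 3 concurrent masscan jobs
# by default, then nmap -sV on the open ports. Only runs if the tools exist.
run_scan() {
    target="$1"; rate="${2:-10000}"; ranges="${3:-5}"; jobs="${4:-3}"
    command -v masscan >/dev/null 2>&1 || { echo "masscan not installed" >&2; return 1; }
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
    split_ports "$ranges" | tr ',' '\n' |
        xargs -P "$jobs" -I{} masscan "$target" -p{} --rate "$rate" -oL "masscan_{}.txt"
    cat masscan_*.txt | masscan_to_nmap_targets | while read -r ip ports; do
        nmap -sV -p "$ports" -oN "nmap_$ip.txt" "$ip"
    done
}

# Usage (commented out so the file can be sourced without scanning anything):
# run_scan 192.0.2.0/24 10000 5 3
```

Lower `--rate` or raise the number of ranges if you still see ports missing on re-scan; Masscan’s misses come from packet loss at speed, so fewer packets per second per job is the knob that trades speed for accuracy.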
Websites behind a WAF get DDoS protection and filtering of many common Web attacks (XSS, SQLi, CSRF…). If you can find the origin server’s real IP address and talk to it directly, bypassing the WAF entirely, you can test faster and for more vulnerabilities. WAF bypass gives Web app pentesters and bug hunters an edge.
This article by @gwendallecoguic is an excellent introduction to this topic. It provides several techniques for detecting the real IP address of a server, as well as tools for automation and resources to go further.
The Secure Developer Ep. #35, Secure Coding in C/C++ with Robert C. Seacord of NCC Group
Risky Business #550 — CapitalOne owned, Hutchins sentenced, VxWorks horror-show and more!
Smashing Security – 139: Capital One hacked, iMessage flaws, and anonymity my ass!
Sophos Podcast S2 Ep2: EvilGnome, leaky browser add-ons and BlueKeep – Naked Security Podcast
If CORS is just a header, why don’t attackers just ignore it?
How do I download files in a Remote Desktop Session over SSH
Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO)
Samsung NVR WebViewer Remote DoS Vulnerability — CVE-2019-12223 #DoS
How I was able to access complete storage of any ES-FileExplorer end-user #Mobile #Android
Opera Android Address Bar Spoofing: CVE-2019–12278 #Mobile #Android
I Always Feel Like Somebody’s W̶a̶t̶c̶h̶i̶n̶g̶ Listening to Me & TL;DR #IoT
R7-2019-18: Multiple Hickory Smart Lock Vulnerabilities #IoT
Browser extension flaw ($3,000)
IDOR on PayPal ($10,500)
Solr Injection on Zomato ($700)
See more writeups on The list of bug bounty writeups.
XSS Payload generator and dropper & Introduction: XSS payload generator with obfuscation, filter bypass & polyglots
PhanTap (Phantom Tap): An ‘invisible’ network tap aimed at red teams
Extended XSS Searcher and Finder: A better version of @damian89‘s xssfinder tool – scans for different types of xss on a list of urls
Extended ssrf search: Smart ssrf scanner using different methods like parameter brute forcing in post and get… Replaces @damian89‘s simple-oob-scanner
Extended baserequest importer: Helps @damian89 with some workflows when working with Burp, e.g. extract relevant params, scan them via intruder, watch passively!
Cloudcheck: Checks using a test string if a Cloudflare DNS bypass is possible using CloudFail
Goop: Proof of concept for bypassing Google search rate limiting CAPTCHA (remember, scraping Google search results is against Google’s terms of service!)
Pyrobots: a tool that reads the “robots.txt” file and appends each path to the domain/subdomain you entered
Atomic-Caldera: Plugin for @MITREattack’s Caldera framework. It makes it easier to convert @redcanaryco’s Atomic Red Team tests to be used with Caldera
LURE: User Recon Automation for GoPhish
Wordlistctl: Fetch, install and search wordlist archives from websites and torrent peers
Gowhois: whois command implemented by golang with awesome whois servers list
Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
Data from my Sunday streams: All the recon data from @nahamsec’s Sunday streams
Payloads to try to discover blind SQLi when no error is returned.
Collection of References on Why Password Policies Need to Change
Go-SCP: Go programming language secure coding practices guide
IppsecTribute V1.1: Website that allows you to search ippsec videos by keywords
Disobey 2020 Puzzle: “Solve the Disobey puzzle and you may get access to a special discounted hacker ticket”
Lessons in auditing cryptocurrency wallets, systems, and infrastructures
S3 Bucket Namesquatting – Abusing predictable S3 bucket names
Chatbot Security Framework: Everything you need to know about Chatbot security
Why Hackers Abuse Active Directory & Essential Active Directory Security Defenses
Hijacking browser TLS traffic through Client Domain Hooking: The author got a bounty from Google!
PowerShell Empire Framework Is No Longer Maintained & Alternatives
BlueKeep Exploits May Be Coming: Our Observations and Recommendations
Introducing Pingback Payloads: “a new, non-interactive payload type that provides users with confirmation of remote execution on a target—and absolutely nothing else”
NIST Releases Draft Security Feature Recommendations for IoT Devices
GreyNoise Visualizer: New visualizer that supports IP queries, CIDR queries, ASN queries, free text search over organizations, tag queries, JA3 fingerprint queries, etc. You can filter by interesting entries. Also check out the Walkthrough video, Query reference & Query examples.
How has DMARC adoption evolved since 2018? It’s…complicated.
Bugcrowd Releases Priority One Report: Payouts and Vulnerabilities Double Year over Year
‘Urgent/11’ flaws affect 200 million devices – from routers to elevators
Researchers Hack Surveillance Systems to Show Fake Video Feed
The Capital One breach is more complicated than it looks, An SSRF, privileged AWS keys and the Capital One breach & The Technical Side of the Capital One AWS Security Breach
Equifax data breach settlement: Regulators fire the first ‘warning shot’ of many
Russia targeted all 50 states in 2016 election, Senate report says
Unsecured Database Exposes Security Risks in Honda’s Network
An exposed password let a hacker access internal Comodo files
Data is safer in the cloud than in the bank: NAB: “The public cloud is more secure than the security a bank can put around its proprietary data centres”
Cisco to pay $8.6 million for selling vulnerable software to US government
Google Chrome Hides WWW and HTTPS:// in the Address Bar Again
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/26/2019 to 08/02/2019.
Curated by Pentester Land & Sponsored by Intigriti
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.