Bug Bytes #30 – Chaining Cache Poisoning To Stored XSS, How To Bypass Cloudflare’s WAF & Ghostwriter by SpecterOps

By Intigriti

August 6, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from July 26 to August 2.

Our favorite 5 hacking items

1. Tool of the week

Ghostwriter, Introduction – Part 1 & Part 2

Ghostwriter is a new project management & reporting engine by SpecterOps. It is open source and free and has a lot of interesting features:

  • Client management: for tracking your pentest clients & the information like points of contact, project history, notes…

  • Project management: for information like the type of project (pentest, vulnerability assessment, etc), start & end dates, the team assigned to the project…

  • Infrastructure management: for tracking and monitoring the domain names & servers you use for the project (like C2 servers)

  • Reporting engine: to generate reports in different formats (JSON, docx, xlsx & pptx) with support for template keywords

  • Automation: running tasks in the background, released C2 domains at the end of a project & Slack notifications

These are just some functionalities. Ghostwriter is an excellent tool for pentest teams and red teams.

2. Writeup of the week

Chaining Cache Poisoning To Stored XSS

I’m always interested in writeups about bugs chained together for a higher impact. This one is a good example of reflected XSS and Cache poisoning combined, which means that the XSS becomes stored. (Credits to nahoragg for the writeup).
The writeup itself brings many lessons such as:

  • Drupal has many known misconfigurations. So the fact that a CMS is in use doesn’t mean there are no bugs!

  • Drupal’s internal caching system is enabled by default

  • To find out if caching is enabled, look for the x-drupal-cache response header

  • To find input that gets reflected in the response, try the X-Original-URL and X-Rewrite-URL headers, or parameter bruteforcing
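The lessons above boil down to a check you can run over captured traffic: is Drupal’s page cache in front of the application, is an unkeyed request header reflected into the body, and does a later request that never sent that header get the reflected value back from the cache? The snippet below is an added example, not code from the write-up or from Drupal; the `Exchange` shape, the header names and the sample responses are constructed for illustration, and the canary value is an inert marker, not a payload.

```python
"""Offline check for the web cache poisoning preconditions described in the write-up.

It works over captured request/response pairs (from a proxy or server log) rather
than sending traffic itself. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Request headers that some frameworks honour for URL rewriting but that a cache
# normally does not include in its cache key. Names taken from the write-up's lessons.
UNKEYED_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


@dataclass
class Exchange:
    """One captured request/response pair (assumed shape, not a Drupal or proxy API)."""
    request_headers: Dict[str, str]
    status: int
    response_headers: Dict[str, str]
    body: str


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_state(ex: Exchange) -> Optional[str]:
    """Drupal's internal page cache announces itself with x-drupal-cache: HIT or MISS."""
    return get_header(ex.response_headers, "x-drupal-cache")


def reflected_unkeyed_headers(ex: Exchange) -> List[str]:
    """Names of probe headers whose value was copied verbatim into the response body."""
    found = []
    for name in UNKEYED_HEADERS:
        value = get_header(ex.request_headers, name)
        if value is not None and value in ex.body:
            found.append(name)
    return found


def assess(exchanges: List[Exchange], canary: str) -> Dict[str, object]:
    """Summarise the three findings over a sequence of exchanges.

    poison_confirmed is only set when a request that sent NO probe header still
    received the canary from a cache HIT: that is the point where a reflected
    value becomes stored and is served to other users.
    """
    cached = any(cache_state(ex) is not None for ex in exchanges)
    reflected = sorted({n for ex in exchanges for n in reflected_unkeyed_headers(ex)})
    confirmed = False
    for ex in exchanges:
        sent_probe = any(get_header(ex.request_headers, n) for n in UNKEYED_HEADERS)
        if cache_state(ex) == "HIT" and canary in ex.body and not sent_probe:
            confirmed = True
    return {"cached": cached, "reflected_headers": reflected, "poison_confirmed": confirmed}


# Constructed sample: baseline page, a request carrying the canary in X-Original-URL,
# then a clean request that gets the canary back from the cache.
CANARY = "/canary-8d2f"  # inert marker, constructed for this example
HOST = {"Host": "www.example.test"}
BASE_BODY = '<link rel="canonical" href="https://www.example.test/" />'
CANARY_BODY = '<link rel="canonical" href="https://www.example.test' + CANARY + '" />'
SAMPLE = [
    Exchange(dict(HOST), 200, {"Content-Type": "text/html", "x-drupal-cache": "MISS"}, BASE_BODY),
    Exchange({**HOST, "X-Original-URL": CANARY}, 200,
             {"Content-Type": "text/html", "x-drupal-cache": "MISS"}, CANARY_BODY),
    Exchange(dict(HOST), 200, {"Content-Type": "text/html", "x-drupal-cache": "HIT"}, CANARY_BODY),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE, CANARY).items():
        print(f"{key}: {value}")
```

The check deliberately separates reflection from confirmation: a reflected header on its own only proves the application trusts the header, while the cache HIT on a clean request is what turns it into a stored problem. The same three-step capture (baseline, probe, clean re-request) is what you would keep as evidence in a report.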

3. Challenge of the week

Leaky Repo

This is @digininja’s latest Web challenge. It’s a GitHub repo that contains many sensitive information disclosures.
At first sight, it looks empty (except for the README file and a solutions file). So this is an interesting challenge for beginners who want to learn about information leaks, where to look for interesting information in Github repositories (beyond the visible files), how to use tools like Gitrob & truffleHog, etc.

4. Article of the week

Finding the Balance Between Speed & Accuracy During an Internet-wide Port Scanning

Most port scanning tutorials for bug hunters recommend using Masscan to get a list of open ports, then re-scanning those ports with Nmap to identify the service versions.
The problem with this method is that Masscan can miss many open ports. Nmap is more accurate but much slower when the range to test is large.
So what’s the solution? This is the question that @CaptMeelo tried to answer by doing some benchmarking.
His conclusion: Run 2 or 3 concurrent Masscan jobs with all 65535 ports split into 4-5 ranges. Then run Nmap on the open ports found to get their version.

5. Tutorial of the week

Bypassing Cloudflare WAF with the origin server IP address

Websites behind a WAF are protected against DDoS and many Web vulnerabilities (XSS, SQLi, CSRF…). If you can entirely bypass a WAF and speak directly to your target’s servers, you will be able to go faster and test for more vulnerabilities. WAF bypass provides an edge to Web app pentesters and bug hunters.
This article by @gwendallecoguic is an excellent introduction to this topic. It provides several techniques for detecting the real IP address of a server, as well as tools for automation and resources to go further.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Cloudcheck: Checks using a test string if a Cloudflare DNS bypass is possible using CloudFail

  • Goop: Proof of concept for bypassing Google search rate limiting CAPTCHA (remember, scraping Google search results is illegal!)

  • Pyrobots: a tool that reads the robots.txt file and appends each path to the domain/subdomain you entered

  • Atomic-Caldera: Plugin for @MITREattack’s Caldera framework. It makes it easier to convert @redcanaryco’s Atomic Red Team tests to be used with Caldera

  • LURE: User Recon Automation for GoPhish

  • Wordlistctl: Fetch, install and search wordlist archives from websites and torrent peers

  • Ipdiscover

  • Gowhois: a whois command implemented in Go with an extensive whois server list

  • Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool

Misc. pentest & bug bounty resources

Challenges

  • Disobey 2020 Puzzle: “Solve the Disobey puzzle and you may get access to a special discounted hacker ticket”

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/26/2019 to 08/02/2019.

Curated by Pentester Land & Sponsored by Intigriti

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
