Bug Bytes #33 – SSRF going wild, intigriti’s new challenge & JSON CSRF

By Intigriti

August 27, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 16 to 23 of August.

Intigriti news

1. WooRank premium features

Premium features are now in-scope for the Woorank project. Check out the project description for more info on how to enable them!

2. Solve the intigriti challenge & win

We announced a new XSS challenge on our Twitter profile. The challenge is simple: find a way to steal a victim’s cookies and win a Burp Pro License. It’s not too late to participate, as the challenge runs until Friday! Only three people have solved it so far — so your chances of getting a free Burp License are higher than usual!

We have tweeted out four tips so far:

  • This is a client-side attack that works in Chrome ONLY.

  • When we say “no self XSS”, we do NOT say “no obscure user interaction”

  • Mark my words and my URL.

  • Go local.

Our favorite 5 hacking items

1. Article of the week

SSRF in the Wild

This article is an analysis of publicly disclosed SSRF writeups.
@vickieli7 curated 76 unique reports, then read each one and categorized them following criteria like: vulnerable feature, presence of SSRF protection, criticality/impact, type of fix implemented…
She gives interesting statistics on each category. For example, 27 of the 76 bugs affected an image/file upload feature.
I love this idea of studying a vulnerability class by producing statistics based on specific criteria. This can be scaled to include other bug types and more writeups.
It’s also a great idea to look for bypasses each time you read a writeup. This is what allowed @vickieli7 to find one bug while learning about SSRF!

2. Writeup of the week

Information disclosure & SQL injection on U.S. Dept Of Defense

The chain of bugs described in this writeup are simple but critical. File/directory bruteforce revealed a Trace.axd file that redirected to a login page.
Trace.axd is ASP.NET’s trace feature that helps developers debug the app.
Tests credentials worked and gave @arinerron access to a lot of sensitive information through that debug page: tokens, passwords, new endpoints… One of them was vulnerable to SQL injection.
An interesting idea to keep in mind if you find a SSRF on an ASP.NET app, is to look for Trace.axd to escalate it.

3. Tool of the week

Burp Scope Monitor Extension

This is such a useful Burp extension! It’s easy to install/use, and allows you to manage a list of URLs marked as “analyzed” or “not analyzed”.
You may already be using lists of endpoints during tests to keep up with large scopes, but now you can do it directly from Burp. It allows you to highlight requests, retrieve URLs from other Burp tabs, send requests you want to analyze to Burp repeater, import/export state files…
The only downside I see is that the import/export function makes my Burp freeze. I need more RAM but the other functionalities work fine.

4. Tutorial of the week

JSON CSRF To FormData Attack

This tutorial explains why JSON CSRF is harder to exploit than CSRF: You can’t send JSON Content-Type using an HTML form. You need AJAX which can be blocked by CORS.
So to exploit JSON CSRF, you either need to bypass CORS or one of the two techniques presented here: Change the request’s Content-Type from Content-Type: application/json to Content-Type: text/plain or to Content-Type: application/x-www-form-urlencoded.
If one of these is accepted by the server, they allow you to exploit the CSRF by creating an HTML form, bypassing the previous limitation.

5. Non technical item of the week

Is It Time to Let Employees Work from Anywhere?

I would have loved to have this study years ago when I was negotiating (rather begging for) remote work with my previous employers. Home office is one of the reasons that pushed me towards self-employment.
If you’re in a similar situation, the results could help you convince management. It basically says that “If an employee has a strong track record and can do most of their work independently, research shows that allowing them to work from anywhere would benefit both the individual and organization”.
Also, the study distinguishes between Work From Anywhere (WFA, meaning geographic flexibility) and Work from Home (WFH). The first gives more flexibility and people who transitioned from WFH to WFA had their productivity increase by 4.4%!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources

Articles

News

Bug bounty & Pentest news

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/16/2019 to 08/23/2019.

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

 

You may also like