Bug Bytes #34 – Challenge Winner, Bounty Economy and CSRF bible

By Intigriti

September 3, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 23 to 30 August.

Intigriti news

  • BPost launched their vetted program. If you want to become vetted, follow these steps and gain access to more bug bounty programs!

  • Our “Outside the Box”-XSS challenge is over! Check out the winner and the writeup by @Fady_Othman!

Our favorite 5 hacking items

1. Non technical item of the week

Economics of the bug bounty hunting

This is a great read about how @dmi3sh uses specific metrics to increase his hourly rate as a full-time bug hunter.
The main takeaway for me is that he relies on a list of criteria to decide on which target, functionality and bug type it is best to focus. These are things like: Probability of finding a bug, payout, chance of being duped, of getting N/As and out of scope, chances of being paid, etc.
Using these objective elements helps make decisions about what to focus on a lot easier.

2. Tools of the week

LinkDumper
Jsonp

These are two very handy Burp extensions. I couldn’t choose just one as I plan on using both!
LinkDumper extracts links and anything that could be an endpoint from responses. It decodes them, sorts them and displays the findings in a tab next to the request’s “response” tab (anywhere in Burp, like in Target, Proxy History, Repeater…).
What I like about this tool is that it also extracts anything that remotely resembles a link, even “junk”. This allows for finding endpoints that could have been missed with a simple regex. I noticed that it can also return URL parameters.
Jsonp is also worth testing. It helps reveal JSONP functionality by probing each JSON endpoint passively detected. When it sees an endpoint responding with application/json, it replays the request by appending parameters and/or changing the extension to .jsonp.
If a JSONP functionality is found, it could help you bypass CSP or find bugs like XSS and Cross-Site Script Inclusion (XSSI).
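The passive detection described above has to decide, from a response body alone, whether an endpoint is returning plain JSON or a JSONP wrapper whose callback name the client chose. The classifier below is an added example written for this newsletter, not code from the Jsonp extension; it is useful on the defending side too, for auditing your own API responses for callback-wrapped JSON that weakens a CSP. The sample bodies in the usage block are constructed.

```python
# Added example (not part of the Jsonp extension): tell plain JSON, JSONP and
# everything else apart, and check whether a requested callback was reflected.
import json
import re
from typing import Optional, Tuple

# A JSONP body is a JavaScript identifier (dotted names allowed) wrapping a
# JSON value, optionally followed by a semicolon, e.g. `cb({"a":1});`
_JSONP_RE = re.compile(
    r"^\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\((.*)\)\s*;?\s*$",
    re.DOTALL,
)


def classify_body(body: str) -> Tuple[str, Optional[str]]:
    """Return ('json', None), ('jsonp', callback_name) or ('other', None)."""
    try:
        json.loads(body)
        return "json", None
    except ValueError:
        pass
    match = _JSONP_RE.match(body)
    if match:
        try:
            json.loads(match.group(2))       # the wrapped value must itself be JSON
            return "jsonp", match.group(1)
        except ValueError:
            pass
    return "other", None


def is_callback_reflected(requested_callback: str, body: str) -> bool:
    """True when the server wrapped its JSON in exactly the callback name the
    client supplied, i.e. a cross-origin page could pick the receiving function.
    This is the condition that turns a JSON endpoint into an XSSI/CSP concern."""
    kind, name = classify_body(body)
    return kind == "jsonp" and name == requested_callback


if __name__ == "__main__":
    # Constructed sample responses, as an application might return them.
    samples = {
        "/api/me": '{"user": "alice", "admin": false}',
        "/api/me?callback=cb": 'cb({"user": "alice", "admin": false});',
        "/api/me.jsonp": 'window.onload({"user": "alice"})',
        "/login": "<html><body>sign in</body></html>",
    }
    for path, body in samples.items():
        print(path, classify_body(body))
    print(is_callback_reflected("cb", samples["/api/me?callback=cb"]))
```

Only a response whose wrapped payload parses as JSON is reported as JSONP, so ordinary JavaScript files are not misclassified just because they contain a function call.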

3. Article of the week

Analysis of Common Federated Identity Protocols: OpenID Connect vs OAuth 2.0 vs SAML 2.0

This is an excellent introductory article for anyone who struggles with understanding the difference between SSO, OAuth 2, OpenID Connect, and SAML.
You’ll find clear and concise definitions, comparison elements, common vulnerabilities, and links for further reading.

4. Slides of the week

Active Directory security workshop: A red and blue guide to popular AD attacks

This is a 227-page presentation on Active Directory security. It is full of resources, tools, attacks, techniques and ways to protect against them (useful for pentest recommendations).
A great resource for AD security!

5. Tutorial of the week

Bypassing CSRF Protection

What do you test for if you see CSRF protection on an app? This tutorial lists several techniques that may give you new ideas to try.
They are not groundbreaking, but they are basics that every tester should know. The techniques are: clickjacking, changing the request method, deleting the token parameter or sending a blank token, using another session’s CSRF token, session fixation, removing the Referer header, and bypassing the regex.
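Each technique in that list corresponds to a shortcut a server-side check can take. The validator below is an added example for this newsletter, not code from the tutorial, showing a CSRF check written so that every one of those shortcuts is closed: the site origin `SITE_ORIGIN`, the `Session`/`Request` classes and the helper names are assumptions made for the example, and the requests built in the usage block are constructed.

```python
# Added example (not from the linked tutorial): a state-changing handler's CSRF
# check, with each decision annotated by the bypass it is there to defeat.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the application is served from exactly this origin.
SITE_ORIGIN = "https://app.example"
# Only these methods may reach a state-changing handler.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, bound to this session only."""
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def rotate_session(old: Session) -> Session:
    """Issue a new session id and token at login, so a session planted before
    login (session fixation) never carries over into the authenticated state."""
    return Session(sid=secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def _header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(req: Request, session: Session) -> Tuple[bool, str]:
    """Return (allowed, reason). Called by every handler that changes state."""
    # "Changing the request method": a GET that reaches a mutating handler is
    # refused outright rather than processed with the token check skipped.
    if req.method.upper() not in STATE_CHANGING_METHODS:
        return False, "state change attempted with non-mutating method"

    # "Removing the referrer header": no Origin and no Referer means reject,
    # not "nothing to compare, so let it through".
    source = _header(req, "Origin") or _header(req, "Referer")
    if source is None:
        return False, "no Origin or Referer header"
    # "Bypassing the regex": compare the whole origin for equality instead of a
    # substring/regex match that app.example.evil.test or evil.test/app.example
    # could satisfy.
    if _origin_of(source) != SITE_ORIGIN.lower():
        return False, "cross-origin source"

    # "Deleting the token parameter" / "sending a blank token".
    token = req.form.get("csrf_token")
    if not token:
        return False, "missing or blank csrf_token"
    # "Using another session's CSRF token": the token is only valid for the
    # session that owns it; constant-time comparison avoids timing leaks.
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "token does not belong to this session"
    return True, "ok"


def anti_clickjacking_headers() -> Dict[str, str]:
    """Headers that stop the page being framed, closing the clickjacking route
    in which the victim's own token-bearing form is submitted for them."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


if __name__ == "__main__":
    victim = rotate_session(Session(sid="pre-login"))
    good = Request("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": victim.csrf_token})
    forged = Request("POST", {"Referer": "https://app.example.evil.test/"}, {"csrf_token": "x"})
    print(check_csrf(good, victim), check_csrf(forged, victim))
```

The order of the checks matters for defenders reading logs: a request is rejected for the cheapest reason first (method, then source origin, then token), so a rejection reason of "token does not belong to this session" only appears for same-origin mutating requests, which is the case worth investigating.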

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • DNS Validator: Maintains a list of IPv4 DNS servers by verifying them against baseline servers, and ensuring accurate responses

  • Hashcatch: Capture handshakes of nearby WiFi networks automatically

More tools, if you have time

  • Yar: A tool for plundering organizations, users and/or repositories from Github

  • Recursebuster: Rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments

  • http-pulse_ssl_vpn.nse: Nmap NSE script to detect Pulse Secure SSL VPN file disclosure CVE-2019-11510

  • Sudomy: Subdomain enumeration tool in Bash

  • Kibanarec: A tool to extract open Kibana instances on the Internet and map them to their corresponding organizations using SSL certificates

  • apk_api_key_extractor: Automatically extracts API Keys from APK files

  • xss2png: PNG IDAT chunks XSS payload generator

  • CCAT & Tutorial: Cloud Container Attack Tool, a tool for testing security of container environments

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/23/2019 to 08/30/2019.

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
