Bug Bytes #37 – How to find more IDORs, Race Condition to RCE & Tracy

By intigriti_inti

September 24, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all the write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 13 to 20 September.

Our favorite 5 hacking items

1. Tutorial of the week

How to find more IDORs

This tutorial explains how to find IDORs that are less obvious than simply incrementing a numeric ID. The techniques are especially helpful in a bug bounty context, where the easy cases have usually been reported already.
Some of them: testing encoded and hashed IDs instead of assuming they are unguessable, adding an ID parameter to the request even if the app didn't ask for one, changing the request method, etc.
Also, an IDOR combined with a self-XSS can lead to stored XSS, which increases the impact of the IDOR.
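As an added example (my code, not the tutorial's), the helper below turns a single request into the IDOR probes the tutorial lists: it recognises plain, base64-encoded and hashed IDs (md5/sha1/sha256 of a small integer, found by hashing candidates), re-encodes the neighbouring IDs in the same format, adds an `id` parameter when the request carries none, and replays the URL with every other HTTP method. The example URLs, the parameter name `id` and the assumption that hashed IDs hide small sequential integers are mine.

```python
"""Turn one request into IDOR probes: encoded/hashed IDs, injected IDs, other methods (added example)."""
import base64
import binascii
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")
GUESS_RANGE = range(1, 100_000)   # assumption: hashed IDs hide small sequential integers


def encode_like(kind, plain, like=""):
    """Re-encode a plain integer id the way the original value `like` was encoded."""
    if kind == "int":
        return plain
    if kind == "base64":
        enc = base64.b64encode(plain.encode()).decode()
        return enc if (not like or like.endswith("=")) else enc.rstrip("=")
    if kind in HASH_BY_LEN.values():
        return hashlib.new(kind, plain.encode()).hexdigest()
    raise ValueError(f"unknown id kind {kind!r}")


def classify(value):
    """Recognise an id as ('int', n), ('base64', n) or ('<hash>', n); None if unrecognised.
    Hashes are 'cracked' by hashing every integer in GUESS_RANGE and comparing."""
    if value.isdigit():
        return ("int", value)
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        if raw.isdigit():
            return ("base64", raw.decode())
    except (binascii.Error, ValueError):
        pass
    algo = HASH_BY_LEN.get(len(value))
    if algo and all(c in "0123456789abcdef" for c in value.lower()):
        for n in GUESS_RANGE:
            if hashlib.new(algo, str(n).encode()).hexdigest() == value.lower():
                return (algo, str(n))
    return None


def neighbour_ids(value):
    """The ids just below and above `value`, re-encoded the same way (empty if unrecognised)."""
    found = classify(value)
    if not found:
        return []
    kind, plain = found
    n = int(plain)
    return [encode_like(kind, str(m), value) for m in (n - 1, n + 1) if m >= 0]


def idor_variants(method, url, injected_param="id", injected_value="1"):
    """(method, url) probes for one request:
    - each recognisable id parameter swapped for its neighbours (same encoding),
    - an id parameter added when the request carries no recognisable id,
    - the same request replayed with every other HTTP method."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)

    def with_query(pairs):
        return urlunsplit(parts._replace(query=urlencode(pairs)))

    variants, found_id = [], False
    for i, (name, value) in enumerate(params):
        for alt in neighbour_ids(value):
            found_id = True
            variants.append((method, with_query(params[:i] + [(name, alt)] + params[i + 1:])))
    if not found_id and injected_param not in dict(params):
        variants.append((method, with_query(params + [(injected_param, injected_value)])))
    for other in METHODS:
        if other != method.upper():
            variants.append((other, with_query(params)))
    return list(dict.fromkeys(variants))   # de-duplicate, keep order
```

Feed the output to your HTTP client of choice and diff each response against the original: a neighbouring ID that returns someone else's record, or a method switch that skips the ownership check, is the finding.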

2. Writeup of the week

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

@YoKoAcc, @JRs_Faisal and Tomi teamed up and found a whole bunch of bugs on a private program. They share multiple writeups, each explaining a different bug.
This one is interesting because of the unusual race condition. Here are my main takeaways:
They couldn't find any flaws in the main file upload functionality. But the file edit functionality let them rename an already uploaded file to any extension (including .php!). Nice way to turn a restricted upload into an unrestricted one…
So they could upload web shells, but that alone didn't give them RCE, because uploaded files were moved to AWS S3 after 2 seconds! And here is the weird part: for some reason, the request that modified the uploaded file was vulnerable to a race condition. By sending many requests at once, the server returned the file's location on the web server (before it was moved to S3). So in the short window where the file was still on the origin server, they requested it in a browser and got a reverse shell.
It's not clear why this happens, but it's interesting to see a race condition help turn a file upload into RCE!

3. Tool of the week

Tracy

Most tools that help with XSS detection are limited because they look for input reflected in the server's response, so they miss bugs where the payload only travels through client-side JavaScript.
Tracy goes further by helping you identify sources of input and their corresponding outputs (sinks). You can trace tainted input throughout the DOM, even in apps that use a lot of JavaScript, which helps detect harder-to-find XSS types like DOM XSS.
The only other tool I've seen do this efficiently was DOMinator Pro, but it was commercial and I can't find it online anymore. So it's awesome to have a free open source alternative!

4. Non technical item of the week

Problems I have faced in Bug Bounty

I really enjoyed reading this article. After 2 months of bug hunting, @Unknownuser1806 shares 6 problems he faced and how he solved them.
They revolve around productivity and mental health. I feel that we can easily lose sight of these topics when we get engrossed in hacking. Burnout is never that far… So the refresher is great! It’s also nice to see the specific tools a fellow bug hunter found helpful: Engross App, Habitica, Evernote/Diary, Morning habits, meditation & exercise.

5. Tips of the week

  • If you can't access the admin panel, try discovering the JavaScript files for the admin section! E.g. if /admin/ is restricted, try and see if /admin/js or similar exists and brute-force from there.
  • While registering an account there are no fields like address or about me, but they exist on the page where you can edit your info after registering. Try to add them while registering another account and paste payloads in the values; this can bypass (XSS/injection) protection.

There's not much to add here; the tips are self-explanatory.
I’ve never encountered these ideas before and think they’re worth adding to any Web testing methodology!

Other amazing things we stumbled upon this week



If you don’t have time

  • Pixload: Image Payload Creating/Injecting tools

  • Bass: A tool that combines valid DNS resolvers from various DNS Providers of your target and generates a maximum final list of DNS resolvers. Add anywhere from 100-4k resolvers to your ‘resolver.txt’ (TL;DR)

  • Docem: Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)

  • Curryfinger & Introduction: A Go tool for finding the server behind popular CDNs through SNI & Host header spoofing

More tools, if you have time

  • Dupe Key Injector: A Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at BSides/BlackHat/DEFCON 2019 “SSO Wars: The Token Menace” presentation

  • G-Calendar-Audit: A Python script to check for public Google calendars

  • Lockdoor Pentesting Framework: A Penetration Testing framework with Cyber Security Resources

  • Dnmasscan: A script that can resolve an input file of domains & scan them with masscan

  • EZDomain: Python script for subdomain, file, directory & S3 bucket bruteforce

  • Dr Robot: A tool for Domain Reconnaissance and Enumeration

  • Dolos Cloak: Automated 802.1x Bypass

  • Cryptbreaker & Introduction: A cloud-backed password cracking and assessment tool

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/13/2019 to 09/20/2019.

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.


