By Intigriti
October 1, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 20 to 27 of September.
Tomorrowland added https://winterpackages.tomorrowland.com/en to their scope
A new vetted program launched on intigriti. Learn how to become vetted.
We’ve launched another XSS challenge! Solve it and win a Burp Suite Pro license and private invitations!
TIP 1: // is more than a comment!
TIP 2: Go back to your roots
TIP 3: It’s a name game
TIP 4: Like an onion, this challenge has multiple layers.
I hope this talk’s video will be released soon. But even without it, this presentation is very helpful in understanding what to look for in JavaScript files, existing tools for automation, and what can/cannot be automated.
Techniques mentioned include endpoint discovery, reversing source maps, technology fingerprinting, detecting sources and sinks, detecting ReDoS, detecting secrets, detecting vulnerable third-party components, etc.
As a bonus, LewisArdern provides MetaSec.js, a wrapper around several open source tools to automate JS file analysis
This is an SSTI writeup. Detection was pretty straightforward: @err0rrrrr injected {{7*7}}{{7*7}} as a comment and received an email notification containing 4949.
The interesting part is that exploitation was hindered by some kind of blacklisting. He could bypass it by bruteforcing local variable names using this custom wordlist. That’s worth adding to Burp to help with stubborn SSTIs!
This is an excellent article on automation using Burp and Aquatone.
The novel idea is to use visual identification, not for checking subdomains, but when you’re testing a large Web app. When you’re limited on time as a pentester, you want to quickly assess a lot of URLs to cover the maximum surface.
@ryanwendel explains how he gets a list of URLs from Burp’s proxy history, and passes them to Aquatone to take screenshots. If authentication is required, he makes Aquatone use Burp as a proxy, and leverages Session Handling rules to maintain an authenticated state. So handy!
This is the most comprehensive XSS cheatsheet I’ve seen.
What is also unique about it, apart from the number of payloads, is that it is interactive. You can filter payloads by tag, event handler and browser.
It also features entirely new XSS payloads that @garethheyes found and presented at Global AppSec 2019. The talk wasn’t recorded but the slides are available: XSS Magic tricks.
All this should be really helpful with HTML filter and WAF bypass.
09/15/2019 – Live Bug Bounty Recon Session on Yahoo (Censys, Crtsh, Sublist3r) w/ @Yaworsk
If you’re a fan of @Yaworsk, his books “Real-World Bug Hunting: A Field Guide to Web Hacking” and Web Hacking 101, or his Youtube channel, then you will love this video!
For, once he is the interviewee not the interviewer. The discussion starts at 1h55m00s and covers many topics: Peter’s way of doing recon, his testing methodology, his areas of improvements, how he does JS analysis, why he doesn’t set Burp scope to only the target app, burnout and way more.
Using BurpSuite’s Intruder to find bugs and solve Bug Bounty Notes & Hacker101 CTFs
Owning Cody’s First Blog (RCE) on Hacker101 and hacking on FFH from BugBountyNotes.com (IDOR)
How to Get Started in Infosec – with Michael LaSalvia – Cybertalk 1
Risky Business #557 — 26 nations release cyber norms statement at UN
#StateOfTheHack: #DerbyCon Edition with Dave Kennedy (@HackingDave)
BSides SATX 2019, especially:
Security Testing for Android Cross Platform Application ( Xamarin & Cordova) – Part 1 & Part 2
What is Reverse DNS? Top Tools for Performing a Reverse DNS Lookup
WordPress Privilege Escalation from an Editor to Administrator
The Time I Chased a Cab (File): Zip Slip and Certificate Cloning
Path traversal on Atlassian ($11,000)
Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE & XSS
Path traversal on Valve ($1,250)
Stored XSS on Rockstar Games ($1,000)
XSS & Open redirect on Twitter ($1,540)
Mongo-objectid-predict: Predict Mongo ObjectIds to exploit IDORs
Keyhacks.sh: No matter what tool you use to find secrets in Github, this Bash script will help test your findings
Secret-bridge, Introduction & TOOLS.md: Monitors Github for leaked secrets
Shhgit Live: Live stream of shhgit (Github monitoring tool) in action
WaybackRust: A tool written in Rust to query the WaybackMachine
Andromeda: Interactive Reverse Engineering Tool for Android Applications
CredNijna: A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB
Thetick: A simple embedded Linux backdoor
Navi: An interactive cheatsheet tool for the command-line
SKA: Simple Karma Attack
nmapAutomator: A script that you can run in the background!
SearchOpenFileShares & Introduction: Searches open files shares for potentially sensitive information (password files, database backups, etc)
Xsshop: Scripts for exploiting XSS
Bug Bounty Chat: Telegram channel to talk and help about bugbounty
Info Sec Pics: Telegram channel sharing infosecurity related pics
Web Application Cheatsheet (Vulnhub): List of Vulnhub VMs by exploit/vulnerability
Here’s what it’s like being a hacker millionaire under the age of 25
From now until November 1st. The Internal Security Assessment: Field Guide will be on sale for $4.99
High-severity vulnerability in vBulletin is being actively exploited
Syntax error in Go programming language conjugates security vulnerability
Apple to Fix iOS Bug Granting Full Access to 3rd Party Keyboards
Instagram phish poses as copyright infringement warning – don’t click!
Russian national confesses to biggest bank hack in US history
Hackers Exploit Unpatched Bug in Rich Reviews WordPress Plugin
Chinese Hackers Suspected Of Airbus Cyberattacks—A350 Among Targets
Advanced hackers are infecting IT providers in hopes of hitting their customers
Microsoft Phishing Attack Uses Google Redirects to Evade Detection
DoorDash confirms data breach affected 4.9 million customers, workers and merchants
Malicious Android Apps Evade Google Play Protect via Remote Commands
New Android Warning: 500 Million Users Have Installed Apps Hiding Nasty Malware—Uninstall Now
Microsoft Blacklists Dozens of New File Extensions in Outlook
How Google Changed the Secretive Market for the Most Dangerous Hacks in the World
What Is CrowdStrike and Why Is Donald Trump Blabbering About It to Ukraine
Medicine show: Crown Sterling demos 256-bit RSA key-cracking at private event
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/20/2019 to 09/27/2019.
Curated by Pentester Land & Sponsored by IntigritiDisclaimer:The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.