Bug Bytes #38 – New XSS Challenge, {{7*7}} to {{P1}} & the ultimate XSS payload generator

By Intigriti

October 1, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 20 to 27 of September.

Intigriti news

Our favorite 5 hacking items

1. Slide/tool of the week

Manual JavaScript Anaylsis Is A Bug & MetaSec.js

I hope this talk’s video will be released soon. But even without it, this presentation is very helpful in understanding what to look for in JavaScript files, existing tools for automation, and what can/cannot be automated.
Techniques mentioned include endpoint discovery, reversing source maps, technology fingerprinting, detecting sources and sinks, detecting ReDoS, detecting secrets, detecting vulnerable third-party components, etc.
As a bonus, LewisArdern provides MetaSec.js, a wrapper around several open source tools to automate JS file analysis

2. Writeup of the week

Fuzzing {{7*7}} Till {{P1}}

This is an SSTI writeup. Detection was pretty straightforward: @err0rrrrr injected {{7*7}}{{7*7}} as a comment and received an email notification containing 4949.
The interesting part is that exploitation was hindered by some kind of blacklisting. He could bypass it by bruteforcing local variable names using this custom wordlist. That’s worth adding to Burp to help with stubborn SSTIs!

3. Article of the week

Application Enumeration Tips using Aquatone and Burp Suite

This is an excellent article on automation using Burp and Aquatone.
The novel idea is to use visual identification, not for checking subdomains, but when you’re testing a large Web app. When you’re limited on time as a pentester, you want to quickly assess a lot of URLs to cover the maximum surface.
@ryanwendel explains how he gets a list of URLs from Burp’s proxy history, and passes them to Aquatone to take screenshots. If authentication is required, he makes Aquatone use Burp as a proxy, and leverages Session Handling rules to maintain an authenticated state. So handy!

4. Resource of the week

One XSS cheatsheet to rule them all

This is the most comprehensive XSS cheatsheet I’ve seen.
What is also unique about it, apart from the number of payloads, is that it is interactive. You can filter payloads by tag, event handler and browser.
It also features entirely new XSS payloads that @garethheyes found and presented at Global AppSec 2019. The talk wasn’t recorded but the slides are available: XSS Magic tricks.
All this should be really helpful with HTML filter and WAF bypass.

5. Video of the week

09/15/2019 – Live Bug Bounty Recon Session on Yahoo (Censys, Crtsh, Sublist3r) w/ @Yaworsk

If you’re a fan of @Yaworsk, his books “Real-World Bug Hunting: A Field Guide to Web Hacking” and Web Hacking 101, or his Youtube channel, then you will love this video!
For, once he is the interviewee not the interviewer. The discussion starts at 1h55m00s and covers many topics: Peter’s way of doing recon, his testing methodology, his areas of improvements, how he does JS analysis, why he doesn’t set Burp scope to only the target app, burnout and way more.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

Tools

If you don’t have time

  • Mongo-objectid-predict: Predict Mongo ObjectIds to exploit IDORs

  • Keyhacks.sh: No matter what tool you use to find secrets in Github, this Bash script will help test your findings

More tools, if you have time

  • Secret-bridge, Introduction & TOOLS.md: Monitors Github for leaked secrets

  • Shhgit Live: Live stream of shhgit (Github monitoring tool) in action

  • WaybackRust: A tool written in Rust to query the WaybackMachine

  • Andromeda: Interactive Reverse Engineering Tool for Android Applications

  • CredNijna: A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB

  • Thetick: A simple embedded Linux backdoor

  • Navi: An interactive cheatsheet tool for the command-line

  • SKA: Simple Karma Attack

  • nmapAutomator: A script that you can run in the background!

  • SearchOpenFileShares & Introduction: Searches open files shares for potentially sensitive information (password files, database backups, etc)

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/20/2019 to 09/27/2019.

Curated by Pentester Land & Sponsored by IntigritiDisclaimer:The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

You may also like