Bug Bytes #43 – Abusing HTTP hop-by-hop request headers, The Bug Bounty Podcast by @Regala_ & Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com W/ @Securinti

By Intigriti

November 5, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 25th of October to 1st of November.

Our favorite 5 hacking items

1. Podcast of the week

Episode #1 ft. STÖK

This podcast is made by Fisher and is A-M-A-Z-I-N-G! It makes you feel like you are at a live hacking event, sitting with two seasoned bug bounty hunters discussing all kinds of subjects. The podcast is about how to pronounce CSRF, how @stokfredrik overcame his depression, his research on race condition vulnerabilities and much more.
It is perfect for you when you feel like listening to something relaxing but still informational and related to bug bounties.

2. Writeup of the week

Abusing HTTP hop-by-hop request headers

This is some cool research on hop-by-hop headers. These are headers that are used by proxies and not forwarded to the end server.
@nj_dav discovered a way to abuse them and basically remove other request headers. This can have unexpected results like authentication bypass, Cache poisoning DoS, etc.
The premise is simple to understand, but it would be interesting to practice this attack and take the research further by testing on common WAFs.

3. Tips of the week

What do you do when doing blackbox web testing that may be obvious to you but not so obvious to other people?

This is an excellent question asked by @nnwakelam. Doing “not so obvious” tests is the best way to differentiate yourself and avoid duplicates.
The thread includes some very interesting responses, for instance: “Continuously scanning for surface will net you more $$$ in the long run. Looking at an asset once defeats the purpose of a BB, it might as well be a penetration test at that point”.
It’s good to know all these strategies and test them especially if stuck in dup’zone.

4. Video of the week

Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com W/ @Securinti

@securinti is most known for his crazy logic bugs. Since he is killing it at live hacking events and mostly shares unique creative bugs, it is interesting to get to know his mindset and approach. A recommended watch!

5. Conferences of the week

Global AppSec Amsterdam 2019
SAINTCON 2019
Security@ 2019

Wow, there are too many interesting talks to list and comment on here.
Let’s just say that Global AppSec and SAINTCON both offer a lot of talks on a large variety of topics and many of them are really captivating.
Security@ has two panels I find interesting for bug bounty hunters: one with bug bounty millionaires @nnwakelam, @thedawgyg and @santi_lopezz99. And another one on hacking the talent gap with @d0nut and @yaworsk.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

Tools

If you don’t have time

  • BugReplay: Browser extension to record bugs with network traffic and JS console (commercial tool)

  • XORpass: Encoder to bypass WAF filters using XOR operations

  • Femida: Burp extension for automated blind-xss testing (both passive & active)

  • UhOh365: A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled and is useful for social engineering assessments to find which emails exist and which don’t. See Reddit discussion on the weakness exploited by this tool

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2019 to 11/01/2019.

Curated by Pentester Land & Sponsored by IntigritiDisclaimer:The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

You may also like