By Intigriti
November 12, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 01 to 08 of November.
We’ve launched our brand new platform, check it out!
KULeuven launched 2 new public programs:
www.kuleuven.be (responsible disclosure)
Online enrollment for students (up to €2.500 bounty)
Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks – Alyssa Herrera & Other Hack.lu 2019 talks
The slides for this talk were published months ago, and I was really hoping for the talk to be public too. Alyssa is known for focusing on server-side bugs, especially SSRF.
So, this is a must watch for anyone who wants to learn about this bug class. It is also a good example of the kind of thinking and focus you need to find critical bugs and become an expert in a specific topic.
Bypassing GitHub’s OAuth flow & TL;DR ($25,000)
Who would have thought that playing with HTTP methods could bypass OAuth on GitHub and yield a $25,000 bounty?!
The bug existed because the same controller action handled both GET and POST requests, and a HEAD request was not anticipated.
The controller relied on the HTTP method to decide whether to grant the app access or to serve the OAuth authorization page. @not_aardvark sent a HEAD request instead: Rails routed it to the GET action, but the controller's method check did not treat it as a GET, so it was handled as an authenticated POST, granting access and bypassing the authorization prompt.
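To make the method confusion concrete, here is an added Ruby example (constructed for this issue; it is not GitHub's or Rails' code) that models a router dispatching HEAD to the GET route and a controller action whose branch logic only recognises GET, next to the corrected form that only grants on an explicit POST. The `Request` struct, the route table and the handler names are assumptions made for the demo.

```ruby
# Added example: a minimal model of HTTP-method confusion in an OAuth
# authorize action. Not GitHub's or Rails' code; everything below is
# constructed for illustration.

# Hypothetical request object carrying only the HTTP verb.
Request = Struct.new(:verb) do
  def get?
    verb == "GET"
  end

  def post?
    verb == "POST"
  end
end

AUTHORIZE_PATH = "/login/oauth/authorize"

# Routes declared for GET and POST only, as with `match ..., via: [:get, :post]`.
ROUTES = {
  ["GET", AUTHORIZE_PATH]  => :authorize,
  ["POST", AUTHORIZE_PATH] => :authorize,
}.freeze

# Mirror the router behaviour described above: a HEAD request is
# dispatched to whatever action serves GET for that path.
def route(request, path)
  verb = request.verb == "HEAD" ? "GET" : request.verb
  ROUTES[[verb, path]] || :not_found
end

# Vulnerable shape: "not GET" is assumed to mean "the user submitted the
# consent form", so HEAD silently lands in the grant branch.
def authorize_vulnerable(request)
  return :not_found unless route(request, AUTHORIZE_PATH) == :authorize

  if request.get?
    :render_consent_page   # show the "Authorize this app?" page
  else
    :grant_access          # anything else is treated as an approved POST
  end
end

# Hardened shape: only an explicit POST grants; GET, HEAD and anything
# else just renders the page. (A real app keeps its session and CSRF
# checks on the POST branch as well.)
def authorize_fixed(request)
  return :not_found unless route(request, AUTHORIZE_PATH) == :authorize

  if request.post?
    :grant_access
  else
    :render_consent_page
  end
end

# Run each verb through both variants so the difference is visible.
def compare(verbs = %w[GET HEAD POST PUT])
  verbs.to_h do |v|
    req = Request.new(v)
    [v, { vulnerable: authorize_vulnerable(req), fixed: authorize_fixed(req) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |verb, r|
    puts format("%-4s vulnerable=%-19s fixed=%s", verb, r[:vulnerable], r[:fixed])
  end
end
```

Running the file prints one row per verb; the HEAD row is the interesting one, because the vulnerable handler returns `grant_access` while the fixed handler returns `render_consent_page`. The defensive lesson is to branch on the verb that carries the user's consent (POST), never on "anything that is not GET".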
It is very easy for hackers to get distracted by all the information and topics out there and keep hopping from one subject to another. If you think you have the Shiny Object Syndrome, or if you find yourself spending a lot of time learning and practicing without seeing the results you would expect, then you probably need “deliberate practice”.
This article is a great introduction to this concept, with many resources to go further.
Every time I hear of some accomplishment by bug hunters like @nahamsec, @stokfredrik, @nnwakelam, etc, I can’t help but wonder how they do it all.
A lot of bug hunters juggle multiple jobs and/or passions. It is what I do myself, but self-doubt creeps up sometimes: Why does it take me so much time to learn X? It seems easier for person Y… Is it just about the talent/intelligence you’re born with? Is it because they don’t have a family life like you? Or because they don’t need to sleep as much as you do?
@nahamsec shares his unambiguous take on the matter: sleep one hour later and wake up an hour earlier. Make the time and stop with the excuses!
This is not a new site, but I’ve just discovered it while looking for good OSINT resources. And it is amazing whether you do OSINT or reconnaissance for pentest/bug bounty.
It has a lot of categories: Email, Domain, IP, Username, Person, Phone Number, File… For each one, you can find many tools in one place and search them all at once.
Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com with @phwd
SQL Injection PHP Code Review [22] #CodeReview
PHP command Injection Vulnerability Code review [23] #CodeReview
Reflected Cross Site Scripting PHP Code Review [24] #CodeReview
CISSP vs. CEH, Cybersecurity Degrees, CTFs vs. Real-Life – Cybertalk with HackerSploit
Common Linux Privilege Escalation: Exploiting Sudo Access & Exploiting Sudo Access
Sudo Vulnerability CVE 2019-14287 | Privilege escalation in kali Linux
7MS #386: Interview with Ryan Manship and Dave Dobrotka – Part 4
Risky Business #561 — Report: NSO exploits used against politicians, senior military targets
Fast Recon-NG [from global to granular] [and how I got a P1 in Google VRP]
A Purple-Team View of Serverless and GraphQL & The Hard Way: Security Learnings from Real-world GraphQL
Breaking & Pwning Docker Containers & Kubernetes Clusters – All Day DevOps 2019
Hacking Tricks: Identifying Outgoing TCP Port for Reverse Shell
How to Use CCAT: An Analysis Tool for Cisco Configuration Files
Finding and Identifying JScript/VBScript Callable COM Objects
How to Set up Certificate-Based SSH for Bug Hunting (+ bonus!)
Spot Fake Businesses & Find the Signature of CEOs with OSINT
Text-To-Speech speaks pwned #Android #PrivilegeEscalation
Breaching the perimeter – PhantomJs Arbitrary file read #Web
CVE-2019-12415: XML processing vulnerability in Apache POI #Web
CVE-2019-1414 — a Local Command Execution in Visual Studio Code #PrivilegeEscalation #RCE
Backend SQL Injection in BigTree CMS 4.4.6 #Web #CodeReview
MiTM / Logic flaw on Shopify ($13,337)
Information disclosure on Shopify ($1,000)
Information disclosure on HackerOne ($2,500)
Privilege escalation on Ubiquiti Inc. ($16,109)
See more writeups on The list of bug bounty writeups.
Jandroid & Introduction: A tool for template matching against apps. Current use case is to identify potential logic bug exploit chains on Android
LiveTargetsFinder: Generates lists of live hosts and URLs for targeting, automating the usage of MassDNS, Masscan and nmap to filter out unreachable hosts and gather service information
Github-endpoints.py: Search endpoints on GitHub for a given (sub)domain
Getallurls: Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl
BlackWidow: A Python-based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website (by the creator of Sn1per)
Paramuda: A Python tool designed to enumerate hidden parameters on a target URL through a wordlist. It scans the URL and checks whether the payload appears in the response body
SRLabs Gobuster: File & directory bruteforcer based on Gobuster with enhanced false positives detection
Frida Android Helper: Several handy commands to facilitate common Android pentesting tasks
Droidlysis: Property extractor for Android apps. It automatically disassembles apps and looks for various properties within the package or its disassembly
WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier
NTLM Challenger: Parse NTLM over HTTP challenge messages
ꓘamerka GUI & Introduction: Internet of Things/Industrial Control Systems reconnaissance tool
PostMessage_Fuzz_Tool & PostMessage Xss Fuzz using Chrome App
Anatomy of Scalable Vector Graphics (SVG) Attack Surface on the Web
Intro to Chrome’s (g)old features & If you are ever able to upload files to a site and want to XSS but are blocked by a CSP whitelist, you should try PNaCl! It requires you to control a JSON and a binary of any content-type (nosniff is ignored).
Coalfire arrests: Charges against US pen testers reduced but not dropped & The Primary Documents relating to the Coalfire Pentest in Iowa
Facebook Portal survives Pwn2Own hacking contest, Amazon Echo got hacked
Hacking the Singapore Government: A Q&A With A Top Hacker & MINDEF 2.0 Results
Strategies for Building and Growing Strong Cybersecurity Teams
Spear Phishing: A Law Enforcement and Cross-Industry Perspective
Apple Mail on macOS leaves parts of encrypted emails in plaintext
Site Isolation bypass discovered in Google Chrome’s Payment Handler API
Smartphone and speaker voice assistants can be hacked using lasers
Exclusive: Bitdefender Discovers Ring Doorbell Vulnerability
TrendMicro Employee Sold Customer Info to Tech Support Scammers
Specially Crafted ZIP Files Used to Bypass Secure Email Gateways
An inside look at WP-VCD, today’s largest WordPress hacking operation
Open source tool predicts which security vulnerabilities are most likely to be exploited
Undercover reporter tells all after working for a Polish troll farm
Huawei calls hackers to Munich for secret bug bounty meeting
DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition
A guide to cryptojacking – how to prevent your computer from being turned into a money-making tool
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/01/2019 to 11/08/2019.
Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.
Curated by Pentester Land & Sponsored by Intigriti