Bug Bytes #45 – DEFCON 27 Recap, JWT Playbook, Leaky repo & new XSS challenge

By Intigriti

November 19, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 8 to 15 November.

Intigriti news

We launched another XSS challenge! You can win a Burp Suite Pro license if you solve it before Monday. Check it out:

We're celebrating 10K followers with a challenge! 🎉
Find the XSS flaw and WIN a @burp_suite license! 👇
🏆 Challenge: https://t.co/dYnctSfAAq
ℹ️ More info: https://t.co/CllyXhC7oL pic.twitter.com/lRfN0wndkl

— Intigriti (@intigriti) November 18, 2019

Our favorite 5 hacking items

1. Conference of the week

DEF CON 27

Finally, DEF CON 27 videos are released! There is no introduction needed, right?
I’m watching this first: “Owning The Clout Through Server Side Request Forgery” by @NahamSec & @daeken. What about you?

2. Resource of the week

JWT Attack Playbook (for methodical pentesting)

This is a wiki for the [jwt_tool](https://github.com/ticarpi/jwt_tool) toolkit for testing JSON Web Tokens. I was surprised to see how detailed it is.
It covers recognizing and reading JWTs, an attack methodology, how to test for known exploits, fuzzing, stealing JWTs by exploiting other vulnerabilities, and more. An excellent resource to get into hacking JWTs!

3. Challenge of the week

Leaky repo

This GitHub repository is seeded with leaked secrets of many kinds. It is intended to be used as a target for benchmarking tools like github-dorks or truffleHog.
Personally, I also plan on using it as a challenge to practice finding secrets on GitHub.
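If you want to see what the tools being benchmarked actually do before running them against the repo, here is an added example of a minimal secrets scanner (my own code, not truffleHog's or github-dorks'). It combines a few pattern rules with the Shannon-entropy check that high-entropy string scanners rely on, and runs over a constructed in-memory "repository"; the rule names, thresholds and sample files are all this example's assumptions, and the AWS values are the placeholder ones from the AWS documentation.

```python
import math
import os
import re

# Pattern-based rules (names and regexes are this example's own).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Any long run of base64-ish characters is a candidate for the entropy check.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; tune per corpus to balance noise vs. misses


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, threshold: float = ENTROPY_THRESHOLD):
    """Return one finding per rule hit, with file and line for triage."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"file": path, "line": lineno, "rule": rule, "match": m.group(0)})
        for m in CANDIDATE_TOKEN.finditer(line):
            ent = shannon_entropy(m.group(0))
            if ent >= threshold:
                findings.append({"file": path, "line": lineno, "rule": "high_entropy",
                                 "match": m.group(0), "entropy": round(ent, 2)})
    return findings


def scan_files(files):
    """files: mapping of path -> text (a checkout read into memory)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str):
    """Walk a real checkout on disk, skipping the .git directory."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample "repository" for the offline run.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config/db.py": 'DB_HOST = "localhost"\nDB_PASSWORD = "correcthorsebatterystaple"\n',
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key body omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# Demo service\nRotate credentials before release.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['match']}")
```

Note which hits come from which rule: the access key ID is caught by its fixed prefix, not by entropy (it is too short and too repetitive to pass the threshold), while the secret key is caught both as an assignment and as a high-entropy string. A scanner that has only one of these two mechanisms misses one of them, which is exactly what benchmarking against a repo like this one is meant to show. To run it against a real checkout, call `scan_directory(path)`; git history is out of scope for this example and is where truffleHog does most of its work.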

4. Non technical item of the week

Tips for an Information Security Analyst/Pentester career – Ep. 78 – Nothing is impossible

This is @mattiacampagnan’s story on how he found a pentesting job. Basically, he created a blog and wrote dozens of articles related to penetration testing. This gave him some exposure. A company contacted him for an interview, he got a remote part-time position, did the work for 3 months, and finally it became a full-time position.
I loved reading this story because it is another reminder that there is no secret way to success. Do your work and find a way to differentiate yourself. Simple, but a lot of people do not want to hear that…
I personally can attest to the same thing: Maintaining a blog and being consistent opens up so many possibilities and professional options. If you are struggling to find work, you should really consider starting a blog, video course or YouTube channel. Anything that you put out there that shows technical abilities and professionalism will help you find employers or customers.

5. Tutorials of the week

Fasten your Recon process using Shell Scripting
Different Approaches For Reconnaissance — Bug Bounty’s

These are two nice tutorials that go a bit further than most typical recon articles.
Apart from classic subdomain enumeration, they show how to programmatically fetch URLs with their status code & page title, and search responses for keywords. This will certainly help process data collected from large scope bug bounty programs (or pentest targets).
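The tutorials do this step in shell; as an added example (my own code, not from either article), here is the same status-code, page-title and keyword pass written in Python so the whole thing runs offline against constructed responses. The hostnames, responses and keyword list are hypothetical; `http_fetch` is the live fetcher you would swap in for real targets, and the error path shows how a dead host ends up as a row rather than a crash.

```python
import concurrent.futures
import re
import urllib.error
import urllib.request

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def http_fetch(url: str, timeout: float = 5.0):
    """Live fetcher: returns (status_code, body). Only used against real targets."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx pages still carry a useful title
        return err.code, err.read(65536).decode("utf-8", "replace")


def extract_title(html: str) -> str:
    """First <title> of the page with whitespace collapsed, or '' if there is none."""
    m = TITLE_RE.search(html)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def probe(url, fetcher=http_fetch, keywords=()):
    """One row of the recon table: status, title and keyword hits, or the error name."""
    try:
        status, body = fetcher(url)
    except Exception as err:  # DNS failure, refused connection, timeout
        return {"url": url, "status": None, "title": "", "keywords": [],
                "error": type(err).__name__}
    body_lc = body.lower()
    return {"url": url, "status": status, "title": extract_title(body),
            "keywords": [k for k in keywords if k.lower() in body_lc], "error": None}


def probe_all(urls, fetcher=http_fetch, keywords=(), workers=10):
    """Probe hosts concurrently; results come back in input order."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda u: probe(u, fetcher, keywords), urls))


def format_row(r) -> str:
    status = r["status"] if r["status"] is not None else f"ERR:{r['error']}"
    return f"{status}\t{r['url']}\t{r['title']}\t{','.join(r['keywords'])}"


# Constructed responses so the example runs offline; hostnames are hypothetical.
FAKE_RESPONSES = {
    "https://app.example.com/": (200, "<html><head><title>\n  Acme Admin Portal </title></head>"
                                      "<body><form>Login</form></body></html>"),
    "https://old.example.com/": (403, "<html><title>403 Forbidden</title></html>"),
    "https://dev.example.com/": (200, "<div id='swagger-ui'>Swagger UI</div>"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch; unknown hosts simulate a timeout."""
    if url not in FAKE_RESPONSES:
        raise TimeoutError("simulated timeout")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    targets = list(FAKE_RESPONSES) + ["https://dead.example.com/"]
    for row in probe_all(targets, fetcher=fake_fetch, keywords=["login", "swagger"]):
        print(format_row(row))
```

The output is one tab-separated row per host, which is the shape you want for sorting by status code or grepping for a title across a few thousand subdomains. Keep the keyword list short and targeted (login forms, API consoles, framework names) so the column stays useful.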

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2019 to 11/15/2019.

Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti. Curated by Pentester Land & sponsored by Intigriti.
