Bug Bytes #46 – Steal customer data via CORS Misconfiguration, Dnsexpire.py and #BadBugBountyPickupLines

By Intigriti

November 28, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 15 to 22 of November.

Our favorite 5 hacking items

1. Tip of the week

Rewarded with $xxxx for an issue which could have allowed me access to stag & prod servers. Sub-domain scan -> dir fuzz -> found a publicly exposed git -> extracted all committers' emails -> found one email in a pw dump -> used it to log into the git instance -> got creds for servers

I’ve never thought of this, but it is a great idea for exploiting exposed .git folders: In addition to extracting source code, you can also extract committer emails and search for them on password dumps. I’d also search for them on Google, Github, etc. Good idea for recon/OSINT!

2. Writeup of the week

CORS misconfiguration allows to steal customer data (on LocalTapiola) ($2,100)

The most interesting part of this writeup is the Proof of Concept. It shows how to exploit a CORS misconfiguration to exfiltrate user data. The code can help if you’re working on a CORS PoC and want to show real impact.
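The misconfiguration behind this class of writeup is a server that echoes whatever `Origin` it receives while also sending `Access-Control-Allow-Credentials: true`, which lets another origin's JavaScript read authenticated responses. The following added example (not code from the writeup, from LocalTapiola or from Intigriti) classifies a response's CORS headers from a tester's or reviewer's point of view, and shows the hardened server-side logic beside it. The origins and headers are constructed; `TRUSTED_ORIGINS` is an assumed allowlist.

```python
"""Classify CORS response headers and show the exact-match allowlist that fixes them.

Added example; all origins, headers and the allowlist are constructed for
illustration and belong to no real site.
"""

# Assumed allowlist: the only origins the hardened server will ever echo.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def classify_cors(request_origin, response_headers):
    """Return a short verdict for one request/response pair.

    request_origin:   the Origin header the browser would send; during a test
                      this is an origin the tester controls.
    response_headers: dict of response headers (looked up case-insensitively).
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No ACAO header: the browser keeps cross-origin responses unreadable.
        return "no-cors"
    if acao == "*":
        # Browsers refuse to combine a wildcard with credentials, so a wildcard
        # only exposes data that is already public.
        return "wildcard-with-credentials-ignored" if creds else "wildcard-public-only"
    if acao == "null":
        # "null" is the origin of sandboxed iframes and file:// pages, so
        # trusting it is as weak as trusting any origin.
        return "null-origin-with-credentials" if creds else "null-origin"
    if acao == request_origin:
        # The server reflected the tester's origin. With credentials this is the
        # bug the writeup exploits: authenticated responses become readable
        # cross-origin.
        return "reflected-origin-with-credentials" if creds else "reflected-origin"
    return "fixed-origin"


def cors_headers_for(request_origin):
    """Hardened server side: echo an origin only on an exact allowlist match.

    Exact set membership avoids the classic mistakes of substring, prefix and
    suffix checks on the Origin value.
    """
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            # Keep shared caches from serving one origin's answer to another.
            "Vary": "Origin",
        }
    # No ACAO header at all: the browser enforces the same-origin policy.
    return {}


if __name__ == "__main__":
    # Constructed response from a misconfigured server that echoes any origin.
    test_origin = "https://test-origin.example"
    weak = {
        "Access-Control-Allow-Origin": test_origin,
        "Access-Control-Allow-Credentials": "true",
    }
    print("weak server  :", classify_cors(test_origin, weak))
    print("hardened     :", classify_cors(test_origin, cors_headers_for(test_origin)))
    print("trusted app  :", cors_headers_for("https://app.example.com"))
```

Running the classifier against a live target only requires sending the same request twice with different `Origin` values and feeding the response headers to `classify_cors`; a verdict of `reflected-origin-with-credentials` is the finding worth reporting, while `wildcard-public-only` is usually informational.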

3. Tool of the week

Dnsexpire.py

This is yet another awesome script by @gwendallecoguic. It returns the expiration date of a list of hosts' domains, which is useful for detecting subdomain takeovers: a CNAME pointing at a domain that is about to expire is a takeover waiting to happen.

A good idea would be to run it from a cron job and add Slack/email alerts so you are notified as soon as a domain expires.

4. Non technical item of the week

#BadBugBountyPickupLines

If you like bug bounty and jokes, this Twitter hashtag is a treat. Some are so bad, they’re good…

  • I don’t care if you aren’t clear verified but you get a private invite to my heart

  • Are you a kudos only program? Because I feel like I’m not getting much out of this

  • Are you a crit? Because I’m gonna brag about you on Twitter

  • Call me vulnerable because you make my Heartbleed

5. Tutorial of the week

Analyzing DNS TXT Records to Fingerprint Online Service Providers

This tutorial shows how to automatically analyze and extract information from DNS TXT records used to verify domain ownership.

Tokens used within DNS TXT records allow for fingerprinting the service providers associated with the domain (e.g. Microsoft, Google, Citrix, Atlassian…). This is useful for pentesters as it is another way of identifying the technologies a target uses.
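As an added example of the technique the tutorial describes (this is not the tutorial's own code), the script below maps a domain's TXT records to providers. It goes slightly beyond the verification tokens the tutorial focuses on by also reading the `include:` hosts of an SPF record, which identify whoever sends mail on the domain's behalf. The prefix-to-provider and include-to-provider tables are this example's own mapping, and the sample records are constructed, modelled on the output of `dig TXT example.com +short`.

```python
"""Fingerprint service providers from DNS TXT records.

Added example, not the tutorial's code. Provider mappings are this example's
own; the sample records are constructed and belong to no real domain.
"""
import re

# Domain-ownership verification tokens that providers ask owners to publish.
# Key: the TXT record prefix. Value: the provider it points to (this example's mapping).
VERIFICATION_TOKENS = {
    "MS=": "Microsoft 365",
    "google-site-verification=": "Google",
    "atlassian-domain-verification=": "Atlassian",
    "citrix-verification-code=": "Citrix",
    "facebook-domain-verification=": "Facebook",
    "docusign=": "DocuSign",
    "adobe-idp-site-verification=": "Adobe",
}

# SPF "include:" hosts name third parties allowed to send mail for the domain.
SPF_INCLUDES = {
    "spf.protection.outlook.com": "Microsoft 365",
    "_spf.google.com": "Google Workspace",
    "sendgrid.net": "SendGrid",
    "servers.mcsv.net": "Mailchimp",
}


def fingerprint_txt(records):
    """Map TXT record strings to (provider, evidence) pairs.

    Evidence is the record or include host that produced the attribution, so an
    analyst can see why each provider was reported. Result is sorted and free
    of duplicates.
    """
    findings = set()
    for raw in records:
        rec = raw.strip().strip('"')          # dig prints TXT data in quotes
        for prefix, provider in VERIFICATION_TOKENS.items():
            if rec.startswith(prefix):
                findings.add((provider, rec))
        if rec.lower().startswith("v=spf1"):
            for host in re.findall(r"include:([\w.\-]+)", rec, flags=re.IGNORECASE):
                h = host.lower()
                for suffix, provider in SPF_INCLUDES.items():
                    if h == suffix or h.endswith("." + suffix):
                        findings.add((provider, "include:" + host))
    return sorted(findings)


def providers_only(records):
    """Just the provider names, for a quick inventory line per domain."""
    return sorted({provider for provider, _ in fingerprint_txt(records)})


# Constructed sample records (not real data for any domain).
SAMPLE_RECORDS = [
    '"MS=ms12345678"',
    '"google-site-verification=abc123"',
    '"v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"',
    '"atlassian-domain-verification=XYZ"',
    '"some-unrelated-text"',
]

if __name__ == "__main__":
    for provider, evidence in fingerprint_txt(SAMPLE_RECORDS):
        print(f"{provider:15} <- {evidence}")
```

To use it on real data, collect the TXT records with your resolver of choice and pass the strings in; the function deliberately does no network lookups so the mapping can be tested and extended offline. The same table works for an asset-inventory exercise on your own domains, where stale verification tokens for providers you no longer use are worth cleaning up.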

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • memento.py: Find endpoints in archived versions of robots.txt

  • Cloud-cidr: Get AWS, Azure, Google Cloud IP CIDRs

  • CORS Scanner

  • Subdomain_recon.py & Introduction: A subdomain reconnaissance scanner

  • Bug Menace: This project contains the packer build (targeting AWS) for a Bug Bounty enumeration and attack server. It’s basically just ubuntu + some osint tools

  • Boucan: Dashboard/API + DNS/HTTP Servers to identify Out of Band Resolution in Payloads

  • Lazyrecon_docker: Containerized version of my fork of Nahamsec’s Lazyrecon

  • Javafuzz: Coverage guided fuzz testing for java

  • Pax: CLI tool for PKCS7 padding oracle attacks

  • Flan Scan & Introduction: Cloudflare’s Lightweight Network Vulnerability Scanner. Wrapper around Nmap and vulners

  • Spraykatz: A tool able to retrieve credentials on Windows machines and large Active Directory environments

  • nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB

  • Jackdaw: Collects all information in your domain, stores it in an SQL database & shows you nice graphs of how your domain objects interact with each other and how a potential attacker may exploit these interactions #ActiveDirectory

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/15/2019 to 11/22/2019.

Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti. Curated by Pentester Land & Sponsored by Intigriti
