Bug Bytes #48 – 20 char XSS, HackerOne accidental account takeover & one-time ☎️

By Intigriti

December 10, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 29 of November to 06 of December.

Our favorite 5 hacking items

1. Tutorial of the week

Exploiting XSS with 20 characters limitation

This tutorial solves a specific problem: bypassing character limitation to exploit XSS. To do that, the idea is to load a remote JavaScript file hosted on a very short domain.
What I love about this tutorial is that it goes further than theory: in practice most short domains are taken or very expensive. Using Unicode, it is possible to redirect to domains like ℡㏛.pw (5 characters) which expands to telsr.pw (8 characters).
Two excellent resources for working with Unicode are also shared.

2. Writeup of the week

Account takeover via leaked session cookie on HackerOne ($20,000)
HTTP Request Smuggling + IDOR

These writeups are both worth reading for different reasons. The HackerOne account takeover was the most shared/debated this week. @haxta4ok reported a false positive, but the triager’s response included their valid session cookie. $20,000 for human error (and an initial false positive)! HackerOne have added mitigations to prevent this happening again, but it could happen to employees that don’t use HackerOne’s triage or triagers from other companies.
The second writeup shows how you can chain HTTP Request Smuggling with IDOR for increased impact.

3. Resource of the week

One-time Mobile ☎️ Numbers Thread

This is a collection of websites for receiving SMS online for free. I haven’t had the occasion to test them yet, but I’m bookmarking this for future pentest engagements and bug bounty. They will be handy for SMS verification and 2FA.

4. Conference of the week

Wild West Hackin’ fest (WWHF) 2019

This looks like a fun conference to attend. Topics range from Burp Suite collaboration to hacking your career, Google Calendar attack surface, social engineering, building an escape room, Kerberos, etc. There is probably something that woud interest you whether you’re into pentest, red team, bug bounty, physical security, social engineering or incident response.

5. Article of the week

Server Side Request Forgery (SSRF) and AWS EC2 instances after Instance Meta Data Service version 2(IMDSv2)

Following the Capital One breach, AWS EC2 recently introduced new changes to the way metadata information is retrieved. This prevents SSRF exloitation and may leave you wondering whether you should stop looking for SSRF on EC2.
This article is a nice summary of the new changes and what they mean for hackers/bug hunters.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

Tools

If you don’t have time

  • Automatic API Attack Tool & Introduction: Imperva’s customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output

  • Barq & Introduction: AWS Cloud Post Exploitation framework. Useful for attacking EC2 instances without having the original instance SSH keypairs

  • CodeCat: Tool to help in manual analysis in codereview

  • Issue2report: Generate pentest reports based on github issues

  • Crtsh: Go script that shows the result of crt.sh with different optional filters

  • Subdomain Extractor: Burp extension for extracting subdomains. Usage: Go to your Site Map -> Select All -> Right click -> Copy sub domains

More tools, if you have time

  • Awspx & Introduction: A graph-based tool for visualizing effective access and resource relationships in AWS environments (meaning Bloodhound for AWS)

  • Mitaka: A browser extension for OSINT search

  • Zap-operator: ZAP plugin that helps to attack your Kubernetes applications in production

  • bountyRecon: Just an initiative for automating bug bounty recon

  • Bug-bounty-kit: Recon setup + automation

  • Blue eye: A python Recon script

  • Fetcher.sh: Oneliner to quickly check the status code of 1000 urls or more

  • Chepy: A python library with a handy CLI that is aimed to mirror some of the capabilities of CyberChef

  • NTLMRecon: A fast NTLM reconnaissance and information gathering tool without external dependencies

  • Caligo & Introduction: A simple C2 for hostile “dropbox” devices management used in physical security assessments

  • JA3Transport & Introduction: A Go library for impersonating JA3 signatures

  • Lsassy & Introduction (in French): Remotely parse lsass dumps and extract credentials

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2019 to 12/06/2019.

Disclaimer:

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.Curated by Pentester Land & Sponsored by Intigriti

You may also like