By Intigriti
December 10, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 29 November to 6 December.
This tutorial solves a specific problem: bypassing character limitation to exploit XSS. To do that, the idea is to load a remote JavaScript file hosted on a very short domain.
What I love about this tutorial is that it goes further than theory: in practice most short domains are taken or very expensive. Using Unicode, it is possible to redirect to domains like ℡㏛.pw (5 characters) which expands to telsr.pw (8 characters).
Two excellent resources for working with Unicode are also shared.
– Account takeover via leaked session cookie on HackerOne ($20,000)
– HTTP Request Smuggling + IDOR
These writeups are both worth reading for different reasons. The HackerOne account takeover was the most shared/debated this week. @haxta4ok reported a false positive, but the triager's response included their valid session cookie. $20,000 for human error (and an initial false positive)! HackerOne have added mitigations to prevent this happening again, but the same mistake could still be made by employees of companies that don't use HackerOne's triage service, or by triagers at other companies.
The second writeup shows how you can chain HTTP Request Smuggling with IDOR for increased impact.
This is a collection of websites for receiving SMS online for free. I haven’t had the occasion to test them yet, but I’m bookmarking this for future pentest engagements and bug bounty. They will be handy for SMS verification and 2FA.
This looks like a fun conference to attend. Topics range from Burp Suite collaboration to hacking your career, Google Calendar attack surface, social engineering, building an escape room, Kerberos, etc. There is probably something that would interest you whether you're into pentest, red team, bug bounty, physical security, social engineering or incident response.
Following the Capital One breach, AWS EC2 recently introduced new changes to the way metadata information is retrieved. This prevents SSRF exploitation and may leave you wondering whether you should stop looking for SSRF on EC2.
This article is a nice summary of the new changes and what they mean for hackers/bug hunters.
@erbbysam talks about defcon, scanning the entire internet for certs, and becoming a HackerOne MVH!
Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation
Ted Demopoulos: How To Be A Cyber Security Consultant | DailyCyber 207
Cybertalk – EP3 – Cybersecurity Certifications & Learning Resources
Reverse Engineering WhatsApp Encryption for Chat Manipulation and More
Authentication fundamentals: The basics | Azure Active Directory
Developing and Debugging Java Burp Extensions with Visual Studio Code
Android SSL Pinning Bypass Using Objection and Frida Scripts
Strapi Framework Vulnerable to Remote Code Execution (CVE-2019-19609) #Web #RCE
Flaws vs bugs (CVE-2019-9745) #Windows
Rendering McAfee web protection ineffective #Antivirus #Web
Stored XSS via cookie on Grammarly ($2,000)
Automatic API Attack Tool & Introduction: Imperva’s customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output
Barq & Introduction: AWS Cloud Post Exploitation framework. Useful for attacking EC2 instances without having the original instance SSH keypairs
CodeCat: Tool to help in manual analysis in codereview
Issue2report: Generate pentest reports based on github issues
Crtsh: Go script that shows the result of crt.sh with different optional filters
Subdomain Extractor: Burp extension for extracting subdomains. Usage: Go to your Site Map -> Select All -> Right click -> Copy sub domains
Awspx & Introduction: A graph-based tool for visualizing effective access and resource relationships in AWS environments (meaning Bloodhound for AWS)
Mitaka: A browser extension for OSINT search
Zap-operator: ZAP plugin that helps to attack your Kubernetes applications in production
bountyRecon: Just an initiative for automating bug bounty recon
Bug-bounty-kit: Recon setup + automation
Blue eye: A python Recon script
Fetcher.sh: One-liner to quickly check the status code of 1000 URLs or more
Chepy: A python library with a handy CLI that is aimed to mirror some of the capabilities of CyberChef
NTLMRecon: A fast NTLM reconnaissance and information gathering tool without external dependencies
Caligo & Introduction: A simple C2 for hostile “dropbox” devices management used in physical security assessments
JA3Transport & Introduction: A Go library for impersonating JA3 signatures
Lsassy & Introduction (in French): Remotely parse lsass dumps and extract credentials
AWS Ramp-Up Guide: Security – For AWS Cloud Security, Governance & Compliance Professionals, especially AWS Well-Architected Security Labs
Bug Hunting 101 – Web Application Security Testing (Free ebook but in Bahasa)
APIsecurity.io Issue 60: Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars
PEASS – Privilege Escalation Awesome Scripts SUITE (with colors): Privilege escalation tools for Windows and Linux/Unix
A Window into Malicious Advertising – 61% of malvertising targets Windows devices
Malvertising is on the decline but serious security issues remain
44 million Microsoft users reused passwords in the first three months of 2019
Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021
Hack that lifts limits on contactless card payments debuts at Black Hat Europe 2019
New vulnerability lets attackers sniff or hijack VPN connections
SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos
Critical DoS messaging flaw fixed in December Android update
Android vulnerability StrandHogg shatters user privacy, impacts top 500 apps & interesting comments by @LukasStefanko & @fs0c131y
UK Government Releases Photos of Russian Hackers, Whose Lives Look Awesome
Top gadgets for the security and privacy conscious (or the super paranoid!)
This cheap gadget can stop your smartphone or tablet being hacked at an airport, hotel or cafe
Protecting users from government-backed hacking and disinformation
5G hackers: These eight groups will try to break into the networks of tomorrow
These are the worst hacks, cyberattacks, and data breaches of 2019
The Motivation Secret: How to Maintain Intense Motivation as a Hacker (or Anything)
The snooping girl on a train, again. How to compromise a business
Misconceptions: Unrestricted Release of Offensive Security Tools
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2019 to 12/06/2019.
Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.
Curated by Pentester Land & Sponsored by Intigriti