By Intigriti
January 14, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 03 to 10 January.
– Exploiting a Server Side Request Forgery (SSRF) in WeasyPrint for Bug Bounty & HackerOne’s $50M CTF
– [BURP] 12 tricks for Burp Repeater
The first video is about an interesting SSRF that was tricky to exploit. @NahamSec explains why it is important to identify the backend, and how to do it (by requesting an image or iframe).
In this case, the backend was WeasyPrint. Since it is open source, analyzing its code helped find a tag which was not blacklisted and could be used to read internal and external resources.
The second video taught me 3 new helpful tips on Burp Repeater:
How to save the entire history of a tab – Useful for reporting
You can replay URLs by copying them from the browser into Repeater – Saves time
Repeater has an option to “URL-encode as you type” – Encodes values automatically without having to do it manually with Burp Decoder
– The Bug That Exposed Your PayPal Password ($15,300)
– Hunting Good Bugs with only html
The first writeup is about an impressive XSSI found on Paypal’s login form. It goes beyond simple detection and proof of concept, to show how this can be exploited to take over user accounts.
This is also a good opportunity to revisit this old but excellent introduction to XSSI: Cross-Site Script Inclusion: A Fameless but Widespread Web Vulnerability Class.
The second writeup shows how multiple bugs (such as open redirect and SSRF) can be chained to significantly increase the impact.
– Bypass SameSite Cookies Default to Lax and get CSRF & CSRF challenge by @RenwaX23
– Unicode Normalization Vulnerabilities & the Special K Polyglot
SameSite cookies are not yet the end of CSRF. There is a special feature called LAX+POST which basically disables SameSite for 2 minutes. In other words, there is a window of 2 minutes where users are vulnerable to POST CSRF despite the SameSite attribute being used.
@RenwaX23 explains some ways in which this behavior can be exploited in real-life attacks. He also provides a challenge if you want to play with this.
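As an added illustration (not code from the newsletter or from @RenwaX23's post), the following Python model of the Lax-by-default and Lax+POST cookie rules shows why a session cookie set without an explicit SameSite attribute is still attached to a cross-site top-level POST during the 2-minute window, while a cookie with an explicit SameSite=Lax or Strict is not; the Cookie class, the window constant and the simplified rule set are assumptions of this model, which is why a server should still verify a CSRF token or the Origin header rather than rely on the default alone.

```python
from dataclasses import dataclass
from typing import Optional

# Lax+POST: a cookie stored WITHOUT any SameSite attribute is treated as Lax,
# except that for 2 minutes after it was set it is still attached to
# cross-site top-level POST requests (assumed window, matching the post above).
LAX_POST_WINDOW_SECONDS = 120

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None if attribute omitted
    set_at: float            # epoch seconds when the browser stored the cookie


def cookie_sent(cookie: Cookie, method: str, top_level_navigation: bool,
                same_site: bool, now: float) -> bool:
    """Return True if the browser would attach `cookie` to this request.

    Simplified model of the SameSite rules (constructed for illustration,
    not browser code). `same_site` is True when the request originates from
    the cookie's own site; only cross-site requests are restricted."""
    if same_site:
        return True
    policy = cookie.samesite
    if policy == "None":
        return True                      # explicitly opted into cross-site use
    if policy == "Strict":
        return False                     # never sent cross-site
    if policy == "Lax":
        # explicit Lax: only safe-method top-level navigations, no exception
        return top_level_navigation and method in SAFE_METHODS
    # No attribute: Lax by default, plus the Lax+POST exception
    if not top_level_navigation:
        return False
    if method in SAFE_METHODS:
        return True
    if method == "POST" and (now - cookie.set_at) < LAX_POST_WINDOW_SECONDS:
        return True                      # the 2-minute POST CSRF window
    return False


def csrf_window_remaining(cookie: Cookie, now: float) -> float:
    """Seconds left during which a default-Lax cookie still rides cross-site POSTs."""
    if cookie.samesite is not None:
        return 0.0
    return max(0.0, LAX_POST_WINDOW_SECONDS - (now - cookie.set_at))
```

A server-side CSRF token check stays necessary while `csrf_window_remaining` is greater than zero, which is exactly the gap the challenge above exercises.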
The second tutorial is excellent if you want to start leveraging Unicode for bypassing XSS and SQL injection filters.
The need for note making and an organized methodology in Bug Bounty Hunting
@sharathsanketh makes the case for maintaining a written organized methodology. He gives concrete examples of taking notes on CSRF and “Forgot password” bugs.
And most importantly, he explains an essential idea for beginners: No one will give you a ready-to-use complete methodology. You have to read, do deep searches (especially on Twitter) and take notes of anything you learn so that it is not just passive reading.
Nowadays the question is not “Where will I find information?”, but rather “How can I exploit it effectively?”.
Burp Share Requests is a Burp Suite extension that allows you to share requests with another Burp user. Useful for collaboration or sharing information with triagers!
To use it, right-click on any request you want to share, click on “create link” and share the generated link. When the other person opens the link (with the same extension installed), it imports the request into their Burp.
ReconNess seems fantastic for bug bounty. It’s an open source Web app that helps organize recon and is easily extensible. You can add targets, notes, and agents to run any commands (for asset enumeration, port scanning, directory bruteforce, etc). Using custom-built Bash scripts achieves the same results, but this GUI tool can make the process much more pleasant.
Exploiting a Server Side Request Forgery (SSRF) in WeasyPrint for Bug Bounty & HackerOne’s $50M CTF
Mark Litchfield (@BugBountyHQ) shares his experience and talks about becoming a $1M hacker
How to setup a BIND9 DNS server for OOB Exfiltration! (step by step)
How to get Started with Bug Hunting – An Unconventional Story by Katie Paxton-Fear (@InsiderPhD)
iOS 13.3 / 13.2 / 13.0 CheckRa1n JAILBREAK How To Make CheckRa1n Bootable Drive (Ra1nUSB) On WINDOWS
HITB+ CyberWeek Main Conf Tracks, CommSec Track & Keynotes & highlight talks, especially:
GrrCON 2019, especially:
Using JS2PDFInjector to check risks of PDF files with embedded JavaScript & JS2PDFInjector
Fuzzing JavaScript WebAssembly APIs using Dharma/Domato (on Chrome/V8)
Tik or Tok? Is TikTok secure enough? #Web #Android
Cable Haunt & Reddit discussion #DNSRebinding #BufferOverflow
PandoraFMS v7.0NG authenticated Remote Code Execution (CVE-2019-20224) #CodeReview #Web
The Curious Case of WebCrypto Diffie-Hellman on Firefox – Small Subgroups Key Recovery Attack on DH #Crypto #Web
Potential unprivileged Stored XSS through wp_targeted_link_rel ($650) #CodeReview
Update: Want to take over the Java ecosystem? All you need is a MITM! ($2,300)
How I found a Privilege Escalation Bug in a private Ecommerce?
xmlrpc.php file is enabled and can be used for brute-force attacks and Denial of Service (DoS) ($200)
hakrevdns: Small, fast tool for performing reverse DNS lookups en masse
hakcheckurl: Takes a list of URLs and returns their HTTP response codes
Electric Scan: Electron based screenshot scanner
XposedOrNot: A tool to search an aggregated repository of xposed passwords comprising ~850 million real-time passwords
Bucket Flaws (S3 Bucket Mass Scanner): A Simple Lightweight Script to Check for Common S3 Bucket Misconfigurations
GIXY: Nginx configuration static analyzer
DNSolver: Recon tool that parses a list of domains and returns a list of unique IP addresses
VULNRΞPO & Online version: A free project designed to speed up the creation of IT Security vulnerability reports
Frida Injector for Android: Inject frida agents on local processes through an Android app
Npq: Install packages safely with npm or yarn by auditing them as part of your install process
AD Fly Tool: Active directory query tool using LDAP Protocol. Helps red teamer / penetration testers to validate users credentials, retrieve information about AD users, AD groups…
RFCpwn: An enumeration and exploitation toolkit using RFC calls to SAP
AUTO_RECON.bat: Automated host recon, persistence and exfiltration
SharpStat: C# utility that uses WMI to run “cmd.exe /c netstat -n”, save the output to a file, then use SMB to read and delete the file remotely
Apache2 mod_backdoor: A backdoor module for Apache2
Cobalt_aliases: Tired of typing execute-assembly everytime you use Cobalt Strike? Clone this
Nmap compatible list of all vulnerable software from National Vulnerability Database
Kali Linux – An Ethical Hacker’s Cookbook, 2nd Edition ($44.99 Value) FREE for a Limited Time (Free until January 21)
VulnNodeApp: A vulnerable application made using node.js, express server and ejs template engine
Deep Dive in to Citrix ADC Remote Code Execution, CVE-2019-19781
Two-factor authentication security testing and possible bypasses
Building Your Own Web Application Firewall as a Service And Forgetting about False Positives
Significant Changes to Accessing and Using GeoLite2 Databases
Announcing the Microsoft Identity Research Project Grant (grant awards of up to $75,000 USD)
Academic research finds five US telcos vulnerable to SIM swapping attacks
Half of the websites using WebAssembly use it for malicious purposes
Researchers demonstrate practical break of the SHA-1 hash function
Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
‘Maze’ ransomware threatens data exposure unless $6m ransom paid
Travelex ransomware attack: Pulse Secure VPN flaw implicated in security incident
VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers
UK man sentenced to prison for hacking and spying on victims through their webcams. Or why you should use a webcam cover!
New Magecart skimmers practice steganography, data transfer via WebSocket
New Iranian data wiper malware hits Bapco, Bahrain’s national oil company
Google details its three-year fight against the Bread (Joker) malware operation
On the brink of cyber warfare: Attacks feared over US-Iranian escalation
Iran courted US security expert for years, seeking industrial hacking training
Interpol hails 78% drop in cryptojacking infections across Southeast Asia
Dixons Carphone hit with £500,000 fine after data breach affecting 14 million people
U.S. Funds Program With Free Android Phones For The Poor — But With Permanent Chinese Malware
India’s answer to GDPR: Data protection legislation set to pass this year
Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/03/2020 to 01/10/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.
Curated by Pentester Land & Sponsored by Intigriti