By Intigriti
February 5, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 24 to 31 of January.
Awesome IDOR technique by @jobertabma! The idea is to replace an ID with one that does not exist yet (e.g. ID+1). Wait for ID+1 to exist and see if you can access its information.
Now to revisit old programs to test for potentially missed IDORs/info disclosures…
This is an excellent writeup on Shitrix (CVE-2019-19781). It shows how to exploit the vulnerability “manually” when public exploits are not working. In this case, the NOTROBIN malware had infected the target and made changes to prevent other exploitation attempts.
Knowing how to bypass it can be helpful for penetration tests.
Yay! My favorite bug bounty podcast is back, with @0xacb this time. No spoilers, let’s just say that it is worth listening to if you’re into bug bounty and want to know how to reach “cosmic brain level 10”.
– Samesite by Default and What It Means for Bug Bounty Hunters
The first article is awesome work but will break a few hearts! It explains the impact of Samesite cookies beyond CSRF. Many other client-side bugs are affected including Clickjacking, XSSI, XSLeaks, Cross-Site WebSocket Hijacking…
The second article in an awesome interview with @EdOverflow. Among other things, he shares insight on finding logic flaws and discovering “goldmines” (untapped areas of research).
This is a great tutorial on leveraging Discord WebHooks for automated recon. This feature makes it easy to send notifications to Discord from Bash scripts.
A subdomains monitoring example is also given. It has never been so easy!
HackTheBox – AI: A cool out of band SQL Injection using “Speech To Text”
@STÖK Talks About Team Disturbance, Getting Started With Bug Bounties, and Live Hacking Events!
How to Start a Career in Cyber Security with The Cyber Mentor
How the Innocent Lives Foundation Uses OSINT to Uncover Online Predators
Security Weekly News #8 – Coronavirus, Ragnarok Ransomware, Ned In The Basement, Cisco
Owning the cloud through SSRF and PDF generators – Public v2
An Opinionated Guide to Scaling Your Company’s Security & Twitter thread
NullHyd Jan Meetup Talk on Chaining bugs and Writing single click Exploits
Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I) & Part II #Web #Cloud
xmlrpc-common deserialization vulnerability (CVE-2019-17570) #Web
CVE-2020-1925: Requests to arbitrary URLs in Apache Olingo #Web #CodeReview
Validating the SolarWinds N-central “Dumpster Diver” Vulnerability #DesktopApp
Picking apart an IOT Camera (Bloomsky) #Web #IoT
Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646) #RCE #Web
LPE and RCE in OpenSMTPD (CVE-2020-7247) #RCE #SMTP
High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin #Web
Race Condition allows to redeem multiple times gift cards which leads to free “money” on Reverb.com ($1,500)
Account take over of ‘light’ starbuckscardb2b users on Starbucks
Improper Input Validation | Add Custom Text and URLs In SMS send by Snapchat | Bug Bounty POC ($1,000)
See more writeups on The list of bug bounty writeups.
Go-pillage-registries & Introduction: Pentester-focused Docker registry tool to enumerate and pull images
Shodomain: Shodan subdomain finder
Flamingo & Introduction: Go tool for capturing credentials sprayed across the network by various IT and security products
Wordlistgen: Quickly generate context-specific wordlists for content discovery from lists of URLs or paths
Burp-teams: A Burp extension to enable teams of people to share repeater tabs and data
XSS tag_event analyzer & : Python script for detecting valid tags/events on XSS exploitation
GoLinkFinder: A fast and minimal JS endpoint extractor
Dom-red: Python script to check a list of domains against open redirect vulnerability
Chain Reactor & Introduction: Open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints
StickyReader & Introduction: Powershell script to read Sticky Notes from compromised Windows 10 hosts
Socialscan: Check email address and username availability on online platforms with 100% accuracy
Prettyloot: Convert the loot directory of ntlmrelayx into an enum4linux like output
Red_Team: Some scripts useful for red team activities
TikTokOSINT: Python script that dumps public data of any user
MoveKit, StayKit & Introduction: Cobalt Strike lateral movement & persistence kits
Alternatives to Extract Tables and Columns from MySQL and MariaDB
Kompar & Choosing the right static code analyzers based on hard data
Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS
Internet Explorer mhtml: – Why you should always store user file uploads on another domain
How to decrypt WhatsApp end-to-end media files, whats-enc.py & WhatsApp Media Decrypt
Burp Suite Pro / Community 2020.1 released, with major enhancements to HTTP message editor and more
HTTP Request Smuggler now supports overriding the request method!
Kali Linux 2020.1 Release: Non-Root users by default now
Microsoft launches Xbox bug bounty program with rewards of up to $20,000
In the line of fire: Will California’s AB5 labor law cause havoc for cybersecurity consultants?
LoRaWAN networks are spreading but security researchers say beware
Serious Security – How ‘special case’ code blew a hole in OpenSMTPD
200K WordPress Sites Exposed to Takeover Attacks by Plugin Bug
Wawa’s massive card breach: 30 million customers’ details for sale online
Breach at Indian airline SpiceJet affects 1.2 million passengers
Five Years Later, Ashley Madison Data Breach Fuels New Extortion Scam
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Iranian hackers target US government workers in new campaign
Avast Shuts Down Jumpshot After Getting Caught Selling User’s Data
Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors
Ring Android App Sent Sensitive User Data to 3rd Party Trackers
First MageCart Hackers Caught, Infected Hundreds of Web Stores
Facebook knows a lot about your online habits – here’s how to stop it
Google now charges the government for user data requests, report says
How to Hack Your Employees With a Phishing Simulation Campaign
Making Mr. Robot: Jeff Moss on the push for authenticity in award-winning hacker show
What’s the difference? Information Assurance vs Information Security vs Cyber Security
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/24/2020 to 01/31/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
Curated by Pentester Land & Sponsored by Intigriti