By Intigriti
February 11, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 31 of January to 07 of February.
The first tool tries to solve the inconvenience all bug hunters and pentesters face: Having to use so many different tools, to remember their command line options, to juggle between terminals and note-taking apps, copy-pasting commands…
Quiver allows you to run recon scripts or single commands organized into categories with auto-completion, and to access markdown notes from the terminal. This last feature is really interesting. It makes it possible to manage a markdown knowledge base that can be accessed from both GUI (with an app like Joplin) and CLI.
The second tool is handy for Android application tests. It helps download APKs directly from the Google Play Store using the command line. Practical if you want to automate APK downloads.
@Th3G3nt3lman Shares His Recon Methodology and How He Consistently Collects $15,000 Bounties! & Summary notes
This is a must watch if you want to up your recon game. @Th3G3nt3lman shares so many good gems, especially on how he differentiates himself, and finds assets/bugs that everyone has missed.
He has a full-time job and hunts for only 4/5 hours a week. Using strategies like quick/smart assets enumeration (e.g. building custom short lists) helps him make the most of his time. This clearly shows that time is no excuse!
Expanding the Attack Surface: React Native Android Applications
Assetnote’s specialty is reconnaissance. So it is worth listening when they’re talking about expanding attack surface.
This tutorial shows how to extract JavaScript from React Native Android apps (without decompiling with dex2jar). Then how to analyze it and find juicy information (think endpoints, API keys, Firebase credentials, etc).
This is an excellent talk about API security testing. @InonShkedy covers multiple vulnerability types including mass assignments, CSRF (and how to combine them), BOLA, 2 complex account takeovers he found, etc.
The company he works for, @traceableai, also shared 31 tips on API security & pentesting.
These are both awesome resources for anyone who wants to dive into API security.
Cool SSRF technique shared by @thedawgyg. Switching to HTTP/0.9 allows you to remove the Host header (because it is not required in this version as opposed to HTTP/1.1). This can help bypass fixes.
Security Weekly News #9 – Iranian Campaign, Twitter Conspiracy, Bangladesh Hacked
Application Security Weekly #94 – Xbox Bounty Program, Magento Patch, RCE in OpenSMTPD
Modern Web Security: The Art of Creating and Breaking Assertions
Don’t Cross Me! Same Origin Policy and all the “cross” vulns: XSS, CSRF, and CORS
Revisiting ReDoS: A Rough Idea of Data Exfiltration by ReDoS and Side-channel Techniques
Simple Remote Code Execution Vulnerability Examples for Beginners
Introduction to mobile network intrusions from a mobile phone
All h1-415-ctf writeups and the winners’ writeups: p4fg & manoelt
CVE-2019-12180 – ReadyAPI & SoapUI command execution via malicous project file
Straight Outta Script Kiddie Zone : Deep dive on how to get a SYSTEM shell on Windows
From CSRF to RCE and WordPress-site takeover: CVE-2020-8417 #Web
SpringBoot ‘DevTools’ Insecure Deserialization — Analysis & Exploit #Web
Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access (Facebook, $12,500)
Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE (HackerEarth)
Exploiting Insecure Firebase Database! & Insecure-Firebase-Exploit script
H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products (Shopify, $15,000)
Gitlab (CodeQL) writeups: Netty HTTP Response Splitting ($1,500), CSRF in Spring apps ($1,800), LDAP injectionin Java ($3,000), Use of insecure protocol in Java (Maven) ($2,300)
Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP (Shopify, $2,000)
See more writeups on The list of bug bounty writeups.
OWASP D4N155: Intelligent and dynamic wordlist using OSINT
Fuzz-lightyear & Automated IDOR Discovery through Stateful Swagger Fuzzing
SEcraper: Search engine scraper tool in Bash. Uses Ask, Bing & Yahoo search engines
Wildcheck: A Go script for detecting wildcard domains based on Amass’s wildcards detector
Gwdomains: Subdomain wildcard filtering tool
Dufflebag: Search exposed EBS volumes for secrets
Codeza: Python script that scans URLs listed in a file and returns Content-Length, Status-Code, Title, Forms & those potentially vulnerable to DOM XSS
Codict & Introduction: A framework to learn and assess source code
Eslinter: A Burp Suite extension that extracts JavaScript and lints them with ESLint
FockCache: Minimalized Test Cache Poisoning
Injectus: CRLF and open redirect fuzzer
Berserko: Burp Suite extension to perform Kerberos authentication
PrivescCheck: Privilege Escalation Enumeration Script for Windows
OverwriteStrings & Introduction: Overwrite Strings in an executable to avoid detection
Can you spot the vulnerability? #CodeReview
Wacom drawing tablets track the name of every application that you open
AD Privilege Escalation Exploit: The Overlooked ACL & Who Can See LAPS Passwords?
The return of the spoof part 1: Parent process ID spoofing & Part 2: Command line spoofing
Google Chrome to Block Mixed Content Downloads, Prevents MiTM Attacks
Chrome 80 released with silent notification popups, support for same-site cookies
TLS 1.0/1.1 end-of-life countdown heads into the danger zone
Leap Day Twitch Stream: Free online conference on 29 Feb 2020
University Students: Join Us at BountyCon: Apply before February 29 2020
Bug hunter finds cryptocurrency-mining botnet on DOD network
Academics steal data from air-gapped systems using screen brightness variations
TeamViewer stored user passwords encrypted, not hashed, and the key is now public & DecryptTeamViewer
Tesla and other autopilot-driven cars tricked with 2D projections
Emotet can spread to poorly secured Wi-Fi networks and computers on them
Ransomware installs Gigabyte driver to kill antivirus products
New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure
Malware stew cooked up on Bitbucket, deployed in attacks worldwide
Twitter says an attacker used its API to match usernames to phone numbers
Hackers deface Facebook’s official Twitter and Instagram accounts
Police Warning: Cyber Criminals Are Using Cleaners to Hack Your Business
Google says it accidentally sent some users’ private videos to strangers
How to create fake traffic jams in Google Maps with bucket full of smartphones
Government spyware company spied on hundreds of innocent people
A Graduate’s Thoughts: How to Get Started in Information Security and Cyber Security
Mobile Security 101: Common Threats and How to Protect Yourself Against Them
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/31/2020 to 02/07/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
Curated by Pentester Land & Sponsored by Intigriti