By Intigriti
March 31, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 20 to 27 March.
A new public bug bounty program has been launched for Deriv.com. Check it out here: https://go.intigriti.com/deriv
The first article shows a solution for testing Web apps that have a short session timeout and log you out every time you trigger an exception, and that also require solving a captcha to log in. The captcha makes it complicated to use Burp macros, the traditional way of handling sessions.
@dinosn’s method is to chain Burp with mitmproxy, a second proxy that detects logouts and calls a custom script which runs tesseract OCR to solve the captcha and log back in.
I haven’t had the time to properly test this tool, but judging from its documentation, it offers very interesting functionality. It is a Burp extension that allows you to easily use external tools that were not designed for Burp. You can pipe requests and/or responses with Linux tools like diff, head, cut, grep…
This can be used to show each response’s hash as a comment, which helps spot responses that have the same length but different content (a length-only comparison would treat them as identical). You can also apply a regex to requests and responses and add a comment if a pattern was detected. Many other use cases are explained in the documentation that I invite you to check out.
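As an added illustration of the hash-as-comment idea (example code written for this issue, not the extension’s own code): the script below splits raw HTTP responses into headers and body, attaches a comment with the body length, a short SHA-256 and the regex rules that matched, and then groups responses by length to surface the ones that share a length but differ in body. The sample responses and the two regex rules are constructed for the demonstration.

```python
"""Annotate HTTP responses with a content hash and regex hits, then flag
responses that share a body length but differ in content.

Added example, not the Burp extension's code. The responses and the regex
rules below are constructed for the demonstration.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample responses: req-1 and req-3 are identical, req-2 has the
# same length as req-1 but a different body, req-4 leaks a database error.
SAMPLE_RESPONSES = {
    "req-1": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>user: alice</p>",
    "req-2": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>user: bobby</p>",
    "req-3": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>user: alice</p>",
    "req-4": b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
             b"Error: no such table: users",
}

# Patterns worth a comment in the proxy history (assumed, illustrative rules).
PATTERNS = {
    "sql-error": re.compile(rb"no such table|SQL syntax|ORA-\d{5}"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    return status, header_lines, body

def annotate(raw: bytes) -> dict:
    """Produce the fields an external-tool pipeline would attach as a comment:
    body length, a short sha256 of the body and the regex rules that matched."""
    _, _, body = split_response(raw)
    digest = hashlib.sha256(body).hexdigest()[:12]
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(body))
    return {"length": len(body), "hash": digest, "hits": hits}

def comment_for(raw: bytes) -> str:
    """Render the annotation as one line, like a proxy-history comment."""
    a = annotate(raw)
    hits = ",".join(a["hits"]) or "-"
    return f"len={a['length']} sha256={a['hash']} hits={hits}"

def same_length_different_body(responses: dict) -> dict:
    """Return {length: {hash: [request ids]}} for every body length that covers
    more than one distinct hash, i.e. responses a length-only view conflates."""
    by_len = defaultdict(lambda: defaultdict(list))
    for rid, raw in responses.items():
        a = annotate(raw)
        by_len[a["length"]][a["hash"]].append(rid)
    return {n: dict(h) for n, h in by_len.items() if len(h) > 1}

if __name__ == "__main__":
    for rid, raw in SAMPLE_RESPONSES.items():
        print(rid, comment_for(raw))
    for n, groups in same_length_different_body(SAMPLE_RESPONSES).items():
        print(f"length {n}: {len(groups)} distinct bodies -> {groups}")
```

Run as-is, it prints one comment line per sample response and then reports that the 18-byte bodies hide two distinct contents; hashing only the body (not the headers) keeps volatile headers such as Date from making every response look unique.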
2019-12-11-Jan Masarik – Automating bug bounty + Opening ceremony, Slides, Master’s thesis & Bugshop
This is awesome work on bug bounty automation. @s14ve did a Master’s thesis on this topic and presents everything he came up with: Common bugs, existing tools for automation, and his own solution. This is in the form of a conference talk, slides, the thesis report, and the tool’s source code.
I’ve been intrigued by some of the paid/closed source tools he mentions, especially Bounty Machine. So, it is amazing to be able to play with this free, open source, well documented alternative.
This is a crash course on Java for the purpose of writing Frida scripts. If you’ve tried using existing scripts and wondered how to modify them for your own needs, this will help you quickly understand the syntax and most of what you need to know.
The first resource is a neat Web security course taught last quarter at Stanford. It is comprehensive and up-to-date. In addition to videos, slides and external links, you’ll also find assignments and an exam!
The second resource is a cool cheatsheet/memo for most programming languages. It is helpful whether you are working with JavaScript, Bash, Python, Go, Rust or Ruby…
@Smsecurity Talks About Oscp, Deserialization Bugs, Shodan Tips and What It Takes to Become an MVH
Finding Your Next Bug: Blind Cross Site Scripting (XSS) & XSS Hunter
Bounty Thursdays – VirSecCon, H1-2004, VDP Finder, Bug Bytes, Bugcrowd Community.
Risky Business #576 — Are cloud computing resources the new toilet paper?
Paul’s Security Weekly #644 – Drobo Exploit, Docker Escape, SMBv3.11
Paul’s Security Weekly #644 – Work From Home Securely – Peter Smith, Edgewise
Security Weekly News #21 – Zoombombing, Zero Days, & Signal Sciences
Working from Home Pt.1: Pimp Myself, Pt.2: Pimp My Office & Pt.3 – Pimp My A/V
Matthias Wilson-OSINT around the world – researching people and companies worldwide
SANS CyberCast – SANS@Mic -Attacking Serverless Servers: Reverse Engineering the AWS, Azure, and GCP Function Runtimes & Puma Security Serverless Prey
Infrastructure as Code: Setting up a web application penetration testing laboratory
Prevent DOM-based cross-site scripting vulnerabilities with Trusted Types
A deep dive into disable_functions bypasses and PHP exploitation
Kerberoasting: AES Encryption, Protected User Group and Group MSA
Richsploit: One tool to exploit all versions of RichFaces ever released
Vulnerability In WPvivid Backup Plugin Can Lead To Database Leak
Profile-picture name parameter with large value lead to DoS for other users and programs on the platform (HackerOne, $2,500)
User input validation can lead to DOS (Twitter, $560)
Facebook CSRF bug which lead to Instagram Partial account takeover. (Facebook, 12,500)
Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image)
$3,500 Bounty for SSRF (video) (Slack, $3,500)
s3reverse: Go script that converts a list of S3 bucket addresses into a single format (which serves as input for other tools)
InQL Scanner: Tool for speeding-up GraphQL security testing, can be used as a stand-alone script, or as a Burp Suite extension
qsfuzz (Query String Fuzz): Go tool that allows you to build your own rules to fuzz query strings and easily identify vulnerabilities
Zile: Extract API keys from a file or URL using the magic of Python and regex
Unicollider: A fun retro lookup tool to generate Unicode collisions based on the “Hacking Github with Unicode’s Dotless i” article
Webpack Exploder: Client-side Webpack unpacking tool
FProbe: Take a list of domains/subdomains and probe for working http/https servers
XXExploiter: Tool to help exploit XXE vulnerabilities
AdvancedKeyHacks: API Key/Token Exploitation Made easy.
Subra: A Web-UI for subdomain enumeration (subfinder)
LeakLooker GUI & Introduction: Discover, browse and monitor database/source code leaks, using Binary Edge
nullscan & Demo: A modular framework designed to chain and automate security tests
Fuze: The easiest way to decrypt iOS applications
CrackerJack: A Web GUI for Hashcat developed in Python that can be used for simple on-demand password cracking
Envizon: Network visualization & vulnerability management/reporting
yanp.sh & Introduction: Nessus CSV Parser and Extractor
SharpML & Introduction: Password Hunting with Machine Learning in Active Directory
IntelSpy: Perform automated network reconnaissance scans
C2concealer & Introduction: A C2 Malleable Profile Generator for Cobalt Strike
Ninja: Open source C2 server created for stealth red team operations
InstaSave: Python script to download images, videos & profile pictures from Instagram
WhatsMyName.app #OSINT
VirSecCon2020 & Discord invite: April 4
30% off all ebooks at http://nostarch.com now through April 1st, 2020
Google’s Threat Analysis Group (TAG) – Identifying vulnerabilities and protecting you from phishing
FireEye warns about the proliferation of ready-made ICS hacking tools
Email security: Mail.ru patches critical memory disclosure flaw
4G networks vulnerable to denial of service attacks, subscriber tracking
Microsoft Warns of Hackers Exploiting Unpatched Windows Bugs
Kr00k exploit tool allows pen testers to probe for WiFi security vulnerability
Phineas Fisher Says They Paid $10,000 Bounty to Person Who Hacked Chilean Military
Rare BadUSB attack detected in the wild against US hospitality provider
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
A mysterious hacker group is eavesdropping on corporate email and FTP traffic
HHS.gov Open Redirect Used by Coronavirus Phishing to Spread Malware
Never-before-seen attackers are targeting Mideast industrial organizations
Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps
WHO Targeted in Espionage Attempt, COVID-19 Cyberattacks Spike
Ryuk Ransomware Keeps Targeting Hospitals During the Pandemic
Google’s Chrome will give you an ‘always show full URL’ setting
Mozilla Firefox Gets a HTTPS Only Mode For More Secure Browsing
Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
How to prevent your Zoom meetings being Zoom-bombed (gate-crashed) by trolls
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/20/2020 to 03/27/2020.
Curated by Pentester Land & Sponsored by Intigriti