Bug Bytes #69 – @FransRosen’s postMessage tracker, the @zseano files & SSRF in e-mail addresses

By Intigriti

May 5, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 24 of April to 01 of May.

Our favorite 5 hacking items

1. Tools of the week

postMessage-tracker is a Chrome extension presented by @fransrosen in his “Attacking Modern Web Technologies” talk. It monitors postMessage listeners in all subframes of the window and logs everything, helping find postMessage issues such as XSS and data extraction bugs.
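To show the listener weakness that a postMessage logger surfaces, here is an added example that is not code from the newsletter, from the talk, or from postMessage-tracker itself: the same `message` handler written without an origin check beside a hardened version, plus the exact-match versus prefix-match origin comparison that decides whether the check holds. It runs under Node with constructed stand-ins for `MessageEvent`; the trusted origins, the `setTitle` message type and the sink objects are assumptions made for the example.

```javascript
// Added example: weak vs hardened postMessage listener (constructed, not from the page).
// In a browser the wiring would be:
//   window.addEventListener("message", (e) => hardenedHandler(e, document.body));

// Origins this page is willing to accept messages from (hypothetical values).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);

// Weak listener: trusts any origin and writes event.data straight into an
// HTML sink (simulated here by sink.html). Untrusted frames can drive it.
function weakHandler(event, sink) {
  sink.html = String(event.data); // no origin check, no data validation
  return true;
}

// Hardened listener: exact-match origin allowlist, a structured message with
// a known type, length-bounded fields, and a text (non-HTML) sink.
function hardenedHandler(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;          // unknown origin
  if (typeof event.data !== "object" || event.data === null) return false;
  if (event.data.type !== "setTitle") return false;              // unknown message type
  const title = event.data.title;
  if (typeof title !== "string" || title.length > 200) return false;
  sink.text = title;                                             // textContent-style sink
  return true;
}

// Exact matching is the check to look for when auditing a listener.
function isTrustedOriginExact(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Prefix matching is a common mistake: an origin that merely begins with a
// trusted one (e.g. a longer hostname) passes. Kept here only to show the gap.
function isTrustedOriginPrefix(origin) {
  for (const trusted of TRUSTED_ORIGINS) {
    if (origin.startsWith(trusted)) return true;
  }
  return false;
}

// Constructed events standing in for MessageEvent objects.
const untrustedEvent = { origin: "https://untrusted.invalid", data: "<b>injected</b>" };
const trustedEvent = { origin: "https://app.example.com", data: { type: "setTitle", title: "Hello" } };

function demo() {
  const weakSink = {};
  const hardSink = {};
  return {
    weakAccepted: weakHandler(untrustedEvent, weakSink),
    weakSinkHtml: weakSink.html,
    hardRejectedUntrusted: hardenedHandler(untrustedEvent, hardSink) === false,
    hardAcceptedTrusted: hardenedHandler(trustedEvent, hardSink),
    hardSinkText: hardSink.text,
  };
}
```

The point a logger such as postMessage-tracker makes visible is the first branch of `hardenedHandler`: once every listener in every frame is enumerated, the ones lacking an exact `event.origin` comparison are the ones to review first.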

Semgrep is like grep but for code. Both hackers and developers can use it to detect vulnerabilities by looking for anti-patterns in code. Here are two examples of patterns to look for in Go: 1 & 2. Languages supported are Python, JavaScript, Go, Java, C, and soon PHP and Typescript.

2. Writeup of the week

This is a very well-written and informative writeup on SSRF. @d0nutptr shares what he looks for when testing SSRF, and 5 interesting bugs he found that earned him more than $4,800 in total. My main takeaway is to start signing up to apps using Burp Collaborator emails like user@abc123.burpcollaborator.net.

If you receive an HTTP request in addition to the expected SMTP message (email), there is potential for SSRF.
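To make the triage step concrete, here is an added example that is not from the newsletter or from the writeup: it groups out-of-band interactions by the per-signup token in the email domain and flags any token that received an HTTP request on top of the expected SMTP delivery. The interaction records are constructed for the example and do not follow Burp Collaborator's export format; the tokens, timestamps and client addresses are made up.

```javascript
// Added example: triage of out-of-band interactions after signing up with
// addresses of the form user@<token>.<oob-domain>. Constructed data, not Burp's format.

const OOB_DOMAIN = "burpcollaborator.net";

// Constructed sample records: two signups, one per target, using
// user@abc123.<domain> and user@def456.<domain>.
const INTERACTIONS = [
  { time: "2020-04-28T10:00:01Z", type: "DNS",  host: "abc123.burpcollaborator.net", client: "203.0.113.10" },
  { time: "2020-04-28T10:00:02Z", type: "SMTP", host: "abc123.burpcollaborator.net", client: "203.0.113.10",
    detail: "RCPT TO:<user@abc123.burpcollaborator.net>" },
  { time: "2020-04-28T10:00:03Z", type: "HTTP", host: "abc123.burpcollaborator.net", client: "203.0.113.10",
    detail: "GET / HTTP/1.1" },
  { time: "2020-04-28T11:30:00Z", type: "DNS",  host: "def456.burpcollaborator.net", client: "198.51.100.7" },
  { time: "2020-04-28T11:30:01Z", type: "SMTP", host: "def456.burpcollaborator.net", client: "198.51.100.7",
    detail: "RCPT TO:<user@def456.burpcollaborator.net>" },
];

// Extract the signup token: the label immediately left of the OOB domain.
// Returns null for hosts that are not under the OOB domain at all.
function tokenFromHost(host, oobDomain = OOB_DOMAIN) {
  const suffix = "." + oobDomain;
  if (!host.endsWith(suffix)) return null;
  const prefix = host.slice(0, -suffix.length);
  return prefix.split(".").pop(); // rightmost label survives nested subdomains
}

// Group interactions per token and assign a verdict:
//   HTTP seen          -> something fetched the email domain over HTTP (possible SSRF)
//   SMTP only (+DNS)   -> ordinary mail delivery, nothing to chase
//   DNS only           -> lookup without delivery
function triage(interactions, oobDomain = OOB_DOMAIN) {
  const byToken = new Map();
  for (const it of interactions) {
    const token = tokenFromHost(it.host, oobDomain);
    if (!token) continue;
    if (!byToken.has(token)) byToken.set(token, { types: new Set(), clients: new Set(), http: [] });
    const entry = byToken.get(token);
    entry.types.add(it.type);
    entry.clients.add(it.client);
    if (it.type === "HTTP") entry.http.push(it);
  }
  const results = [];
  for (const [token, e] of byToken) {
    let verdict;
    if (e.types.has("HTTP")) verdict = "possible SSRF: HTTP request to the email domain";
    else if (e.types.has("SMTP")) verdict = "expected: mail delivery only";
    else verdict = "DNS only: lookup without delivery";
    results.push({
      token,
      verdict,
      types: [...e.types].sort(),
      clients: [...e.clients].sort(),
      httpCount: e.http.length,
    });
  }
  return results.sort((a, b) => a.token.localeCompare(b.token));
}

// Run on the constructed data when executed directly.
for (const r of triage(INTERACTIONS)) {
  console.log(`${r.token}: ${r.verdict} [${r.types.join(",")}] from ${r.clients.join(",")}`);
}
```

Using one token per target is what makes the grouping work: the token ties each interaction back to a specific signup, so the HTTP request can be attributed to the application that received that email address rather than to the mail infrastructure in general.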

3. Videos of the week

Hackers are sharing so much good stuff these days! In this week’s must-see videos:

@securinti solves Intigriti’s latest XSS challenge. He based it on a bug found in a live hacking event, and shares so many cool tips on using Chrome DevTools.

@zseano hacks a Web app live and thinks out loud, sharing his mindset and approach.

Mayonaise talks about his recon workflow and hacking approach, automation, learning process…

@stokfredrik shares advice on how to learn new skills, and dealing with duplicates. Personal development applied to hacking!

4. Non technical items of the week

These are two interesting reads that can help get into a successful bug hunting mindset. @zseano is interviewed about his unique approach and experience, and @sharathsanketh shares some of his realizations as a beginner bug hunter trying to up his game.

5. Resources of the week

Daily-commonspeak2 is an unofficial repo for Commonspeak2 wordlists generated daily. Useful for subdomain recon!

The mobile testing checklist covers both iOS and Android. I like its simple format, which helps you remember everything to test for, with references and the tools needed.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Chrome Galvanizer & Introduction: A tool to generate Chrome enterprise policies to help users boost Chrome extension security

  • CursedChrome

  • Trishul: Burp Extension to hunt for common vulnerabilities including XSS, SQL injection & SSTI

  • APKEnum & Introduction: A Python Utility For APK Enumeration

  • WebIDL: New fuzzer to help identify security vulnerabilities in the implementation of WebAPIs in Firefox

  • Nozaki: Security oriented HTTP fuzzer engine

  • DevToolReader & Introduction: Python script that parses Indexeddb files – used to extract Firefox DevTools console history

  • pwncat: Netcat on steroids with Firewall and IPS evasion, bind and reverse shell, local and remote port-forward

  • SitRep: Extensible, configurable host triage

  • jbosswidlyfly_to_hashcat.py: Python 3 script to convert JBoss/Wildfly user properties list to hashcat mode 20

  • AzureADLateralMovement & Introduction: Bloodhound for Azure AD

  • Pivotnacci: A tool to make socks connections through HTTP agents

  • Wifipumpkin3: Powerful framework for rogue access point attack

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Coronavirus

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/24/2020 to 05/01/2020.

Curated by Pentester Land & Sponsored by Intigriti
