Bug Bytes #7 – Abusing bounces, LazyRecon and LiveOverflow’s definition of a vuln

By Intigriti

February 26, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

You can sign up for the newsletter here.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 15 to 22 February.

Our favorite 5 hacking items

1. Resource of the week

NetSPI SQL Injection Wiki

This is a great wiki on SQL injection for both beginners and advanced testers.
I’m always talking about maintaining a personal knowledge base. If you need inspiration, this is a perfect example of one which is very well organized and includes most things you need to learn or remember for testing SQL injections:

  • Payloads for detection (by type of request)

  • How to identify the Database Management System in use

  • The different injection types and techniques including WAF evasion techniques

  • Payloads for different attack queries (for information gathering, OS commands execution, privilege escalation, etc)

2. Writeup of the week

Abusing autoresponders and email bounces

I think the best bugs are those found after researching a specific topic, finding a new type of bug, then applying the finding to as many sites with a bug bounty program as possible.
This is a great strategy for finding a lot of valid bugs but it requires new thinking and discovering something that few people might have noticed. So it is nice to read about @securinti’s thought process!
This article encompasses a lot of information like:

  • How to find valid target email addresses without spamming them

  • Examples of how to exploit them for many different attacks (blind XSS, arbitrary file upload, Ticket Trick, abusing printers…)

  • How to abuse autoresponder and bounce emails to obtain sensitive information (like someone’s real email address behind a generic one)

  • Two examples of such bugs found on Google and Intigriti

Also, don’t bother testing for the Intigriti bug on other bug bounty platforms, he already did.

3. Tool of the week

LazyRecon by @CaptMeelo (not to be confused with @Nahamsec’s LazyRecon script)

I love peeping into recon tools and seeing which tools, techniques or development practices they use that I don’t.
LazyRecon is very similar to my own automated tool. It’s written in Bash, is a wrapper around staple bug hunting tools (like Amass, Subfinder, Massdns, Masscan, Nmap, Aquatone, Dirsearch…) and is organized following a workflow including all the basic recon steps: subdomain enumeration, subdomain takeover, CORS configuration, IP discovery, port scanning, visual recon and content discovery.
I highly recommend reading through the tool’s description (especially the “Notes” section) and the source code. It’s good to use as is or as a basis for your own complete and customized recon tool.

4. Video of the week

What is a Security Vulnerability?

@LiveOverflow is a genius! Seriously, reading the title of this video, I didn’t understand what there was to discuss: a security vulnerability is any unexpected behaviour or flaw which can have a business impact, whether it is financial or brand image loss.
But this video is about 5 examples which make you think:

  • A CVE that isn’t really a security vulnerability

  • A security vulnerability in a smart contract, which isn’t one according to the owner of the contract, but is a big issue for investors

  • A non-vulnerability that some newbies mistake for one. But if the length of session cookies were shorter, it would actually become a vulnerability…

  • Why there are proposals for removing XSS Auditor from browsers, and why an XSS should be reported even if it is stopped by it

  • Whether to report a vulnerability that is not easily exploitable because of TLS

Sometimes, the line is blurry and it takes experience and intuition to decide whether a bug is a vulnerability or not. It makes sense.
I didn’t realize this before hearing it explained in these terms, but I use intuition too. Reading reports, and the experience that comes from discussions with clients and developers, also help.

5. Tutorial of the week

AWS s3 Buckets Create

This is a short, to-the-point tutorial on how to create AWS S3 buckets. It’s not groundbreaking, but it’s nice to have if you find a misconfigured subdomain pointing to an unclaimed bucket name.
Here’s an example bug bounty writeup from the same author on exploiting such a misconfigured subdomain.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Gorecon: All-in-one reconnaissance tool, a.k.a. Swiss army knife for reconnaissance; a tool that every pentester/bug hunter might want to consider adding to their arsenal

  • Venom: A multi-hop proxy for penetration testers written in Go

  • RootHelper (https://github.com/NullArray/RootHelper): A Bash script that downloads and unzips scripts that will aid with privilege escalation on a Linux system. It automatically downloads and deploys enumeration & priv-esc tools

  • Orc: Post-exploitation framework for Linux written in Bash

  • Deckard: Performs static and dynamic analysis on APKs to extract Xposed hooks

  • Jast: Just Another Screenshot Tool

  • CVE-2019-5736-PoC: PoC for CVE-2019-5736, the recent runc (runtime for Docker and Kubernetes) container breakout bug

Misc. pentest & bug bounty resources

Challenges

  • Vulnado: Purposely vulnerable Java/Spring app to help lead secure coding workshops. Includes SQL injection, XSS, SSRF and RCE (plus reverse shell), all detailed for instruction in markdown so you don’t even need a slide deck

  • XSS challenge by @LooseSecurity

  • RIPS Technologies’ new source code analysis challenge (spoilers in the Tweet’s comments)

  • Subdomain Takeover Lab: Website with more than 70 subdomains intentionally vulnerable to subdomain takeover (AWS/S3, GitHub Pages, Heroku, Tumblr, Tilda…)

Articles

News

Breaches & Vulnerabilities

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/15/2019 to 02/22/2019.

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
