Bug Bytes #70 – Gmail XSS, Decrypting HTTPS without MiTM & Hakluke’s TikTok Tips

By Intigriti

May 12, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 1 to 8 May.

Intigriti news

We launched another XSS challenge! Find the XSS and WIN a Burp Suite Pro license (1 year):

NEW CHALLENGE 🎯: Find the XSS and WIN a @Burp_Suite Pro License! As usual, we'll tweet a tip for every 100 likes. 💜 GO! 👇 https://t.co/dYnctSfAAq #HackWithIntigriti

— Intigriti (@intigriti) May 11, 2020

Our favorite 5 hacking items

1. Article of the week

Decrypting and analyzing HTTPS traffic without MITM

This article revisits a known technique for decrypting TLS traffic of mobile apps. It shows why Man-in-The-Middle is not always the best method, since bypassing certificate pinning or client certificate authentication can be complicated.

The idea is to use Frida to steal the session key, sniff traffic with Wireshark and decrypt it in real time by providing Wireshark with the session key, and finally import the requests to Burp using the PDML importer for Burp Suite.

2. Writeup of the week

DOM XSS in Gmail with a little help from Chrome (Google, $5,000)

This is a cool DOM XSS found in Gmail. So, no recon, no looking for obscure or forgotten subdomains. @opnsec used the main site, focused on the postMessage API and on understanding how the different iframes communicate with each other. He used postMessage-logger to make cross-frame messages visible in DevTools, and analyzed the different requests and JS code to get a working PoC. Moral of the story: DOM XSS is still a thing, complicated front-end code like Gmail’s won’t be confusing if you know exactly what to focus on (e.g. postMessage), and if DevTools is lacking a feature, develop your own extension!

3. Videos of the week

James Kettle (albinowax) Talks About Request Smuggling, Security Research, Hacking, and More!

API hacking for the Actually Pretty Inexperienced hacker with Katie Paxton-Fear – OWASP DevSlop

The first one is an interview with @albinowax. Anyone interested in Web app hacking, bug bounty or security research should watch it. He talks about his learning process, how he leverages automation and bug bounty for research, how he chooses research topics, etc. The second video is a talk by @InsiderPhD on API hacking. She shares her approach and the bugs to look for, with demonstrations using a custom vulnerable API.

4. Tool of the week

Transformations

Transformations is a new tool by @jobertabma that helps find out how inputs are transformed by Web apps. For instance, let’s say that a server responds with `c1aa46d751f1ffa58481418667134109ac5f573c` when you give it `test`. Feeding both strings to the tool will tell you that the transformation performed is `stringReverse(sha1(md5(md5("test"))))`. This can be useful for building payloads that bypass WAFs, or for understanding seemingly random strings.
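To show what a tool like Transformations has to do under the hood, here is an added example (my own code, not @jobertabma's tool): a breadth-first search over a small set of transformation primitives that recovers the shortest chain mapping an input to an observed output. The primitive names, the depth limit and the search strategy are assumptions for illustration, not the tool's actual API.

```python
"""Recover a chain of string transformations from an input/output pair."""
import base64
import hashlib
from collections import deque

# Candidate primitives (assumed set, not the tool's). Each maps str -> str;
# the names are our own labels chosen to read like the tool's output.
PRIMITIVES = {
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "stringReverse": lambda s: s[::-1],
    "toUpperCase": lambda s: s.upper(),
    "toLowerCase": lambda s: s.lower(),
}


def apply_chain(chain, value):
    """Apply primitives in order: the first name in `chain` runs first."""
    for name in chain:
        value = PRIMITIVES[name](value)
    return value


def find_chain(inp, out, max_depth=4):
    """Breadth-first search for the shortest chain turning `inp` into `out`.

    Returns the list of primitive names in application order, [] when the
    strings are already equal, or None if nothing matches within max_depth.
    Intermediate values are deduplicated so no-op steps (e.g. lowercasing
    an already-lowercase digest) are not explored again.
    """
    seen = {inp}
    queue = deque([(inp, [])])
    while queue:
        value, chain = queue.popleft()
        if value == out:
            return chain
        if len(chain) == max_depth:
            continue
        for name, fn in PRIMITIVES.items():
            nxt = fn(value)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, chain + [name]))
    return None


def as_expression(chain, literal='"test"'):
    """Render a chain as nested calls, innermost first: last step outermost."""
    expr = literal
    for name in chain:
        expr = f"{name}({expr})"
    return expr


if __name__ == "__main__":
    # Input/output pair quoted in the newsletter item above.
    target = "c1aa46d751f1ffa58481418667134109ac5f573c"
    chain = find_chain("test", target)
    print(as_expression(chain) if chain else "no chain found within depth limit")
```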

5. Tips of the week

Hakluke’s hacking advice:
- How to ACTUALLY get started with bug bounties
- How to pick your first bug bounty program
- What tools can you use to find critical vulnerabilities easily?
- Do you need to be able to code to find bug bounties?
- Which vulnerability should you learn first?!
- What are the best resources for beginner hackers?
- COMMUNITY. IS. IMPORTANT.
- There is such thing as too much recon
- How to stop finding duplicates
- Abusing the “first mover advantage” in bug bounties
- One of my best hacking tips: NEVER ASSUME ANYTHING!

These are the sweetest tips for bug hunters. @hakluke started tweeting short videos, each answering a specific question like the ones above. I love that he tells concise, no BS truths, in a light tone, the way only a real friend would do.

Make sure to follow him on Twitter to get any new ones!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Coronavirus

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/01/2020 to 05/08/2020.

Curated by Pentester Land & Sponsored by Intigriti
