Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 07 to 14 of August.
Red Team Village (DEF CON Safe Mode), especially:
I know I’ve mentioned Red Team Village last week, but these videos were just uploaded and are really worth viewing. Three of them are about advanced automation for higher efficiency. The idea is to leverage automation to free up time and be able to focus on other things that cannot be automated. @DanielMiessler, @NahamSec/_StaticFlow_ and @ryanelkins present three different solutions that will probably make you want to rework your tools!
The last talk is about Android app testing. @B3nac shares his methodology and common attack vectors, with focus on Deep links. This is the talk to wathc if you want to focus on Android bounties.
CVE-2020-11518: how I bruteforced my way into your Active Directory
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
These are excellent examples of bug chains that escalate impact to the max.
@honoki followed a lead for Java insecure deserialization that needed arbitrary file upload. So, he reproduced the target environment locally, found a vulnerable file upload functionality, and a bruteforeable authentication key. The combination of all these bugs resulted in RCE on an AD-connected server, which means remote access to the company’s internal networks.
In the second writeup, @spaceraccoonsec explains in great details how XSS (with CSP bypass) and open redirect in an Electron app can be escalated to RCE.
Alyssa_Herrera_ Talks About Bug Bounties, Pulse Secure Research, Hacking US Dept of Defense & More!
@Alyssa_Herrera_ is known for her research on SSRF, Pulse Secure VPN, and for hacking the United Stated Department of Defense. It’s nice to hear her talks about all this, and many other things like her background, testing methodology, burnout, imposter syndrome, etc.
SQLi Query Tampering
Credential Digger
SQLi Query Tampering is a Burp Suite extension that basically ports Sqlmap’s tampering functions to Burp. It helps process and generate custom payloads to manually test for SQL injection. This is really handy when you need to generate payloads that evade WAFs and filters, and prefer manual testing to Sqlmap.
Credential Digger is a Github scanner that looks for hardcoded credentials and filters false positives using machine learning models. I haven’t tested it yet, but the machine learning aspect makes it worth testing. Automatically scouring Github for secrets, with less false positives, is interesting for recon.
Got an XSS? Try to 'upgrade' it to SSRF to get a bigger #BugBounty. Thanks for the #BugBountyTip, @georgeomnet!
❓Never head of ESI Injection before? Check out this @defcon talk: https://t.co/ltXGAuP6AZ#BugBountyTips #HackWithIntigriti pic.twitter.com/0XYUgWrS0M
— Intigriti (@intigriti) August 14, 2020
This is a great tip by @georgeomnet! The next time you find XSS and caching is used, remember to test for ESI injection. It can lead to SSRF, increasing the impact of the XSS.
See more writeups on The list of bug bounty writeups.
CertEagle & Intro: Asset monitoring utility using real time CT log feeds
gl-redteam/gitrob: Gitrob fork that adds several features to gitrob including GitLab support, commit content searching, in-memory repository cloning, and more
ardse: Extracts subdomains of a specified domain using https://api.recon.de
Whoxyrm: A reverse whois tool based on Whoxy API
Vailyn: A phased, evasive Path Traversal scanning & exploitation tool in Python
pmg: Extract parameters/paths from urls
403fuzzer: Fuzz 403/401ing endpoints for bypasses
Evine: Interactive CLI Web Crawler
paraglider: Python tool to check source-code for (hidden) parameters
Mística: An open source swiss army knife for arbitrary communication over application protocols
SkyArk: Helps to discover, assess and secure the most privileged entities in Azure and AWS
Manuka: A modular OSINT honeypot for blue teamers
Overlord: Red Teaming Infrastructure Automation
Cotopaxi: Set of tools for security testing of Internet of Things devices using specific network IoT protocols
Carnivore: A username enumeration and password spraying tool for Microsoft services (Skype for Business, ADFS, RDWeb, Exchange and O365)
DeepSea Phishing Gear: Aims to help RTOs and pentesters with the delivery of opsec-tight, flexible email phishing campaigns carried out on the outside as well as on the inside of a perimeter
AutoGadgetFS: Open source framework that allows users to assess USB devices and their associated hosts/drivers/software without an in-depth knowledge of the USB protocol
Mythic & Intro: Apfell C2 framework is re-branded as Mythic with new features
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/07/2020 to 08/14/2020.
