By intigriti
May 14, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 3 to 10 of May.
This is a great lab if you want to practice finding authentication vulnerabilities. There are 5 bugs: IP-based authentication bypass, timing attack, client-side auth, leaky JWT and JWT signature disclosure (CVE-2019-7644).
Also, if stuck, check out the walkthroughs. I don’t want to read them before doing the challenges but they seem detailed (like 5 articles in 1!).
Information disclosure on Shopify ($802.20)
This is a fun report! The vulnerability is that a GraphQL endpoint reveals sensitive information without authentication: that’s the internal beer consumption (brands & quantities left) at Shopify’s offices.
What’s interesting is how @eraymitrani found the vulnerable GraphQL endpoint. I highly recommend reading the summary where he explains it.
Basically, he saw in a previous report by @rijalrojan that Shopify had an exposed GraphQL endpoint. So he set out to find other exposed endpoints, following these steps:
Subdomain enumeration
Request /graphql on all subdomains using wfuzz
Filter by 200 responses
Send introspection queries to all of them in Burp Repeater
Get a “query string not present” error
Solve it by adding the “Content-Type” header to the POST request
Look for a domain that leaks private information
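The same steps can be turned into a review check for your own GraphQL endpoints: send a minimal introspection query with the Content-Type header the write-up says was missing, then sort each response into “introspection exposed”, “still missing Content-Type”, “introspection disabled” or “not GraphQL at all”. The code below is an added example, not code from the report or from Shopify; the endpoint URLs and the response bodies are constructed so it runs offline, and the request builder is never sent over the network here.

```python
import json

# Minimal introspection query (constructed for this example): enough to
# learn whether the schema is readable without authentication.
INTROSPECTION_QUERY = "{ __schema { queryType { name } types { name } } }"


def build_introspection_request(url):
    """Return (url, headers, body) for a POST introspection probe.

    The write-up reports a 'query string not present' error until the
    Content-Type header was added, so it is set explicitly here.
    """
    headers = {"Content-Type": "application/json"}
    body = json.dumps({"query": INTROSPECTION_QUERY})
    return url, headers, body


def classify_response(status, body):
    """Map one HTTP response to a review finding."""
    if status != 200:
        return "not-graphql"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-graphql"
    errors = data.get("errors") or []
    messages = " ".join(
        e.get("message", "") for e in errors if isinstance(e, dict)
    ).lower()
    if "query string not present" in messages:
        return "missing-content-type"   # re-send with the header set
    schema = (data.get("data") or {}).get("__schema")
    if schema and schema.get("types"):
        return "introspection-exposed"  # schema readable: review what it leaks
    return "introspection-disabled"


def review(endpoints):
    """Classify (url, status, body) triples; returns {url: finding}."""
    return {url: classify_response(status, body) for url, status, body in endpoints}


# Constructed sample responses standing in for four hypothetical subdomains.
SAMPLE_RESPONSES = [
    ("https://a.example.test/graphql", 200,
     json.dumps({"data": {"__schema": {"queryType": {"name": "Query"},
                                       "types": [{"name": "Query"},
                                                 {"name": "Beer"}]}}})),
    ("https://b.example.test/graphql", 200,
     json.dumps({"errors": [{"message": "Query string not present"}]})),
    ("https://c.example.test/graphql", 200,
     json.dumps({"errors": [{"message": "Introspection is not allowed"}],
                 "data": None})),
    ("https://d.example.test/graphql", 404, "Not Found"),
]

if __name__ == "__main__":
    for url, finding in review(SAMPLE_RESPONSES).items():
        print(f"{finding:24} {url}")
```

An endpoint that comes back “introspection-exposed” is the one to inspect: the report’s finding was not the endpoint itself but the data a single unauthenticated query could reach through it.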
If you’re always hearing about chaining bugs and wondering how to do it in practice, this is a good example.
Self-XSS and login CSRF are generally not paying bugs by themselves. But, combined, they become more dangerous and worthy of a bounty.
The attack scenario in this case is to enter the XSS payload in the address details of the attacker’s account, and make the victim open this account using the login CSRF. When the victim buys something and wants to select the delivery address, the XSS payload is triggered.
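The login CSRF half of that chain works because the login form accepts a POST from any origin. A common fix is a pre-session token: the login page sets a random cookie and embeds an HMAC of it in the form, and the server only accepts a login when the two match. The example below is added here and is not code from the report or the affected program; the secret, the pre-session store-free design and the simulated flows are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Demo secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_presession():
    """Called when the login page is rendered.

    Returns (cookie_value, form_token). The cookie is a random id; the
    form token is an HMAC over that id, so a token copied from the
    attacker's own login page only validates against the attacker's cookie.
    """
    presession_id = secrets.token_urlsafe(16)
    token = hmac.new(SERVER_SECRET, presession_id.encode(), hashlib.sha256).hexdigest()
    return presession_id, token


def validate_login(cookie_value, form_token):
    """Accept the login POST only if the form token matches the cookie."""
    if not cookie_value or not form_token:
        return False
    expected = hmac.new(SERVER_SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


def simulate():
    """Legitimate login vs. a cross-site login POST; returns three booleans."""
    # Legitimate: browser sends the cookie it was given along with the form.
    cookie, token = issue_presession()
    legit = validate_login(cookie, token)

    # Cross-site: the attacker embeds their own token in a forged form, but the
    # victim's browser sends the victim's cookie (or none) to the target site.
    _attacker_cookie, attacker_token = issue_presession()
    victim_cookie, _victim_token = issue_presession()
    forged_with_victim_cookie = validate_login(victim_cookie, attacker_token)
    forged_without_cookie = validate_login(None, attacker_token)
    return legit, forged_with_victim_cookie, forged_without_cookie


if __name__ == "__main__":
    print(simulate())
```

Setting SameSite on the pre-session cookie adds a second layer, and the self-XSS half of the chain is closed separately by encoding the address fields on output; either fix alone breaks the chain described above.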
As its name indicates, this is an awesome asset discovery list. In other words, it’s a list of resources to help find all kinds of assets of an organization: IP addresses, (sub)domains, emails, open ports, cloud infrastructure, business communication infrastructure, data leaks, source code aggregators, and more.
Some of the tools mentioned are classics that you probably already use, but you might also discover something new!
This is a nice introduction to bug bounty. But even if you’re not a beginner, some resources mentioned might be helpful. Personally, I didn’t know of dkimsc4n (a DKIM scanner) and can’t wait to try it.
Also, thanks for mentioning Pentester Land @vavkamil!
We’ve added several new features to our platform:
The submission title length is increased up to 50 characters.
Researchers are now able to specify a preferred payment method (invoice, wire, Payoneer, PayPal) and enter their details. This setting is available in the payout overview.
Researchers are now able to start their vetting procedure with one click via the profile view.
A blogpost about the platform’s new features will be posted soon!
This week we received two bug bounty tips:
Use Exiftool to extract metadata from documents. It might reveal vulnerable HTML-to-PDF generators.
A PDF file can tell more than you think! Great advice from @QuintenBombeke! #BugBountyTip #HackWithIntigriti #BugBounty pic.twitter.com/73ZTUWlH0O
— Intigriti (@intigriti) May 9, 2019
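The reason a PDF “tells more than you think” is the Info dictionary its generator writes (Producer, Creator, dates). Exiftool reads that for you; the code below shows the same extraction in a few lines of Python so you can see exactly which bytes carry the generator name and version. It is an added example, not code from the tweet or from Exiftool; the PDF fragment is constructed, and the generator name and version in it are sample values, not a claim about any product.

```python
import re

# Constructed PDF fragment: a Catalog object, an Info object and a trailer.
# The Info object is what an HTML-to-PDF generator typically fills in.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Producer (examplepdf 1.2.3) /Creator (examplepdf 1.2.3)"
    b" /CreationDate (D:20190509101500Z) /Title (Invoice 1234) >>\nendobj\n"
    b"trailer\n<< /Info 3 0 R >>\n%%EOF\n"
)

INFO_KEYS = (b"Producer", b"Creator", b"Title", b"Author", b"CreationDate")


def extract_pdf_metadata(data):
    """Pull string-valued Info keys out of raw PDF bytes.

    Handles literal strings '( ... )' without nested parentheses, which is
    what most generators emit. Encrypted PDFs or Info dictionaries inside
    compressed object streams need a real PDF parser (or Exiftool).
    """
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", data)
        if m:
            found[key.decode()] = m.group(1).decode("latin-1")
    return found


def generator_fingerprint(meta):
    """Return (name, version) parsed from the Producer string, or None.

    This is the value you would check against your own inventory of
    document generators and their patch status.
    """
    producer = meta.get("Producer", "")
    m = re.match(r"([A-Za-z0-9_.-]+?)\s+v?(\d+(?:\.\d+)+)", producer)
    if not m:
        return None
    return m.group(1), m.group(2)


if __name__ == "__main__":
    meta = extract_pdf_metadata(SAMPLE_PDF)
    print(meta)
    print(generator_fingerprint(meta))
```

On the defensive side, the same extractor run over documents your application serves will show whether they advertise the generator and its version at all; stripping or normalising the Info dictionary before publishing is the usual mitigation.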
The Birthday Trick: If you sign up for a target, set your birthday to today or tomorrow! Then use birthday discount vouchers in your inbox to buy gift cards. Repeat!
BOUNTY TIP: Get yourself a nice bounty present by buying giftcards with birthday discounts 🎁! Repeat & recycle your gift cards to generate infinite money. 💰🤑Thanks, and happy (real) birthday, @securinti! 👑🎂#BugBountyTip #HackWithIntigriti pic.twitter.com/cY1NcM3J4c
— Intigriti (@intigriti) May 14, 2019
HackerOne Hacker Interviews: Jesse Kinser (@randomdeduction)
Zero to Hero: Week 8 – Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
How do I prepare for a CTF Challenge? The Joe McCray Way for Beginners
Risky Business #540 — In depth: Hamas cyber unit destroyed in air strike
Security In Five Episode 486 – The Different Types Of Malware
HITB 2019 materials, especially:
From Chump to Trump – Privilege Escalation By Stealing Elect^H^H^H^H Domain Credentials
Medium to advanced
x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again!
Introduction To Serverless Security: Part 2 – Input Validation
Beginners corner
Burp tip – How to share Burp Apps across Linux Machines/Users.
Top 20 and 200 most scanned ports in the cybersecurity industry
Metasploit Basics for Hackers, Part 25: Web Delivery with Linux/UNIX/OsX
Challenge writeups
Pentest writeups
Responsible disclosure writeups
Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability
TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor
Alert logic Uncovers New Vulnerability in WordPress WP Live Chat – CVE-2019-11185
Bug bounty writeups
RCE on Aeternity ($10,000)
XSS via Deeplink on Twitter ($2,940)
DOM XSS on HackerOne ($565)
Client-Side Enforcement of Server-Side Security on Dropbox ($216)
CSRFs on private program ($3,000)
See more writeups on The list of bug bounty writeups.
If you don’t have time
awesome-jenkins-rce-2019: There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
Natlas: Scaling Network Scanning
ggroup.py: Check for public Google groups given a list of domains
Horn3t: Powerful Visual Subdomain Enumeration at the Click of a Mouse
More tools, if you have time
doNmap.sh: Bash wrapper for nmap scans
Final Recon: OSINT Tool for All-In-One Web Reconnaissance
awsEmailCheck.py: Determines if there is an AWS account associated with a given email address
Scan.sh: Initial recon automation (masscan + nmap import into metasploit db)
wpBullet: A static code analysis for WordPress Plugins/Themes (and PHP)
autOSINT: Recon tool. Uses recon-ng & hunter.io
ReconT: Reconnaissance, footprinting & information disclosure
Shiva: An Ansible playbook to provision a host for penetration testing and CTF challenges
QRGen: Simple script for generating Malformed QRCodes
Jalesc: Just Another Linux Enumeration Script: A Bash script for locally enumerating a compromised Linux box
LDAP_Search: Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
SharpClipHistory: A .NET application written in C# that can be used to read the contents of a user’s clipboard history in Windows 10 starting from the 1809 Build
Nina Zakharenko’s Fundamentals & Intermediate Python Courses (Free Until May 16th), learnpython.dev (Accompanying website) & Repo
All in one Recon Methodology PDF: PDF bundle of multiple recon presentations listed here
Android Security & Malware: Telegram channel by @LukasStefanko on “Security & privacy, malware on Google Play, vulnerabilities, bug bounty hunting, security tips, tutorials, penetration testing..”
Mobile App Sec Assemble: Slack workplace for people interested in Mobile Application Security
Kaonashi: Wordlist, rules and masks from Kaonashi project (RootedCON 2019)
Infiltrate 19 AWS related CTF: Available until 05/31/2019
Finding Unlisted Public Bounty and Vulnerability Disclosure Programs with Google Dorks
Chrome switching the XSSAuditor to filter mode re-enables old attack
Medical Device Security, Part 2: How to Give Medical Devices a Security Checkup
Win a Trip to Las Vegas – Our May 2019 Promotion: The two reports to Facebook during May that are of better quality & with highest reward value will get a paid trip to Las Vegas for DEFCON
Congratulations to our most dedicated researchers in Q1 2019!
Verizon’s 2019 Data Breach Investigations Report & Summary of findings
Who’s Afraid of the Dark? Hype Versus Reality on the Dark Web
‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text
Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone
Cybercrooks steal $40m in Bitcoin from crypto-exchange Binance
Freedom Mobile leaked millions of card data with CVV codes in plain text
Hackers breached 3 US antivirus companies, researchers reveal
Google I/O 2019: Upcoming browser features to help you secure your web application
Japanese government to create and maintain defensive malware
Improving Infosec (or any Community/Industry) in One Simple but Mindful Step
How To Be More Disciplined With Your Goals: 7 Simple Strategies You Should Learn
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/03/2019 to 05/10/2019.
Subscribe to the newsletter here!
Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
Curated by Pentester Land & Sponsored by Intigriti