Bug Bytes #8 – XML External Entities, Awesome WAF and Vulnreport

By Intigriti

March 5, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from February 22 to March 1.

Our favorite 5 hacking items

1. Webcast of the week

Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them

One of the first things I was told as a junior pentester was that writing a report is the most important part of a pentest. The reason is that even if you find the craziest vulnerabilities, they’ll bring no value to the customer if you can’t explain them clearly enough. Information like risks, impacts, how the bug works, and how to fix it must be crystal clear so that the client and developers know why they must fix the bug and how.
The good news is that writing good reports is not a magical art; it can be taught. This webcast by SANS has great tips on the topic: 10 mistakes to avoid and what to do instead. They apply whether you write your reports in English or any other language.
This is a must-read resource if you want to improve the quality of your reports.

2. Writeup of the week

Typo in permission name allows to write contacts without user knowledge on Mail.ru ($150)

I’ve never encountered this vulnerability type before, so I found it very interesting. It is basically an Android app vulnerable to permission hijacking (the same idea as link hijacking or subdomain takeover).
The app declares the permission write_contacts in its manifest file. It then defines a content provider that gives access to the app’s contacts database. The problem is that the provider definition guards access with the permission write (instead of write_contacts), and write is not defined anywhere.
So a malicious app could define this permission itself, using the same name, and hence gain access to the content provider. It could write contacts, and users would see nowhere that the malicious app holds this permission.
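The root cause above is a manifest that references a permission name it never declares. The following check, an added example and not code from the writeup or from the Mail.ru app, parses an AndroidManifest.xml and reports every permission a component relies on that is neither declared by the app itself nor a platform permission (the `android.permission.` prefix test is a simplification for the example). The manifest, package name and permission names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Attributes through which a component delegates access control to a permission.
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed manifest for a hypothetical package (not the Mail.ru app): the
# provider's write side is guarded by "write", but only WRITE_CONTACTS is declared.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mailclient">
    <permission android:name="com.example.mailclient.permission.WRITE_CONTACTS"
                android:protectionLevel="signature" />
    <application>
        <provider android:name=".ContactsProvider"
                  android:authorities="com.example.mailclient.contacts"
                  android:exported="true"
                  android:readPermission="com.example.mailclient.permission.WRITE_CONTACTS"
                  android:writePermission="write" />
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def declared_permissions(root):
    """Names of all <permission> elements the app declares itself."""
    return {_attr(p, "name") for p in root.iter("permission")}


def find_undeclared_permissions(manifest_xml):
    """Return (component, attribute, permission) triples for each permission a
    component relies on that the app does not declare and that is not a platform
    permission. Any such name is free for another app to define and be granted."""
    root = ET.fromstring(manifest_xml)
    declared = declared_permissions(root)
    findings = []
    for tag in ("provider", "activity", "service", "receiver"):
        for component in root.iter(tag):
            for attr in PERMISSION_ATTRS:
                perm = _attr(component, attr)
                if perm is None:
                    continue
                if perm in declared or perm.startswith("android.permission."):
                    continue
                findings.append((_attr(component, "name"), attr, perm))
    return findings


if __name__ == "__main__":
    for component, attr, perm in find_undeclared_permissions(SAMPLE_MANIFEST):
        print(f'{component}: android:{attr}="{perm}" is not declared in this manifest')
```

Run against the constructed manifest it flags `.ContactsProvider` with `writePermission="write"`; the fix is to reference the declared `WRITE_CONTACTS` name (or declare `write`) so that no other app can be the first to define the permission the provider trusts.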

3. Resource of the week

Awesome WAF

Wow, this is a pretty impressive collection of WAF resources that @0xInfection open-sourced this week. It contains:

  • Fingerprints of almost all known WAFs (80+)

  • Testing methodology for detecting WAFs

  • Popular evasion techniques with examples

  • Compiled list of known bypasses for WAFs

  • Tools, research papers, blogs, writeups, videos & presentations

Also, the author recommends keeping an eye on it, as he plans to update it regularly.

4. Tool of the week

Vulnreport & Tutorial

This isn’t a new tool; it’s two years old. But I’ve just discovered it thanks to the tutorial above, and it is the pentest reporting tool I’ve been looking for.
It is a web app that you can self-host, and it has great features: you can add applications (targets), multiple tests per application, vulnerabilities from custom-defined vulnerability types, and a lot more (user roles, admin, exporting reports to PDF…).
Truth be told, I haven’t tested it yet, but judging from the documentation and screenshots, this is the most customizable and professional pentest reporting tool I’ve seen. And if it’s still missing something you need, you can add it, since it is open source.

5. Video of the week

XML External Entities ft. JohnHammond

This is an excellent introduction to XXE. It’s concise and contains most of the information you need to understand XXE and start hunting for it. The explanations cover how XML works, what XXE is, the different types, how to detect it… It’s very understandable even for people not familiar with XML.
Also, I love this quote:

‘s’ in ‘xml’ stands for ‘security’

Wait, there is no s in xml…! 😀
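Since the video explains that XXE comes from entity declarations in the DOCTYPE, the usual fix on the parsing side is to refuse any DOCTYPE in untrusted input. The code below is an added example (not from the video or the original post) using only Python’s standard library: `find_doctype` inspects the prolog with expat, which never fetches external resources by itself, and records any external entity so a rejection can be logged with the resource it pointed at; `parse_untrusted_xml` refuses such documents before they reach the real parser. The sample documents, entity name and file path are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Untrusted XML carried a DOCTYPE and therefore may declare entities."""


class _StopAfterProlog(Exception):
    """Internal signal: the DOCTYPE has been read, no need to parse the body."""


def find_doctype(data):
    """Return (doctype_name, external_entities) when the document declares a
    DOCTYPE, else None. external_entities is a list of (entity_name, system_id)
    pairs for SYSTEM/PUBLIC entities, i.e. the resources an XXE would read."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"name": None, "entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen["name"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:  # external entity: value comes from a file or URL
            seen["entities"].append((name, sysid))

    def on_end_doctype():
        raise _StopAfterProlog  # declarations are complete; stop before content

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(data, True)
    except _StopAfterProlog:
        pass
    except xml.parsers.expat.ExpatError:
        pass  # malformed input; the real parse below reports it if no DOCTYPE was seen
    if seen["name"] is None:
        return None
    return seen["name"], seen["entities"]


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, rejecting anything with a DOCTYPE."""
    info = find_doctype(data)
    if info is not None:
        name, external = info
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} rejected; external entities: {external}")
    return ET.fromstring(data)


def rejects(data):
    """True if parse_untrusted_xml refuses the document (handy for tests/logging)."""
    try:
        parse_untrusted_xml(data)
    except DoctypeNotAllowed:
        return True
    return False


# Constructed inputs: a benign order and an attacker-style document that declares
# an external entity pointing at a placeholder local path and references it.
BENIGN = b'<?xml version="1.0"?><order><item sku="A-100" qty="2"/></order>'
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/constructed-secret.txt">]>'
    b'<order><note>&ext;</note></order>'
)

if __name__ == "__main__":
    print("benign root:", parse_untrusted_xml(BENIGN).tag)
    print("rejected:", rejects(WITH_EXTERNAL_ENTITY), find_doctype(WITH_EXTERNAL_ENTITY))
```

Rejecting every DOCTYPE is deliberately coarse: it also blocks purely internal entity tricks such as entity expansion bombs, and legitimate data formats exchanged with untrusted parties almost never need a DTD.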

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Hell Blazer: Automated recon tool

  • GenerateForcedBrowseWordlist.py: Burp extension that builds a wordlist for forced browsing from host(s) in the sitemap or for all in scope

  • Tripped.it (https://tripped.it/): New tool to test for Blind XSS (commercial tool with a free version)

  • Certrip: Subdomain recon tool for pulling Subject Alternative Names from hosts’ TLS certificates

  • Sherlock: Find usernames across social networks (136 sites supported)

  • SplunkWhisperer2 & Introduction: Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations

  • Whori.sh: Bash script that attempts zone transfers for rwhois (i.e. scraping rwhois data from permissive environments)

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Breaches & Vulnerabilities

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/22/2019 to 03/01/2019.

Curated by Pentester Land & Sponsored by Intigriti
