By Intigriti
March 5, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from February 22 to March 1.
Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them
One of the first things I was told as a junior pentester was that writing a report is the most important part of a pentest. The reason is that even if you find the craziest vulnerabilities, they’ll bring no value to the customer if you can’t explain them clearly enough. Information like risks, impacts, how the bug works, and how to fix it must be crystal clear so that the client and developers know why they must fix the bug and how.
The good news is that writing good reports is not a magical art; it can be taught. This webcast by SANS has great tips on this topic. These are 10 mistakes to avoid and what to do instead. They apply whether you write your reports in English or any other language.
This is a must-read resource if you want to improve the quality of your reports.
Typo in permission name allows to write contacts without user knowledge on Mail.ru ($150)
I’ve never encountered this vulnerability type, so I thought it was very interesting. It is basically an Android app vulnerable to permission hijacking (the same idea as link hijacking or subdomain takeover).
The app declares the permission write_contacts in its Manifest file. Then it defines a provider that gives access to the app’s contacts database. The problem is that the provider definition uses the permission write, which is not defined anywhere (instead of write_contacts).
So another, malicious app could define this permission using the same name and hence have access to the content provider. It could write contacts, and users wouldn’t see anywhere that the malicious app has this permission.
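A manifest audit that catches this class of typo before release, as an added example that is not taken from the report or from the app's code. The package name, provider name and manifest below are constructed for illustration; the check flags any component guarded by a custom permission that the same manifest never declares.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("application", "activity", "activity-alias",
              "service", "receiver", "provider")
PERM_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed manifest (not the real app's): write_contacts is declared,
# but the provider's write access is guarded by the undeclared name "write".
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mail">
  <permission android:name="com.example.mail.write_contacts"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".ContactsProvider"
              android:authorities="com.example.mail.contacts"
              android:exported="true"
              android:readPermission="com.example.mail.write_contacts"
              android:writePermission="com.example.mail.write"/>
  </application>
</manifest>"""


def undeclared_permission_refs(manifest_xml):
    """Return (tag, component, attribute, permission) for every guard that
    names a custom permission the manifest itself never declares."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID + "name") for p in root.iter("permission")}
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            for attr in PERM_ATTRS:
                perm = comp.get(ANDROID + attr)
                # Platform permissions (android.*) are defined by the OS itself.
                if perm and perm not in declared and not perm.startswith("android."):
                    findings.append((tag, comp.get(ANDROID + "name"), attr, perm))
    return findings


if __name__ == "__main__":
    for tag, name, attr, perm in undeclared_permission_refs(SAMPLE_MANIFEST):
        print(f"<{tag}> {name}: android:{attr}={perm!r} is not declared in this manifest")
```

A hit still needs manual review, since a permission can legitimately be declared by a companion app from the same developer.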
Wow, this is a pretty impressive collection on WAFs that @0xInfection open sourced this week. It contains:
Fingerprints of almost all known WAFs (80+)
Testing methodology for detecting WAFs
Popular evasion techniques with examples
Compiled list of known bypasses for WAFs
Tools, research papers, blogs, writeups, videos & presentations
Also, the author recommends keeping an eye on it as he plans to update it regularly.
This isn’t a new tool, it’s 2 years old. But I’ve just discovered it thanks to the tutorial above and it is the pentest reporting tool that I’ve been looking for.
It is a web app that you can self host and has great features: You can add applications (targets), multiple tests per application, vulnerabilities from custom defined vulnerability types, and a lot more (user roles, admin, exporting reports in PDF…).
Truth be told, I haven’t tested it yet, but judging from the documentation and screenshots this is the most customizable and professional pentest reporting tool I’ve seen. And if it’s still missing something you need, you can add it since it is open source.
This is an excellent introduction to XXE. It’s concise and contains most information you need to understand XXE and start hunting for it. The explanations include how XML works, what XXE is, the different types, how to detect it… It’s very understandable even for people not familiar with XML.
Also, I love this quote:
‘s’ in ‘xml’ stands for ‘security’
Wait, there is no s in xml…! 😀
#1 GoodCode BadCode – XXE Code Review & Exploit | AppSec Academy
Snyking in – Directory traversal vulnerability exploit in the st package
The Top 10 Things to Do After Installing Kali Linux on Your Computer & Tutorial
BSides Columbus 2019, especially:
Backdoors to the Kingdom: Changing the Way You Think about Organizational Reconnaissance
Materials for Day of Shecurity Boston 2019 – Privilege Escalation Workshop
Medium to advanced
Automate all the things! Postman + Python + Burp macros for the win — Part 1
Setting up Frida Without Jailbreak on devices running Latest iOS 12.4
Beginners corner
Pentest writeups
Responsible disclosure writeups
SHAREit Multiple Vulnerabilities Enable Unrestricted Access to Adjacent Devices’ Files & Exploit
Can your Printer Hack your Secrets: Appweb Authorization Bypass
Bug bounty writeups
SSRF in Slack ($500)
CSRF on Instacart ($300)
Web Cache Deception leading to info disclosure on private program ($300)
See more writeups on The list of bug bounty writeups.
If you don’t have time
GCPBucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated & Google Cloud Platform (GCP) Bucket Enumeration and Privilege Escalation
Tarnish: A Chrome extension static analysis tool to help aide in security reviews & Introduction
Yawast: Antecedent Web Application Security Toolkit, an app meant to simplify initial analysis and information gathering for penetration testers
More tools, if you have time
Hell Blazer: Automated recon tool
GenerateForcedBrowseWordlist.py: Burp extension that builds a wordlist for forced browsing from host(s) in the sitemap or for all in scope
Tripped.it (https://tripped.it/): New tool to test for Blind XSS (commercial tool with a free version)
Certrip: Subdomain recon tool for pulling Subject Alternative Names from hosts’ TLS certificates
Sherlock: Find usernames across social networks (136 sites supported)
SplunkWhisperer2 & Introduction: Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations
Whori.sh: Bash script that attempts zone transfers for rwhois (i.e. scraping rwhois data from permissive environments)
Does_email_address_exist.py: Useful Python script to know if an email address exists, based on Inti’s Medium post
APIsecurity.io Issue 20: Drupal APIs hacked, EU releases IoT standards
List of resources for people asking “I want to get into information security, where do I start?”
Building Virtual Machine Labs: A Hands-On Guide (Free book)
Jenkins Master Post: A collection of posts on attacking Jenkins
OffensiveCSharp: Collection of Offensive C# Tooling
HackerOne CTF for h1-702: “All of the information is included in that tweet”
@try_to_hack Makes History as First Bug Bounty Hacker to Earn over $1 Million although he may not be the first
Bug Allows Bypass of Face ID and Touch ID Authentication of WhatsApp iOS version
Plain wrong: Millions of utility customers’ passwords stored in plain text
Drupal Vulnerability (CVE-2019-6340) Can Be Exploited for Remote Code Execution & WAF bypass
Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers
Padding Oracles: New padding oracle attacks against TLS with CBC. “We tried to get in contact with security teams via common BugBounty sites but had very bad experiences. Man-in-the-Middle attacks are usually out of scope for most website owners, and security teams did not know how to deal with this kind of issue. We lost a lot of “Points” on Hackerone and BugCrowd for reporting such issues”
Full DNSSEC adoption needed to repel state-sponsored DNS hijackers – ICANN
New flaws in 4G, 5G allow attackers to intercept calls and track phone locations
WordPress 5.1 launches with Site Health security feature: “WordPress 5.1 will start showing notices to administrators of sites that run on long outdated PHP versions”
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/22/2019 to 03/01/2019.
Curated by Pentester Land & Sponsored by Intigriti