Bug Bytes #9 – Hacking Web Sockets, $10k Facebook Bug by @vulnano & Automated Bug Hunting

By Intigriti

March 12, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week of 1 to 8 March.

Our favorite 5 hacking items

1. Tool of the week

Rescope & Introduction

Wow, I love this tool! Have you ever experienced the discomfort of adding several targets one by one or playing with regexes to configure your Burp scope? If yes, worry no more!
It is now possible to copy a bug bounty program’s scope from their page, paste it into a .txt file, and convert it to Burp scope using one command.
Rescope takes as input a file containing your target domains, subdomains, IPs, wildcard subdomains, etc., and outputs a JSON file that you can import in Burp to automagically configure your scope. In one shot, and no regex required.
Here’s an example input file:
Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)

Out of Scope:
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9
It can contain any text and descriptions. The tool extracts targets wherever they are. The only thing to remember is to put !EXCLUDE before listing your exclusions, because by default all targets found are considered included.
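To show what such a converter does with the file above, here is a minimal one written for this issue (it is not Rescope’s own code): it pulls hosts, wildcards and IPs out of free text, switches to the exclude list at the !EXCLUDE marker, and emits include/exclude rule objects. The `target.scope` layout is an assumption based on Burp’s exported project options, so compare it with one of your own exports before importing.

```python
import re

# Bare hosts, wildcard hosts and IPv4 addresses or ranges. The lookbehind stops
# path components such as "/login.aspx" from being read as hosts of their own.
TARGET_RE = re.compile(
    r"(?<![\w./-])(?:https?://)?"
    r"((?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3})?)", re.I)

def expand_ip_range(token):
    """'192.168.0.1-2' -> ['192.168.0.1', '192.168.0.2']; anything else passes through."""
    m = re.fullmatch(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})", token)
    if not m:
        return [token]
    return [m.group(1) + str(i) for i in range(int(m.group(2)), int(m.group(3)) + 1)]

def to_rule(target):
    """One target -> one Burp advanced-scope rule; the host is an anchored regex."""
    if target.startswith("*."):
        host = r"^(?:[^.]+\.)*" + re.escape(target[2:]) + "$"   # any subdomain depth
    else:
        host = "^" + re.escape(target) + "$"
    return {"enabled": True, "protocol": "any", "host": host, "port": "", "file": ""}

def parse_scope(text):
    """Free-text scope page -> {"target": {"scope": ...}}, ready for json.dump()."""
    include, exclude = [], []
    bucket = include
    for line in text.splitlines():
        if line.strip().upper() == "!EXCLUDE":
            bucket = exclude            # everything after the marker is out of scope
            continue
        for m in TARGET_RE.finditer(line):
            for target in expand_ip_range(m.group(1).lower()):
                if target not in bucket:
                    bucket.append(target)
    return {"target": {"scope": {"advanced_mode": True,
                                 "include": [to_rule(t) for t in include],
                                 "exclude": [to_rule(t) for t in exclude]}}}
# Constructed sample: the scope text quoted above, as pasted into a .txt file.
SAMPLE = """Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)

Out of Scope:
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9
"""
```

`json.dump(parse_scope(open("scope.txt").read()), open("scope.json", "w"), indent=2)` writes the file to load through Burp’s scope import.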

2. Writeup of the week

Facebook Messenger server random memory exposure through corrupted GIF image ($10,000)

This is one weird bug in Facebook Messenger for Android: @vulnano uploaded a corrupted GIF file with missing content body. The image displayed back contained data from previously used memory buffers. It was leaking data from memory! He noticed it because the image display had white noise, while it was supposed to be blank.
Also, when the images were uploaded with Facebook Messenger for Android, nothing happened. The weird images were only visible from the Facebook Web app.
Another takeaway is to not rely on tools without understanding what they do and how to do the same job yourself. @vulnano first generated corrupted images with Gifoeb, but they caused the app to crash. So he studied the GIF image format and generated his own images.
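The defender-side lesson of this bug, as an added example (not code from the writeup or from @vulnano): walk the GIF block structure before handing the file to a decoder and reject anything whose image data is absent or cut short, so nothing ever has to be filled in from a stale buffer. The block layout follows the GIF89a specification; the sample files are constructed.

```python
# Added example: a structural GIF check that rejects files whose image data is
# missing or truncated before a decoder ever touches them.

def _skip_sub_blocks(data, pos):
    """Step over length-prefixed sub-blocks up to the 0x00 terminator; -1 if data runs out."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    return -1

def validate_gif(data):
    """Return (ok, reason). ok only for a complete GIF with at least one image's pixel data."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "bad header"
    packed, pos, images = data[10], 13, 0
    if packed & 0x80:                            # global colour table follows the descriptor
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                        # trailer: file is complete
            return (images > 0, "ok" if images else "no image data")
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                      # image descriptor (9 bytes) + LZW min code size
            if pos + 10 > len(data):
                return False, "truncated image descriptor"
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:                   # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            start = pos + 1                      # skip the LZW minimum code size byte
            pos = _skip_sub_blocks(data, start)
            if pos == -1 or pos == start + 1:    # cut off, or a terminator with no pixel data
                return False, "image data missing or truncated"
            images += 1
        else:
            return False, "unknown block 0x%02x" % block
        if pos == -1:
            return False, "sub-blocks run past end of file"
    return False, "no trailer"

# Constructed samples: a valid 1x1 GIF, the same file with an empty image body,
# and the same file cut off inside its pixel data.
HEADER = b"GIF89a\x01\x00\x01\x00\x00\x00\x00"                   # no global colour table
IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02"    # descriptor + LZW min code size
GOOD_GIF = HEADER + IMAGE + b"\x02\x44\x01\x00" + b"\x3b"
EMPTY_GIF = HEADER + IMAGE + b"\x00" + b"\x3b"
CUT_GIF = GOOD_GIF[:-3]
```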

3. Tutorial of the week

Hacking Web Sockets: All Web Pentest Tools Welcomed

Web sockets testing is an area where dynamic testing tools are lacking. This tutorial introduces a great way to fill this gap.
It shows you how to use existing tools like SQLmap, Burp Pro active scanner or Commix to pentest Web sockets. This is done through a Web socket harness: a Python script which acts like a proxy between the Web socket and the tool you want to run against it. It gets HTTP traffic from the tool, transforms it into Web socket traffic and sends it to the socket. Then it does the opposite with the Web socket’s response.
This opens a whole new world for fuzzing and automated testing of Web sockets!
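The translation core of such a harness, as an added example (not the tutorial’s script): a scanner’s HTTP request carries its payload in a parameter, the harness drops that payload into the JSON message the application expects, sends it through a caller-supplied function, and wraps the reply in an HTTP response the scanner can diff. The `p` parameter, the message template and `fake_target` are assumptions; a real deployment would pass a websocket-client send/receive wrapper as `send` and serve `handle` from `http.server`.

```python
import json
from urllib.parse import parse_qs, urlsplit

class WsHarness:
    """Translate scanner HTTP requests into WebSocket messages and back."""

    def __init__(self, send, template, field):
        self.send = send          # callable str -> str: sends one message, returns the reply
        self.template = template  # dict the application expects on the socket
        self.field = field        # template key that receives the scanner's payload

    @staticmethod
    def extract_payload(raw):
        """Read parameter 'p' from an HTTP/1.1 request, query string or urlencoded body."""
        head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
        target = head.split("\r\n", 1)[0].split(" ", 2)[1]   # request line: METHOD target VERSION
        params = parse_qs(urlsplit(target).query)
        params.update(parse_qs(body))                         # body wins if both are present
        return params.get("p", [""])[0]

    def handle(self, raw):
        """One scanner request in, one HTTP response carrying the socket's reply out."""
        message = dict(self.template)                         # copy: never mutate the template
        message[self.field] = self.extract_payload(raw)
        reply = self.send(json.dumps(message)).encode()
        return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                b"Content-Length: " + str(len(reply)).encode() + b"\r\n\r\n" + reply)

def fake_target(message):
    """Constructed stand-in for the real socket endpoint: echoes the 'query' field back."""
    return json.dumps({"result": json.loads(message).get("query", "")})
```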

4. Non technical item of the week

How to write a report

This is a great article on writing good quality bug bounty reports. Whether you have experience in bug reporting or not, I highly recommend going through the article and thinking of what could be improved in your reports.
It could help you gain more reputation points and avoid being asked for more details because the explanations weren’t detailed or clear enough.
On this same topic, also check out the bug bounty writeups below. Some of them (especially those by Jobert Abma) are good examples of really well written reports.

5. Slides/Workshop material of the week

Using Docker with Kubernetes for automating Application Security and OSINT workflows
Automating Application Security Bug Hunting: Improving coverage with better automation

Lately, I’ve been thinking about automation a lot. Using custom scripts to automate your recon is one thing, but automation Bounty Machine style is at a whole other level. It involves tools like Kubernetes, Docker, Argo and Golang (for speed).
That’s why I’m so excited about studying these two new resources:
The workshop material explains how to set up Docker with Kubernetes for automated testing. It includes source code and documentation in the form of a Gitbook.
And the slides introduce the framework Intrigue-core which has an interesting Web UI and API.

Other amazing things we stumbled upon this week

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • WebTech & Introduction: Identify technologies used on websites

  • Check.subs.sh: @Blurbdust’s script for enumerating subdomains & checking them for subdomain takeover

  • Data-Over-DNS & Introduction: Tool for tunnelling data over DNS as part of a blind XSS attack

  • Burp-javascript-security-extension & Introduction: A Burp Suite extension for finding malicious JavaScript. It performs checks for cross-domain scripting against the DOM, subresource integrity checks, and evaluates JavaScript resources against threat intelligence data

  • SPAudit & Introduction: Chrome extension for scanning SPAs (Single Page Applications)

More tools, if you have time

  • GitHub Wiki Auditor: Python script to check GitHub accounts for world-editable wiki pages

  • Domainker: BugBounty helper tool, includes plugins to automate testing for CRLF, check if target is hosted on Amazon, and get host CNAME and response codes

  • G-suite-check: Checks if a domain’s MX records point at G Suite

  • Shr3dKit (https://github.com/shr3ddersec/Shr3dKit): Red Team Tool Kit

  • Decker: Declarative penetration testing orchestration framework & Reddit discussion

  • Sheepl: Creating realistic user behaviour for supporting tradecraft development within lab environments (useful for creating red team/blue team AD network environments)

  • ShellCheck (https://github.com/koalaman/shellcheck): A static analysis tool for shell scripts

  • Subzy (https://github.com/LukaSikic/subzy): Subdomain takeover tool which works by matching response fingerprints from can-i-take-over-xyz

  • Subtake: Automatic finder for subdomains vulnerable to takeover. Written in Go, based on @haccer’s subjack

  • Legion: Open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems

  • CVE-2005-1794-check.py: Easy way to test for RDP hard coded RSA key MiTM vulnerability, without actually performing the MiTM

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/01/2019 to 03/08/2019.

Curated by Pentester Land & Sponsored by Intigriti
