The 5 Hacking NewsLetter 106
Posted in Newsletter on May 20, 2020
Posted in Newsletter on May 27, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from May 15 to May 22.
Project Axiom is a set of utilities for deploying and managing your own dynamic infrastructure on Digital Ocean. It includes different commands that you can use to work with VPS instances from the command line. Examples of actions available are launching a VPS instance, backing it up, connecting to it with SSH, deploying a VPN, etc.
An awesome, convenient project for bug hunters, red teamers and pentesters!
RCE in Google Cloud Deployment Manager (Google, $31,337.00)
@epereiralopez found an SSRF that led to RCE on Google. Even though this finding required a really good understanding of Google Cloud Deployment Manager, he does an awesome job of explaining everything in this well-written and descriptive writeup.
A highly recommended read whether you want to learn about SSRF/RCE, getting max bounties on Google, testing Google Cloud Deployment Manager, or how to write great writeups!
@RobinVerton shares a very interesting HTTP header smuggling technique. It exploits differences in how reverse proxies and WSGI frameworks (e.g. Django & Flask) handle header names.
If you’re wondering how this relates to existing HTTP request smuggling research… @albinowax’s techniques involved poisoning Web caches and desynchronizing front-end and back-end systems. This new attack focuses on smuggling individual HTTP headers past the proxy, with the goal of bypassing authentication or taking over accounts. It is relatively easy to pull off, provided you know or can guess the header names the backend trusts.
I’d also recommend checking out this article by The Daily Swig for a high-level summary.
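To make the proxy/WSGI mismatch concrete, here is an added example (my own model, not code from the original post or from Robin Verton's research). It relies on the PEP 3333 rule that a WSGI server exposes every request header as an environ key built by upper-casing the name, replacing "-" with "_" and prefixing "HTTP_", so `X-Trusted-User` and `X_Trusted_User` collapse to the same key. The header name `X-Trusted-User`, the two proxy models and the sample requests are constructed for illustration; the "hardened" variant mirrors nginx's default behaviour of dropping header names that contain underscores.

```python
"""Constructed model of header smuggling between a reverse proxy that filters
on exact HTTP header names and a WSGI backend that normalizes them (PEP 3333).
Not taken from the original write-up; all names below are illustrative."""

from typing import Callable, Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed: a header the edge proxy sets after authenticating the client and
# that must therefore never be accepted from the Internet.
EDGE_ONLY = {"x-trusted-user"}


def wsgi_key(header_name: str) -> str:
    """PEP 3333 mapping of an HTTP header name to its environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def naive_proxy(client_headers: Headers, authenticated_user: Optional[str]) -> Headers:
    """Strips edge-only headers by exact (case-insensitive) HTTP name only.
    'X_Trusted_User' is not in EDGE_ONLY, so it passes straight through."""
    kept = [(n, v) for n, v in client_headers if n.lower() not in EDGE_ONLY]
    if authenticated_user:
        kept.append(("X-Trusted-User", authenticated_user))
    return kept


def hardened_proxy(client_headers: Headers, authenticated_user: Optional[str]) -> Headers:
    """Filters on the key the backend will actually see, and refuses any header
    name containing '_' outright (the nginx default when underscores_in_headers is off)."""
    blocked_keys = {wsgi_key(h) for h in EDGE_ONLY}
    kept = []
    for name, value in client_headers:
        if "_" in name:
            continue
        if wsgi_key(name) in blocked_keys:
            continue
        kept.append((name, value))
    if authenticated_user:
        kept.append(("X-Trusted-User", authenticated_user))
    return kept


def wsgi_environ(headers: Headers) -> Dict[str, str]:
    """Model of a WSGI server building environ; repeated keys are comma-joined."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = wsgi_key(name)
        env[key] = env[key] + "," + value if key in env else value
    return env


def app_current_user(environ: Dict[str, str]) -> Optional[str]:
    """Backend that trusts the edge's header, e.g. Django reading request.META."""
    return environ.get("HTTP_X_TRUSTED_USER")


def who_does_the_app_see(proxy: Callable[[Headers, Optional[str]], Headers],
                         client_headers: Headers,
                         authenticated_user: Optional[str] = None) -> Optional[str]:
    """End-to-end: client -> proxy -> WSGI environ -> application."""
    return app_current_user(wsgi_environ(proxy(client_headers, authenticated_user)))


# Constructed requests: an unauthenticated attacker smuggling the header with
# an underscore, and a legitimate user sending a spoofed copy with a hyphen.
ATTACK = [("Host", "app.example"), ("X_Trusted_User", "admin")]
SPOOF = [("Host", "app.example"), ("X-Trusted-User", "admin")]

if __name__ == "__main__":
    print("naive proxy, attacker  ->", who_does_the_app_see(naive_proxy, ATTACK))
    print("hardened proxy, attacker ->", who_does_the_app_see(hardened_proxy, ATTACK))
    print("naive proxy, alice     ->", who_does_the_app_see(naive_proxy, SPOOF, "alice"))
```

The fix on the proxy side is to canonicalize before filtering (or reject underscored names); on the application side, prefer not to key authentication decisions on a header that a proxy is supposed to strip, or at least verify what your specific proxy does with underscored and oddly-cased names before trusting it. Note that dropping all underscored headers can break legitimate clients that rely on them, so check your traffic first.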
These are two cool videos for anyone interested in Web app hacking and research. @NahamSec interviews @Agarri_FR, who specializes in Web app hacking and fuzzing. Even though he does less bug hunting now, he is still well-known for his past research on SSRF and XML fuzzing, which is still very relevant and referenced today, and for his unique advanced Burp training. So, it’s nice to get to know him, his learning process, how he manages to find bugs without focusing on recon, how he picks research topics, etc.
In the video writeup, @filedescriptor solves Intigriti’s May XSS challenge. He shows how to trigger XSS by chaining a Relative Path Overwrite (RPO) with an open redirect. A nice opportunity to learn about RPOs and less obvious XSS!
The usual method for proxying iOS traffic through Burp opens a Burp proxy listener that is exposed to the whole local network. But what if you’re on a public network and do not want to expose it? @heald_ben shows how to do that with a jailbroken iOS device, an Apple USB cable, iproxy, and SSH tunneling, so the listener can stay bound to your machine’s loopback interface.
The second tutorial is an introduction to OAuth security. It includes a summary of how OAuth 2.0 works (specifically the Authorization Code Grant), and how to test for some common security issues. I love how everything is structured. It provides a good basis to expand upon each time a new attack is discovered.
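As an added example (mine, not code from the OAuth tutorial above), here is the client side of the Authorization Code Grant reduced to the two checks that most often go wrong in the field: the `state` parameter that protects the callback against CSRF and code injection, and `redirect_uri` validation on the authorization server, shown as a weak prefix match beside the exact match that RFC 6749 and the OAuth 2.0 Security Best Current Practice call for. The endpoint, client id, redirect URI and callback URLs are constructed placeholders.

```python
"""Constructed Authorization Code Grant client + redirect_uri checks.
Not from the original tutorial; URIs and identifiers are placeholders."""

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://idp.example/authorize"      # constructed
CLIENT_ID = "demo-client"                              # constructed
REGISTERED_REDIRECT = "https://app.example/callback"   # constructed


@dataclass
class ClientSession:
    """Per-browser-session store; in a real client this is the server-side session.
    Maps each issued state to the redirect_uri it was issued for."""
    states: Dict[str, str] = field(default_factory=dict)


def build_authorization_url(session: ClientSession,
                            redirect_uri: str = REGISTERED_REDIRECT) -> str:
    """Step 1 of the grant: send the user-agent to the AS with a fresh, unguessable state."""
    state = secrets.token_urlsafe(32)
    session.states[state] = redirect_uri
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(query)


def handle_callback(session: ClientSession, callback_url: str) -> Optional[str]:
    """Step 3: accept the code only if the state was issued by this session.
    pop() makes the state single-use, so a replayed or forged callback is rejected."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if not state or not code:
        return None            # missing state: treat as a CSRF attempt, not a valid login
    if session.states.pop(state, None) is None:
        return None            # unknown or already-used state
    return code                # caller now exchanges code at the token endpoint


def weak_redirect_check(requested: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Common AS mistake: prefix match. Anything that merely starts with the
    registered value is accepted, including paths that lead to an open redirect."""
    return requested.startswith(registered)


def strict_redirect_check(requested: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Exact string comparison against the pre-registered URI."""
    return requested == registered


# Constructed payload: traverses from the registered path to a hypothetical
# open redirect on the same host, which would leak the code to the attacker.
TRAVERSAL = REGISTERED_REDIRECT + "/../redirect?to=https://attacker.example"

if __name__ == "__main__":
    s = ClientSession()
    url = build_authorization_url(s)
    issued = next(iter(s.states))
    print("authorization URL:", url)
    print("valid callback   ->", handle_callback(s, f"{REGISTERED_REDIRECT}?code=abc&state={issued}"))
    print("replayed callback->", handle_callback(s, f"{REGISTERED_REDIRECT}?code=abc&state={issued}"))
    print("weak check lets traversal through:", weak_redirect_check(TRAVERSAL))
    print("strict check rejects it:          ", not strict_redirect_check(TRAVERSAL))
```

When testing, the same three probes cover most of what the tutorial lists: drop or tamper with `state` and see whether the client still accepts the code, replay a callback and see whether the state is really single-use, and try `redirect_uri` variants (path traversal, appended query strings, look-alike hosts) to see whether the AS does exact matching or something looser.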
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/15/2020 to 05/22/2020.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…