Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 13 to 27 of July.

Our favorite 5 hacking items #

1. Non technical item of the week #

Under the Hoodie Videos: True Stories from Rapid7 Pen Testers Under the Hoodie - Lessons from a Season of Penetration Testing

I absolutely loved watching these videos, especially “The Bank Job”!

Having only conducted technical “classic” penetration testing and never social engineering or red team engagements, I find these tales mind-blowing. It’s like watching a good action movie made by real hackers.

2. Writeup of the week #

The Daily Swig by the creators of Burp Suite

If I had to choose only one news site to follow, it would be The Daily Swig.

I added it to my RSS feed and what I like about it most compared to other news sites is that it doesn’t flood you with tens of articles everyday about who hacked who, who was arrested, etc.
It presents only few IT sec news which are relevant to me as a pentester / bug hunter, in very concise & well written words.

3. Tutorial of the week #

The poor man’s bug bounty monitoring setup by EdOverflow

I stumbled upon this blog post just as was researching the best way to automate the process of monitoring bug bounty target assets.

Many successful bug hunters strongly recommend doing that especially if you are a full time bug hunter, to gain an advantage over hunters who are not monitoring their targets’ assets (subdomains, acquisitions, TLDs, new functionalities…).

4. Video of the week #

Bug Hunting as a Second Income & Slides

This webinar is a nice complement to Jason Haddix’s Bug hunters methodology talk. It is great for anyone starting in bug bounty or just to learn more about Jason’s process.

5. Tool of the week #

cc.py by Si9int

Common Crawl is an open repository of web crawl data that can be accessed and analyzed by anyone for free.
Cc.py extracts URLs of the target you give it from the Common Crawl dataset. It allows you to quickly and passively obtain a list of URLs available on your target domain, that have been gathered by Common Crawl.

Needless to say that I’ve already added it to my arsenal & methodology!

Other amazing things we stumbled upon this week #

Stuff to watch/listen to #

Videos #

• Vlog by STÖK on H13120 - Hacking Dropbox
• HackerOne Hacker Interviews: @filedescriptor

Podcasts #

• Highly Caffeinated InfoSec
• Ep. 21, Championing New Infosec Talent

Conferences #

• OISF 2018 - Hacking Identity A Pen Testers guide to IAM by Jerod Brennen
• OISF 2018 - Planning & Executing A Red Team Engagement by Tim Wright
• Chat with a hacker (Sides only)
• Identity & Access Management (IAM) In Modern Web Applications: Talk given at null community Bangalore Chapter

Tutorials #

Medium to advanced #

• Escalating Low Severity Bugs To High Severity
• Exfiltration via CSS Injection
• Evading CSP with DOM-based dangling markup
• Osquery injection
• DNS Rebinding Attacks Explained
• Using HTML Attribute Separators for Bypassing WAF XSS Filters
• Instrumenting Electron Apps for Security Testing

Beginners corner #

• Wiki (Collection of tutorials) by si9int
• OSINT Primer: People (Part 2)
• OSINT Primer: Organizations (Part 3)
• File Upload Restrictions Bypass
• Google Search Operators: The Complete List (42 Advanced Operators)
• An Introduction to Penetration Testing AWS: Same Same, but Different
• Attacking JWT Token
• SSL Strip & How awesome it is!
• How to Attack Active Directory
• Secret Holes Behind the Common Load-Balancer
• GraphQL
• Sqlmap tutorials
  • File System Access on Webserver using Sqlmap
  • Important SQLMap Commands
  • Comprehensive Guide to Sqlmap (Target Options)
• IT and InfoSec interview questions: Basic networking terms
• XML EXTERNAL ENTITY (XXE) Processing

Writeups #

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• Owning SAML
• How I hacked companies related to the crypto currency and earned $60,000
• Cisco Webex Teams Remote Code Execution Vulnerability (CVE-2018-0387)
• Stored XSS in Brower ’name’ field reflected in two pages

  • Demonstrating the full impact of #XSS vulnerabilities often pays off… alert() can't compete with full organization takeover https://t.co/SvF7PbwdTT

Tools #

If you don’t have time #

• Photon: Incredibly fast crawler which extracts urls, emails, files, website accounts and much more
• h1-cli by EdOverflow: A CLI tool to interact with hackerone.com. This was my submission for HackerOne’s Summer 2018 Hack Day.
• merge-snallygaster-bfac: Merging and Sorting the URLs/backupfiles obtained from Snallygaster and BFAC

  • If you’ve ever used snallygaster or bfac to find back up files, or other interesting assets on a target, here is a quick utility to merge their results because we dont have a standard format (yet) for storing results from open source tools - https://t.co/KgyVb9kGbZ

• Dirhunt: Find web directories without bruteforce

More tools, if you have time #

• Gitleaks: Audit git repos for secrets
• XSRF Webshots: Script for testing SSRF vulnerability
• BeRoot: Privilege Escalation Project - Windows / Linux / Mac & Tutorial
• ipv4Bypass: Using IPv6 to Bypass Security
• Keyfinder: A tool for analyzing private (and public) key files, including support for Android APK files
• Airbash: A POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing
• GSAN (Get Subject Alternative Names): Extract subdomains from SSL certificates in HTTPS sites.
• Theftfuzzer: A tool that fuzzes Cross-Origin Resource Sharing implementations for common misconfigurations. https://www.sxcurity.pro
• Cr3dOv3r: Know the dangers of credential reuse attacks
• git-secrets: Prevents you from committing secrets and credentials into git repositories
• Request Highlighter: Burp extension that provides an automatic way to highlight HTTP requests based on headers content
• pyBuster by @pwndizzle: A multi-target URL bruteforcer
• Keyfinder: A tool for finding and analyzing private (and public) key files, including support for Android APK files
• Hamburglar: Collect useful information from urls, directories, and files
• Ghostpack: a collection of new offensive security C# tools & Introduction to Ghostpack
• CommonCrawlParser: Simple multi threaded tool to extract domain related data from commoncrawl.org https://www.damianschwyrz.de/

Misc. pentest & bug bounty resources #

• Kringle Con: Registration open for “Santa’s on-line virtual conference to be held in December 2018 in conjunction with the SANS Holiday Hack Challenge” (free but limited space)
• Legal bug bounty
• Bug Bounty Cheat Sheet by EdOverflow: A list of interesting payloads, tips and tricks for bug bounty hunters
• Can I take over XYZ?: A list of services and how to claim (sub)domains with dangling DNS records
• State of Bug Bounty Report 2018 - Vulnerability Edition by Bugcrowd
• Week in OSINT — #2018–28
• Week in OSINT #2018–29
• Top 10 Web Hacking Techniques of 2017 - Nominations Open
• AMA with @0xteknogeek
• The Modern JavaScript Tutorial
• my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc
• awesome-GO-offensive-tools: List of Awesome Offensive Tools written in GO
• Mobile Security Penetration Testing List

Challenges #

• Real World CTF
• Rootme.org SSRF challenge

Non technical #

• The evolutionary waves of the penetration-testing / vulnerability assessment market
• Understanding Information Security Assessment Types by HackerOne
• CREST Bug Bounties Report
• Grey Areas of Bugbounty World
• Hacking Valve: Using Bug Bounties as an Educational Tool
• The Issue of Farming for Easy Cash & The Impact on Bug Bounty Marketplace Dynamics
• Failing the OSCP Exam
• There Is No Get Out Of Jail Free Card When It Comes To Hacking Back
• Hackers Hiding Web Shell Logins in Fake HTTP Error Pages
• Hacking Your Career
• Getting Hired: A Few Tips

Tweeted this week #

We created two collections of our favorite pentest & bug bounty related tweets shared these last two weeks. You’re welcome to read them directly on Twitter:

• Tweets from 07/13/2018 to 07/20/2018
• Tweets from 07/20/2018 to 07/27/2018

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…