The 5 Hacking NewsLetter 33
Posted in Newsletter on August 27, 2018
Hey hackers! These are our favorite resources related to pentesting and bug hunters that we came across recently.
This issue covers the week from 17 to 24 August.
How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)
This is a great tutorial on how to set up an automated subdomain takeover scanner “Frans Rosén style”. The author uses subfinder to find subdomains and SubOver to check them for takeover, but you could easily modify the suggested Bash script to add other subdomain tools (like Amass or Massdns).
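As an added example (not code from hakluke's post, subfinder or SubOver), here is a small Python audit of the DNS-level precondition such a scanner looks for: a CNAME on one of your own hostnames whose target no longer resolves. The DNS records, hostnames and the injected lookup function are constructed so the script runs offline; in practice you would pass a function that queries real DNS.

```python
"""Flag subdomains whose CNAME chain ends in NXDOMAIN (dangling records).

A dangling CNAME pointing at a third-party service is the classic precondition
for subdomain takeover, so these are the records to review and remove first.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Tuple[str, str]                     # (type, value), e.g. ("CNAME", "x")
Lookup = Callable[[str], Optional[Record]]   # returns None for NXDOMAIN

# Constructed sample zone (not real records): example.com is a reserved
# documentation domain and every CNAME target below is invented.
SAMPLE_DNS: Dict[str, Record] = {
    "www.example.com":  ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "acme-blog.hosting-provider.example"),
    "acme-blog.hosting-provider.example": ("A", "198.51.100.7"),
    "old.example.com":  ("CNAME", "retired-app.cloud-platform.example"),
    # retired-app.cloud-platform.example has no entry -> NXDOMAIN
    "cdn.example.com":  ("CNAME", "edge.example.com"),
    "edge.example.com": ("CNAME", "gone.cloud-platform.example"),
}

def sample_lookup(name: str) -> Optional[Record]:
    """Offline stand-in for a DNS resolver (assumption: one record per name)."""
    return SAMPLE_DNS.get(name)

def follow_cname(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, str]:
    """Follow a CNAME chain from `name`.
    Returns (last_name, status) with status 'resolves', 'nxdomain' or 'loop'."""
    seen: Set[str] = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return current, "loop"       # cyclic chain: misconfigured, not dangling
        seen.add(current)
        rec = lookup(current)
        if rec is None:
            return current, "nxdomain"   # target gone: takeover candidate
        rtype, value = rec
        if rtype != "CNAME":
            return current, "resolves"   # reached a terminal A/AAAA record
        current = value
    return current, "loop"

def find_dangling(hosts: List[str], lookup: Lookup) -> List[Tuple[str, str]]:
    """Return (host, unresolvable_target) for every host whose CNAME dangles."""
    findings = []
    for host in hosts:
        rec = lookup(host)
        if rec is None or rec[0] != "CNAME":
            continue                     # no CNAME here, nothing to follow
        target, status = follow_cname(rec[1], lookup)
        if status == "nxdomain":
            findings.append((host, target))
    return findings

if __name__ == "__main__":
    for host, target in find_dangling(sorted(SAMPLE_DNS), sample_lookup):
        print(f"DANGLING {host} -> {target}")
```

A dangling result only says the target name is gone; whether the hostname is actually claimable depends on the third-party service it pointed at, which is what SubOver's HTTP checks add on top of this.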
Remote Code Execution on a Facebook server by Daniel Le Gall (@Blaklis_)
Daniel Le Gall found a Facebook Django server with debug mode enabled. Sometimes stack traces are not directly exploitable, but in this case Daniel noticed interesting environment variables that allowed him to forge his own session and therefore execute arbitrary commands on the server. From “technical information disclosure” to RCE, for $5,000!
FindSubDomains: Online tool for subdomains lookup
I’m still playing with this site to determine if it adds value to my current process for finding new subdomains. But this is a nice tool anyway because it allows you to quickly obtain a list of subdomains for when you’re in a hurry or do not have a good network connection to run tools like Amass or Massdns.
Unusual cases of reflected XSS by Mikhail Klyuchnikov (@__Mn1__)
These two unusual reflected XSS cases are nice examples of thinking outside the box to find new XSS flaws on sites that are being tested by myriad other bug hunters.
In the first case, the Referer header had to match a specific format.
In the second case, a value derived from the User-Agent was calculated on the fly and sent as a GET parameter for the request to pass. Mikhail created a PHP script which reads the victim’s User-Agent, computes the corresponding GET parameter value and then redirects the victim to the vulnerable page. He didn’t share the PHP script’s source code (unless I missed it!), but here is an XSS challenge replicating the same behavior: http://infosec.gearhostpreview.com/9p9ch/.
Prioritizing and choosing a program to focus on by HackerOne
The question of choosing a bug bounty program is critical. I used to hesitate a lot and bounce from one program to another without exploring any of them deeply enough. But the most interesting bugs require good knowledge of the target app!
This blog post is helpful if you too are hesitant when choosing a target: it presents criteria for finding the right programs based on your personal goals.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/17/2018 to 08/24/2018
Have a nice weekend folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…