Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 31 of August to 14 of September.

Our favorite 5 hacking items #

1. Tutorial of the week #

A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)

There is so much to learn to become a successful pentester/bug hunter. I can’t remember which famous bug hunter once said that it used to take him 9 month to learn about a new vulnerability!

That’s why I love this kind of comprehensive guides. It goes from the basics as if you’ve never heard of AWS S3 to advanced concepts on their security and how to test them for misconfigurations.

2. Tool of the week #

Script for gathering domains/subdomains with IPRanges of organization

I am currently trying to improve my recon process, mainly to find new targets (domains & subdomains) as quickly as they become available. So this script comes very handy and complements other more known tools.

It resolves each IP in a given IP range by checking if port 443 is open, retrieves the SSL certificate from port 443 and scrapes it for domains & subdomains.

3. Resource of the week #

Global scan - exposed .git repos

I stumbled upon this article right after discovering a .git folder exposed on a bug bounty target. I was amazed at how easy it was to retrieve parts of the company’s source code and was wondering about the extent of this vulnerability.

This research answers the question and gives a great example of how to scale your hunt for such simple bugs.

4. Writeup of the week #

Account Takeover in Periscope TV

Host headers attacks are usually associated with reset password pages or cache poisoning. From what I understood, this is a new way to exploit host headers attacks: it targets the OAuth implementation used to log into Periscope via Twitter.

Here is how I understand the attack:

• Go to https://www.periscope.tv/ & click login with twitter
• Intercept the request with Burp & change the host header to hackerone.com/www.periscope.tv (instead of www.periscope.tv)
• A URL is returned: https://twitter.com/oauth/authenticate?oauth_token=... Send it to the victim
• The victim opens it and has already authorized the Periscope app in Twitter
• He/she is redirected to <https://www.example.com/www.periscope.tv/i/twitter/loginComplete?oauth_token=[attacker’s oauth token]&oauth_verifier=[victim’s oauth verifier]>
• So the attacker receives on his/her server the victim’s oauth_verifier. He/she can takeover the victim’s account by reusing the same oauth_token & oauth_verifier

5. Conference of the week #

Bounty Hunters by J Wolfgang Goerlich (GrrCon 2018)

I started this blog as a penetration tester, but I confess that I have been obsessed with bug hunting for months.

This is a nice talk about some bugs found by bug hunters on big companies and how to protect against them. The way the stories are narrated made me feel like I was sitting around a campfire with other bug hunters, hearing about their stories…

Other amazing things we stumbled upon this week #

Videos, Conferences & Podcasts #

Videos #

• hardwear.io 2018: Bitfi - You Wouldn’t Steal My Cloins by Andrew Tierney (@cybergibbons)
• Bug Bounty First Meeting

Podcasts #

• PODCAST: What Is a Red Team, Anyway?
• Ep. 30, From hacking a country to running a con

Conferences #

• Practical Web Cache Poisoning: Redefining ‘Unexploitable’, Slides & Whitepaper
• Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies by Alejandro Hernández & Slides (Black Hat USA 2018)
• My First year in Application Security Whitney Phillips

Slides only #

• A story of the passive aggressive sysadmin of AEM

Tutorials #

Medium to advanced #

• Content Security Policy
• HTML Injection
• Disguise PHAR packages as images
• How to use Google’s CSP Evaluator to bypass CSP
• Privilege escalation in the Cloud: From SSRF to Global Account Administrator
• One way to bypass htmlentities
• Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’
• Let’s Trade: You Read My Email, I’ll Read Your Password!
• Exploiting Blind Java Deserialization with Burp and Ysoserial
• Exploring the Burp Suite API
• From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter
• Case Study – New way to Exploit Java Deserialization Vulnerability

Beginners corner #

• Finding The Real Origin IPs Hiding Behind CloudFlare or TOR
• Hacking Mongodb
• A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)
• DNS Lookup (forward)
• Microsoft IIS Tilde Vulnerability
• Web Application Firewall (WAF) Evasion Techniques #3
• Pimp My Shell — 5 Ways to Upgrade a Netcat Shell
• Injection In Apache Cassandra – Part I
• XXE Explanation and Exploitation
• Redis Unauthorized Access Vulnerability Simulation | Victor Zhu

Writeups #

You can find the latest bug bounty writeups in our dedicated page: [List of bug bounty writeups]({{ site.url }}{{ site.baseurl }}/list-of-bug-bounty-writeups.html).
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• Injecting tourism website running codeigniter
• Security Bugs in Practice: SSRF via Request Splitting
• OCR to XSS
• XSS using quirky implementations of ACME http-01
• A Ridiculous Bypass
• Reflected XSS in Realgm.
• Deeply Vulnerable Legacy Code - Portuguese Government Finance & Tax Portal & Breaking into the Finance Government Account of Every Portuguese Citizen & Entity
• Remote code execution vulnerability in WordPress Duplicator < 1.2.42
• A few notes on WordPress Security
• Hacking The RPi Cam Web Interface
• Bypassing Hotstar Premium with DOM manipulation and some JavaScript
• Wi-Jacking: Accessing your neighbour’s WiFi without cracking

Tools #

If you don’t have time #

• Vulmon: a vulnerability search engine. It includes cve id, vulnerability types, vendors, products, exploits, operating systems and anything related with vulnerabilities.
• Sploitus: Vulnerability/exploit search engine, using multiple source feeds
• Datasploit: An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
• pwnedOrNot: Python Script to Find Passwords for Compromised Email Accounts using haveibeenpwned API

More tools, if you have time #

• HackBar: plugin for Burpsuite v0.2 beta & JAR
• Activity Trail Log: BURP extension to record every HTTP request send via BURP and create an audit trail log of an assessment
• Retire.NET: CLI extension to check your project for known vulnerable dependencies
• nmapburp.sh: NMap a network and send all open web servers to Burp
• sploitus.py: Python wrapper to search sploitus.com locally
• twa: A tiny web auditor with strong opinions
• getValidDNS.sh: A little bash script to gather valid AND fast DNS Resolvers from public-dns.info (useful if using MassDns)
• badKarma: advanced network reconnaissance toolkit
• Headless Burp: Provides a suite of Burp extensions and a maven plugin to automate security tests using BurpSuite. https://netsoss.github.io/headless-burp/
• htrace.sh: Simple shell script to debugging http/https traffic tracing, response headers and mixed-content. Scanning domain using Nmap NSE Library. Support external security tools: Mozilla Observatory and SSL Labs API.
• nmap-bootstrap-xsl: A Nmap XSL implementation with Bootstrap

Misc. pentest & bug bounty resources #

• Vulnerability Grant - July, 2018
• BugBountyNotes
• What Permission Delegation changes in Web Security
• windowsblindread: A list of files / paths to probe when arbitrary files can be read on a Microsoft Windows operating system
• List of specific sub-domains seen as CNAMEs
• Pen tester’s Diary : Episode 1
• Werdlists: Wordlists, Dictionaries and Other Data Sets for Writing Software Security Test Cases https://decal.github.io/werdlists
• When is a vulnerability not a vulnerability?
• Open Source Intelligence Gathering 201 (Covering 12 additional techniques)
• F-droid penetration test report
• Penetration test report Solidified Technologies inc.
• I finished Penetration Testing with Kali (PWK) and improved Nmap (just a notch)
• Under the Hoodie: Which Vulns Are Being Exploited by Attackers (and Our Pen Testers) in 2018?

Challenges #

• Hacker101 CTF
• BugBountyNotes challenges
• XSS Polyglot Challenge v2

Non technical #

• Bug Bounties and Mental Health
• Interview with a bug bounty program
• Penetration Testing vs. Red Teaming: PCI Edition

Tweeted this week #

We created two collections of our favorite pentest & bug bounty related tweets shared these last two weeks. You’re welcome to read them directly on Twitter:

• Tweets from 08/31/2018 to 09/07/2018
• Tweets from 09/07/2018 to 09/14/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…