Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.

This issue covers the week from 14 to 21 of September.

Our favorite 5 hacking items #

It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.

1. Tutorial of the week #

Discovering GraphQL endpoints and SQLi vulnerabilities by @localh0t

I read more and more bug bounty writeups like this one or this one that mention misconfigured GraphQL endpoints and these bugs seem to pay really well.

GraphQL is an alternative to Web services like REST. This tutorial is a great introduction to understand their differences, how to find hidden GraphQL endpoints and exploit them to detect SQL injection.

2. Writeup of the week #

How I XSS’ed Uber and Bypassed CSP by @mefkansec

I love the creativity of the recon work that led to this XSS: @mefkansec looked for Uber invitation links mentioned everywhere on forums & social media. Then he used a google dork to find a lot more invitation links in order to gather new GET parameters until he found one that was vunerable to a simple reflective XSS.

But the PoC didn’t work because of the CSP! The list of whitelisted domains showed that Uber subdomains are allowed. So in his working PoC, he used an Uber subdomain (found in VirusTotal) which redirects to a Marketo subdomain. By adding a callback parameter, he could execute Javascript:

https://partners.uber.com/p3/referrals/ms?i=bq6ew1w9ue&m=ANNIVERSARY&v=1"><script src=”https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>

3. Tip of the week #

How to get source code of any electron application

@Yassineaboukir recommends reverse engineering and analyzing the source code of Electron apps, as an easy way to find hardcoded secrets. The tutorial he mentions is very concise and should help you get started quickly.

Also, @0xibram recommends in the comments using this guide once you have the source code: Electron Security Checklist - A guide for developers and auditors.

4. Resources of the week #

@gwendallecoguic suggests 4 blog posts that helped him learn how to bypass Cloudflare. Try the different techniques until you find one that works on your target.

5. Tool of the week #

ct-exposer

This tool helps monitor Certificate Transparency logs for new subdomains, when you’re targeting a specific bug bounty program or during a long term pentest engagement.

It uses the API of Entrust Datacard’s Certificate Transparency Search Tool.

Other amazing things we stumbled upon this week #

Videos, Conferences & Podcasts #

Videos #

• SANS Webcast: Password Cracking - Beyond the Basics

Conferences #

• How to rob a bank over the phone by Joshua Naga Crumbaugh (GrrCon 2018)

Slides only #

• So You Want To Red Team? (44CON)
• Electron: Abusing the lack of context isolation - CureCon(en)

Tutorials #

Medium to advanced #

• XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites
• Quoteless Javascript Injections
• Web Caching
• Subdomain Takeover: Identifying Providers
• A practical guide to testing the security of Amazon Web Services (Part 2: AWS EC2)
• Erlang Authenticated Remote Code Execution

Beginners corner #

• Basic Penetration testing lab — 1
• Basic iOS Apps Security Testing lab — 1
• Testing Password Reset Functionalities
• How to extract APK file of an Android application
• Content Security Policy
• 5 ways to bypass account lockout in web applications

Writeups #

• How I was able to takeover any Account of the Official Bookstore of the French Senate?
• How I hacked 747 game 😎 | Built Cheat Bot using Deep Learning
• SSRF as a Service: Mitigating a Design-Level Software Security Vulnerability
• Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges
• Gaining RCE by abusing Node-RED
• Security Bugs in Practice: SSRF via Request Splitting

Tools #

• CertStreamMonitor: Monitor certificates generated for specific domain strings and associated, store data into sqlite3 database, alert you when sites come online
• cookie-decrypter: A Burp Suite Professional extension for decrypting/decoding various types of cookies
• TruePolyglot: Polyglot file generator project. This means that the generated file is composed of several file formats. The same file can be opened as a ZIP file and as a PDF file for example.
• terraform-burp-collaborator: Terraform configuration to build a Burp Private Collaborator Server
• Upload Scanner: HTTP file upload scanner for Burp Proxy (Burp extension)
• SimpleshoT: simple screenshot generator
• TIDoS Framework: The Offensive Web Application Penetration Testing Framework

Misc. pentest & bug bounty resources #

• Why You Shouldn’t Store Sensitive Data in JavaScript Files
• Android-Reports-and-Resources: A big list of Android Hackerone disclosed reports and other resources
• Inside look at modern web browser (part 1) & Part 2
• Top Firewall Misconfigurations that Lead to Easy Exploitations by Attackers

Non technical #

• Search for Simone: A social media investigation
• Hacker Q&A with André Baptista: From CTF Champ to h1-202 MVH
• A Bug Bounty Hunter Tells All

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/14/2018 to 09/21/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…