Hey hackers! These are our favorite resources pertaining to pentesting and bug hunting for last week.

It covers the period from 28 of September to 05 of October.

Our favorite 5 hacking items #

1. Resource of the week #

Mobile Security Testing Guide (MSTG) v1.0.1 by OWASP

This is an awesome guide on mobile security testing! I’ve been reading through it because I’m preparing a training on Android hacking and it is very good quality information on hacking Android & iOS apps for both beginners and experienced testers.

2. Writeup of the week #

Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature by japz

What an amazing finding! By chaining two features, it is possible to create a business logic bug that allows anyone to receive all private invites without any user interaction:

• Sending an email to the security@ email in the program’s page automatically triggers h1’s system to send you an invite
• Then leaving the private program triggers the system to send you fast-tracked invites in the next 24 hours

If you can only read one writeup this week, this is an excellent candidate for 2 reasons: It demonstrates real out-of-the-box thinking, and I love how the researcher politely questioned hackerone’s decision to close it as a duplicate and how @jobertabma took the time to explain their decision. So the bug went from dup to triaged with $2,500 and swag!

3. Tool of the week #

Gurp by @joan_bono

This is a Golang command-line interface to Burp Suite’s REST API.

I haven’t yet played with Burp’s new REST API, because of so many projects lined up and things to learn. But it like the idea of using the API from a command line. Sometimes, many URLs or apps have similar endpoints. So I’d create scripts for some specific tests (to detect open redirects, bruteforce Basic authentication, etc), and run them against the list of targets. It could be done using the API directly, but I’m more comfortable with the CLI.

4. Conference of the week #

DerbyCon 2018, especially:

• Extending Burp to Find Struts and XXE Vulnerabilities
• Android App Penetration Testing 101
• Web app testing classroom in a box - the good, the bad and the ugly
• Hacking Mobile Applications with Frida
• Ninja Looting Like a Pirate
• Web App 101: Getting the lay of the land
• Breaking Into Your Building: A Hackers Guide to Unauthorized Access

There are so many interesting talks in Derbycon 2018! Some are technical, some fun, with a huge variety of topics (red teaming, pentesting, web apps security, mobile security, active directory hacking, buffer owerflows, physical security, social engineering…). I couldn’t list all talks I find interesting here as usual, so check the playlist. You will surely learn something!

5. Site of the week #

Application Security Wiki by @exploitprotocol & @abhibundela

This is a new wiki which compiles resources on many subjects related to Web application security: books, vulnerable apps for training, recon, and tutorials, tools & writeups for each type of vulnerability…

I like going through this kind of sites because they gather a lot of information and good references in the same place, categorized by subject which saves a lot of time. It’s kind of what I do with this weekly newsletter but presented differently!

Other amazing things we stumbled upon this week #

Videos, Conferences & Podcasts #

Videos #

• HackerOne Hacker Interviews: @ngalog

Podcasts #

• Why You Should Rethink Using Facebook To Sign On To Websites (Security in 5)

Conferences #

• BruCON 0x0A, especially:
  • Social engineering for penetration testers by Sharon Conheady
  • All Your Cloud Are Belong To Us – Hunting Compromise in Azure by Nate Warfield
• Security BSides Athens 2018, especially:
  • T1 03 This is a serious laptop; No games and chatting possible OK? - Yiannis Koukouras & Slides

Slides only #

• Introduction to Web Application Security - Blackhoodie US 2018
• c:> whoami /priv [show me your privileges and I will lead you to SYSTEM]

Tutorials #

Medium to advanced #

• Bypassing Web Cache Poisoning Countermeasures
• Squid proxy server for penetration testing drop boxes
• Better Web-Pentesting in Windows with AHK
• From Local File Inclusion to Remote Code Execution - Part 2
• Pentesting and .hta (bypass PowerShell Constrained Language Mode)
• SmartDec smart contract audit beginner’s guide
• Pentesting IoT devices (Part 2: Dynamic Analysis)
• How I Cracked a 128-bit Password
• A timing attack with CSS selectors and Javascript
• AWS IAM Enumeration 2.0: Bypassing CloudTrail Logging

Beginners corner #

• Open Source Intelligence Gathering: Techniques, Automation, and Visualization
• Grep Extractor a Burp Extender
• Hiding from Bash history
• Web Appsec — Part 1 — Same Origin Policy
• Popping shells on Splunk
• Violating Your Personal Space with Webex
• Convert nmap Scans into Beautiful HTML Pages
• Windows Privilege Escalation via Unquoted Service Paths
• Multiple Ways to Detect HTTP Options
• Hacking Sites With Cross-Site Request Forgery

Tools #

• TakeOver-v1: Takeover script extracts CNAME record of all subdomains at once. TakeOver saves researcher time and increase the chance of finding subdomain takeover vulnerability.
• NodeXP: Server Side Javascript Injection tool capable of detecting and exploiting Node.js vulnerabilities
• AES Killer: Burp plugin to decrypt AES Encrypted traffic of mobile apps on fly
• known_hosts-hashcat: A guide and tool for cracking ssh known_hosts files with hashcat
• James Kettle’s extensive header wordlists for Param Miner

Misc. pentest & bug bounty resources #

• Learning Web App-Sec at PentesterLab
• Privilege Escalation & Post-Exploitation
• Subdomains Enumeration: New cheatsheet for Subdomains enumeration on PayloadsAllTheThings
• Darth Sidious: Building an Active Directory domain and hacking it
• Clientside Exploitation in 2018 - How Pentesting Has Changed
• The Art of Subdomain Enumeration (book) & supplement material
• Web App Pentest Cheat Sheet
• Iframe busters lead to XSS on 2% of all websites
• Analyzing Impact of WWW Subdomain on Cookie Security

News #

• ‘Check behind you – hackers are always watching’
• Paper over the Kracks: New techniques can bypass WPA2 flaw mitigations

Challenges #

• XSS challenge:

Non technical #

• A Career in Information Security: FAQ (Part 2)
• Maintaining a semblance of privacy while looking for a job
• The leaderboard and kudos: Evolving for the good of the Crowd and our customers
• The Inconvenient Truth About Your Eight-Character Password

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/28/2018 to 10/05/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…