Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 5 to 12 of October.

Our favorite 5 hacking items #

1. Book of the week #

The Art of Subdomain Enumeration by Appsecco

The folks from Appsecco regularly share great information and tools on recon and particularly subdomain enumeration, including two LevelUp talks and now this free book. I highly recommend it, but make sure to take notes and integrate the different techniques into your subdomain enumeration methodology to benefit from it.

2. Writeup of the week #

How I hacked modern Vending Machines

This was a fun read! It’s a bug found on a vending machine’s Android app: anyone could buy stuff with a zero-credit account.

It’s a nice example of reverse engineering an Android app, detecting and exploiting weak database encryption.

3. Tool of the week #

Certstream by Cali Dog Security

There are a lot of tools to monitor Certificate Transparency logs nowadays. Although I already use some of them like Censys, Crt.sh & Facebook’s CT monitoring tool, I immediately added this one to my methodology because it presents a stream that is updated with SSL certificates in real time!

You can interact with the CT log stream using libraries provided in Python, Javascript, Go or Java.

4. Video of the week #

Eliminating False Assumptions in Bug Bounties by Frans Rosén @fransrosen (OWASP Stockholm)

This is a relatively short talk but the advice given is gold, especially if you are new to bug hunting. Frans talks about ups and downs of bug bounty and some tips to avoid dupes, N/As and boredom.

For example, he recommends hunting on old programs with a large attack surface like Google, Facebook or Yahoo because they put up new code all the time and are less tested since most newbies go for the new programs.

5. Resource of the week #

XSS Cheat Sheet by @brutelogic

This is a good cheatsheet that can be helpful if you’re stuck with an XSS filter or learning about this type of bugs.

It contains a list of XSS payloads broken down by context (HTML, JavaScript, File Upload, DOM…), exploitation examples and other tips all related to XSS.

Other amazing things we stumbled upon this week #

Videos, Conferences & Podcasts #

Conferences #

• Crowdsourced Security by Yassine Aboukir (BSides Belfast 2018)

Slides only #

• Hacktivity 2018
  • Hunting for bugs in AEM webapps by Mikhail Egorov @0ang3el
  • The Mate Escape - Huawei Pwn2Owning & Whitepaper by Alex Plaskett & James Loureiro

Tutorials #

Medium to advanced #

• Bypassing WAFs and cracking XOR with Hackvertor
• The Rise of C# and using Kali as a C2 Server with SILENTTRINITY
• Kerberoasting: Stealing Service Account Credentials
• A Deep Dive into Serverless Attacks, SLS-1: Event Injection

Beginners corner #

• IoT Penetration Testing Part 1
• Web App Pentest Cheat Sheet
• How to Collect OSINT from Unlisted Pastes on Pastebin
• My First Burp Suite Extension

Writeups #

• Jolokia Vulnerabilities - RCE & XSS
• How I found a way to view paid content on an online streaming website for free?
• An Ethical Hacking Story — The Yummy Days Case

Tools #

If you don’t have time #

• NNDefaccts: nnposter’s alternate fingerprint dataset for Nmap script http-default-accounts
• Metadata-Attacker: A tool to generate media files (.jpg, .mp3, .mp4) with malicious metadata like XSS vectors

More tools, if you have time #

• ReconDog: Reconnaissance Swiss Army Knife
• Atlas: Quick SQLMap Tamper Suggester
• Andrax: A penetration testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a Linux distribution
• Unc0ver: Directory Fuzzer for Pentesting and Host Recon
• KEIHash: A program to parse pcap files and calculate the KEIHash of SSH connections to fingerprint them
• XXRF-Shots: Useful for testing SSRF vulnerability
• AutoRDPwn: The Shadow Attack Framework
• MicroBurst: A collection of scripts for assessing Microsoft Azure security
• domain_hunter: A Burp Suite Extender that search sub domain and similar domain from sitemap,get related domains from certification
• tcpbin: Very crude and poorly written HTTP(s) and SMTP bin. It sets up TCP sockets on ports 80(http), 443(https), 25(smtp) to listen for incoming data. Then it dumps these to a log folder which can be viewed on port 8000(https).

Misc. pentest & bug bounty resources #

• Top 10 Web Hacking Techniques of 2017
• List of Operating Systems for OSINT (Open-Source Intelligence)
• Awesome Google Drive OSINT Folder

Challenges #

• Magic XSS with two parameters challenge

News #

• Retesting (beta): Each hacker that participates in the retest of a vulnerabilitywill receive a $100 bounty upon completion
• Developing the Researcher Experience on Bugcrowd
• Project Strobe

We discovered a bug in one of the Google+ People APIs:

• Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
• The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

Non technical #

• Introduction to Internet of Things (IoT)

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/05/2018 to 10/12/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…