Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 02 to 09 of November.

Our favorite 5 hacking items #

1. Conference of the week #

Wild West Hackin’ Fest 2018, especially:

• Hack for Show, Report for Dough
• The Top 10 Reasons It’s GREAT to Be a Pen Tester… And How You Can Help Fix that PROBLEM
• What to Expect When You Are Expecting…a Penetration Test

Wild West Hackin’ Fest is a relatively new security conference by Black Hills Security, a company known for its penetration testing services.I’ve already shared with you many of their high-quality webcasts on penetration testing.

This time, it’s no different. These 3 talks present pentesting tips, tricks, and traps. They could help if you’re considering becoming a professional pentester.

2. Writeup of the week #

Evernote For Windows Read Local File and Command Execute Vulnerabilities

This is a write-up for a stored XSS affecting the Evernote desktop app (version 6.14). The bug itself is simple:

• Create a note & add a picture to it
• Rename the picture to: " onclick="alert(1)">.jpg
• The JS payload will execute every time you open the note
• Share the note with other Evernote users (This isn’t a self-XSS)

Since the JavaScript runs in the context of a desktop app, it can retrieve local files (LFI) and execute commands (RCE).

An XSS leading to RCE is unusual since it is a client-side vulnerability. I think it’s really cool!

3. Resource of the week #

Getting started in Bug Bounty

This is one of the best guides to get started in bug bounty I’ve seen out there! It lists many Twitter & Github accounts to follow, blogs, books, etc.

In addition to technical references, it also encompasses essential non technical advice like:

No one will be able to tell you everything about this field, It’s a long path but you have to travel it alone with help from others. “Do not expect someone will spoon feed you everything.”

This can’t be overstated…

4. Non technical item of the week #

On Empathy in Security

This is a nice piece on security & empathy.

It particularly resonated with me because one of the first things I learned as an IT security auditor was the right posture to adopt with a client or auditee: Never make fun of their bugs or lack of security on their products. Never make them feel inferior just because they didn’t know how to properly secure an asset. Explaining bugs, risks and mitigation is what will help them improve their overall security, not a bad attitude.

So empathy in security actully makes a lot of sense.

Empathy towards attackers too, though it might seem weird. I’m reminded of an article I’ve read recently (but can’t find anymore) on cryptocurrency theft. Someone was contacted by a young blackhat. They talked for hours and the victim managed to get back all his money just by talking with and showing genuine empathy to the hacker. He was just a young guy in a bad situation.

5. Tip of the week #

Passive DNS for the Bad

This is a simple yet effective trick. It’s for when you find IP addresses with open Web ports (80, 443, 8080…), that can’t be accessed directly. If the server uses a reverse proxy and blocks access by IP, you will have to find the right hostnames resolving to the IP you have.

Passive DNS databases (like DNSDB) are a good resource to get hostnames from IPs and maybe access endpoints that other hunters/pentesters might have missed.

Other amazing things we stumbled upon this week #

Podcasts #

• Podcast Episode 118: White Hat Eye on the Gaming Guy
• Two Sides to a Bug Bounty: The Researcher and The Program (S04E15)

Conference Slides #

• Browser history re:visited

Tutorials #

Medium to advanced #

• Android Command Line Reverse Shell in Java
• Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
• Negative Impact of Incorrect CSP Implementations
• HP NonStop Basics
• Bypassing Android FLAG_SECURE using FRIDA

Beginners corner #

• Tunneling scanners (or really anything) over SSH
• Hardening Website Security – Part 1: HTTP Security Headers
• Proxy Fiddler Through Burp
• How to deploy modern TLS in 2018?
• Metasploit Basics, Part 19: Web Delivery for Windows

Writeups #

Pentest & Responsible disclosure writeups #

• Security issues on ArtChain
• Disclosing Multiple Gamasutra Vulnerabilities

Bug bounty writeups #

• Unauthenticated RSFTP to Command Injection
• Information disclosure on Twitter
• Ticket Trick on private program
• XSS on Paypal
• Logic flaw on Hackerone
• Information disclosure on Shopify
• Information disclosure on Hackerone

See more writeups on The list of bug bounty writeups.

Tools #

If you don’t have time #

• GetJS: a tool to extract all the javascript files from a set of given urls
• Arecibo & Tutorial: An Out-of-Band Exfiltration tool (DNS & HTTP)
• portscan (the tool’s source is in this page’s source code) & explanation: JavaScript port scanner
• Fofa: Another chinese Shodan
• Onyphe & Tutorial: Similar to Shodan. Also does automatic fingerprinting of malware on servers and IoT devices.

More tools, if you have time #

• HackerTarget ToolKit
• OSGiScanner: Scan for OSGi Consoles
• ffuf - Fuzz Faster U Fool: Fast web fuzzer written in Go
• burp-rest-api v2: REST/JSON API to the Burp Suite security tool
• XSStrike: Advanced XSS detection suite (new release)
• Djangohunter: Tool designed to help identify incorrectly configured Django applications that are exposing sensitive information
• FShell: Forward Shell, designed to get an interactive tty using remote code execution through a stageless protocol (eg HTTP)

Misc. pentest & bug bounty resources #

• Serverless Toolkit for Pentesters
• OWASP Serverless Top 10
• List of bug bounty platforms
• jsp-jstl-intruders.txt: JSP & JSTL parameters brute-force
• hackeronestatus.com & @HackerOneStatus: Get notified of issues on the Hackerone plaform
• What do we want? Vulnerabilities! What type do we want? Well…

Our community provides us with research, which we automate into our scanner and we reward the ethical hacker responsible for submitting the vulnerability every time it is found by our scanner.

Challenges #

• myHouse7: Vulnerable Virtual Machine with multiple docker images to practice pivoting across 4 different networks with 7 different machines
• OWASP Juice Shop v8.0.0

News #

• New Android API Lets Developers Push Updates Within their Apps

The API has been designed to aggressively inform users about the latest available updates and give them a smooth in-app installation experience without closing the app or opening the Google Play Store.

• Bug Bounty Hunter Ran ISP Doxing Service

A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom firms for finding/reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data

• Self-encrypting SSDs can easily be cracked

The researchers’ findings undermine the conventional wisdom that hardware-based encryption offers superior protection than software-based encryption. Business and consumers are advised not to rely on hardware encryption alone and to add software encryption, such as the free and open source VeraCrypt software package or similar alternatives, in order to safeguard their data.

• Apache Struts users have to update FileUpload library to fix years-old flaws

Non technical #

• Infosec Problems For 2019 and Beyond: Patching, Bug Bounties and Hype
• Community Update – Private Invites, Kudos, Leaderboards, Platform and Swag.
• Hacker education, inclusivity, and shifting perceptions of bug bounties

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/02/2018 to 11/09/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…