The 5 Hacking NewsLetter 28
Posted in Newsletter on November 19, 2018
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from November 9 to November 16.
Our favorite 5 hacking items
1. Conference of the week
DEF CON 26 Recon Village, particularly:
I wasn’t sure if the DEF CON Recon Village talks were going to be made public. Boy, was I happy to see them shared on YouTube!
I was rooting especially for:
- Jason Haddix’s latest methodology & tools for recon (but slides are missing)
- More information on how BountyMachine works. Sadly it won’t be open sourced :/
All the talks are interesting since they focus on recon in a very practical way.
2. Writeup of the week
When an XSS payload is injected inside a hidden input field, it can be hard to exploit. Until now, one way to do it was using CSS expression(), but that only worked on IE <= 9.
This writeup shows a new technique to exploit such XSS bugs on Firefox and Chrome:
<input type="hidden" accesskey="X" onclick="alert(1)"> (Firefox)
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Chrome)
The payload is executed once the victim presses the key combination ALT+SHIFT+X (on Windows & Linux) or CTRL+ALT+X (on Mac OS X).
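As an added defensive example (not code from the newsletter or the linked writeup), here is a small Python sanitizer built on the standard library's html.parser. It drops accesskey and every inline on* handler from every element, hidden or not, and reports each tag where the two were combined; the sample markup is constructed here and contains the two payload shapes above.

```python
import html
from html.parser import HTMLParser

# Constructed sample (not from the writeup): a benign accesskey on a visible
# field, the two payload shapes from the writeup, and a plain button.
SAMPLE = ('<form><input type="text" name="q" accesskey="s">'
          '<input type="hidden" name="token" accesskey="X" onclick="alert(1)">'
          '<link rel="canonical" accesskey="X" onclick="alert(1)" />'
          '<button onclick="go()">Go</button></form>')

class AccessKeySanitizer(HTMLParser):
    """Re-serialises markup, dropping accesskey and every on* attribute on
    every element (hidden or not), and records each tag where accesskey was
    paired with a handler: a shortcut can fire it without any click."""

    def __init__(self):
        super().__init__()
        self.out, self.findings = [], []

    def _open(self, tag, attrs, self_closing):
        names = [n.lower() for n, _ in attrs]
        handlers = sorted(n for n in names if n.startswith("on"))
        if "accesskey" in names and handlers:
            self.findings.append((tag.lower(), handlers))
        kept = [(n, v) for n, v in attrs
                if n.lower() != "accesskey" and not n.lower().startswith("on")]
        rendered = "".join(" %s" % n if v is None else
                           ' %s="%s"' % (n, html.escape(v, quote=True))
                           for n, v in kept)
        self.out.append("<%s%s%s>" % (tag, rendered, " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_html(markup):
    """Return (sanitized_markup, findings) for an HTML fragment."""
    p = AccessKeySanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.findings
```

Calling sanitize_html(SAMPLE) flags the hidden input and the link tag, and returns the form with both attribute kinds stripped while name, type and rel survive.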
3. Tool of the week
This is a very impressive script. It allows you to bypass all SSL certificate checks on any Android app, including SSL pinning.
Playing with Android apps’ source code and different SSL pinning bypass techniques can be fun and educational. But sometimes we’re in a hurry and just want to get rid of SSL pinning to start looking for bugs. It’s never been this easy!
All you have to do is install Frida, download the script and run it on the app’s package name.
It’s almost instantaneous and you don’t have to meddle with the app’s code, re-patch it, etc.
4. Tip of the week
This is a great tip for finding less obvious blind XSS vulnerabilities: Don’t limit yourself to testing forms. Find contact email addresses (by scraping your target site or guessing), and send your payload to them (in subject & body).
Sometimes the forms are well sanitized but the email messages are not and they’re added to the same admin portals.
5. Non technical item of the week
This is a great account of what went wrong during a pentest… for the pentester, because the target was doing their job well!
I don’t want to spoil it. I’ll just say that it reminds me of the Stealing the Network books. It’s both a (little bit) technical & a very entertaining read.
Other amazing things we stumbled upon this week
- Identifying Good Research to actually Learn Something - Cross-site Scripting
- Hacker Breaks Down 26 Hacking Scenes From Movies & TV | WIRED
- Web Hacking Pro Tips #4 with Jason Haddix: Ghostscript
- Securing the Internet-of-Things (IoT) — CyberSpeak Podcast
Conferences & Webcasts
Medium to advanced
- Debug Decompiled Smali Code in Android Studio 3.2
- Oat2Dex | Android Pentesting
- The Powerful Resource of PHP Stream Wrappers
- Abusing insecure docker deployments
- [Video] Proof of Concept: CVE-2018-2894 Oracle WebLogic RCE
- Some of My Favorite Shell Aliases From Over the Years
- Understanding Xxe From Basic To Blind
- Cisco Smart Installs and Why They’re Not “Informational”
- Web Proxy Penetration Lab Setup Testing using Squid
- Socks Proxy Penetration Lab Setup using Microsocks
- Comprehensive Guide on Cewl Tool
- Comprehensive Guide on Hydra – A Brute Forcing Tool
- Exposed Sonos Webinterface
Pentest & Responsible disclosure writeups
- 0-Day in ELBA5’s Network Installation: Overtaking your company’s bank account
- Taking Advantage of AJAX for Account Enumeration
- How we found more than 1.5M user credentials on a public website with Google Dorks queries
Bug bounty writeups
- Ghost Emails: Hacking Gmail’s UX to Hide the Sender
- Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends
- Clickjacking on Google ($7,500)
- Content spoofing on TTS Bug Bounty ($300)
- Mixed content on Casper ($50 for mixed content!)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Swagger-EZ & Tutorial: Simplifying API Pentesting With OpenAPI definitions
- PHP_imap_open_exploit: 0-day exploit in PHP that allows bypassing disabled exec functions by using a call to imap_open (Debian & Ubuntu)
- GraphQLParser: A Burp Suite extension for detecting, parsing and scanning (pentesting) GraphQL-based applications
- New Spiderfoot modules including a SpiderFoot module to query an (unofficial) HackerOne repo for vulnerability disclosures about your target
- SwiftnessX: A cross-platform note-taking & target-tracking app for penetration testers (Windows & Linux)
More tools, if you have time
- Burp Theme Patcher: A tool to simplify the creation of Burp Suite Themes
- hate_crack: A tool for automating cracking methodologies through Hashcat from the TrustedSec team
- Osmedeus: Automatic Reconnaissance & Scanning, includes many modules for: subdomain enumeration, subdomain takeover, screenshots, port scanning, git recon, brute-force & more
- ZIP File Raider: Burp Extension for ZIP File Payload Testing
- SMWYG-Show-Me-What-You-Got: Search https://gotcha.pw for the 1.4 billion clear-text credentials that were dumped as part of the BreachCompilation leak. Useful for OSINT and reconnaissance on an organisation or an individual
- Djangohunter: Tool designed to help identify incorrectly configured Django applications that are exposing sensitive information
- DeepSearch: Advanced web directory scanner
- BabySploit: Beginner Pentesting Toolkit/Framework Written in Python
- wifi_plug: Python script that downloads & installs wifi pentest tools
- CloudBunny: Tool to capture the real IP of a server that uses a WAF as a proxy or protection. It queries three search engines for domain information: Shodan, Censys & ZoomEye
- Apkatshu: Tool for extracting URLs, emails, IP addresses and other interesting data from APK files
- gOSINT: OSINT Swiss Army Knife
Misc. pentest & bug bounty resources
- xss_payloads: XSS payloads for edge cases
- OWASP DevSlop site, OWASP DevSlop project & OWASP DevSlop Show: New OWASP project, site & YouTube channel. A collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
Bug bounty news
- Integrate HackerOne directly into your website with Embedded Submissions
- Bugcrowd Releases Vulnerability Rating Taxonomy 1.6: “Misconfiguration or missing DMARC and protection against email spoofing” are now considered more serious (P3/P4)
- I found a security hole in Steam that gave me every game’s license keys and all I got was this… oh nice: $20,000
- How a Nigerian ISP Accidentally Knocked Google Offline
- Most ATMs can be hacked in under 20 minutes
- A leaky database of SMS text messages exposed password resets and two-factor codes
- Clarion call: New cybersecurity declaration receives widespread global support: The Paris Call is not legally binding… “we agree on reconvening at the Paris Peace Forum in 2019 and at the IGF in Berlin in 2019”
- Ruby taken off the rails by deserialization exploit
- Top 5 Factors That Increase Cyber Security Salary the Most
- The Motherboard Guide to Not Getting Hacked (version 3.0)
- Fear and hacking on the bug bounty trail
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/09/2018 to 11/16/2018
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…