Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 23 to 30 of November.

Our favorite 5 hacking items #

1. Resource of the week #

WAF/IPS/DLP bypass Cheat Sheet

This is a cheat sheet of techniques for bypassing Web Application Firewalls. It might be useful and help you find bugs that others have missed.

Some of the techniques using double Host headers or double Content-Type headers, entering the HTTP method in lowercase or including tabs, etc.

2. Writeup of the week #

XSS on Instagram

I love how simple yet creative this finding is!

Facebook and Instagram store photos/videos on their CDN subdomains *.fbcdn.net. These URLs can’t be accessed directly without any parameters (“Access denied” error). And hashes sent as GET parameters protect from request tampering (for e.g. modifying file extensions).

A workaround to bypass all these checks is to access the same files through the subdomain’s CNAME record, https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html:
instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.

This allows access to any file while bypassing signature checks and without specifying any parameters. Even expired links are accessible!

3. Tool of the week #

BLH Plugin

Broken Link Hijacking Burp Extension is a very nice addition to any bug hunter’s arsenal.

Every time a broken link is detected while you’re testing a target, it is reported as an issue. Then you can test all links for link hijacking, as explained in “Broken Link Hijacking - How expired links can be exploited.” by @EdOverflow.

4. Article of the week #

Abuse MITM possible regardless of HTTPS

Wide use of HTTPS makes Man-in-The-Middle attacks harder to perform today. But they are still possible, as HTTPS can be bypassed if CORS, postMessage, HSTS and WebSockets are not used properly.

This article gives examples of what can go wrong and how HTTPS can be bypassed.

5. Tutorial of the week #

Tcpdump Examples: 50 Practical Recipes for Everyday Tasks

I always forget tcpdump and wireshark filters and syntax. So this list of 50 tcpdump recipes is very handy.

It includes things like: how to display only IPv6 traffic, how to filter traffic by IP, port, protocol or network, how to find HTTP hosts, cookies, user agents, cleartext passwords & more.

Other amazing things we stumbled upon this week #

Videos #

• HackerOne Hacker Interviews: @rohk
• HackerOne Hacker Interviews: @d0nut

Podcasts #

• Why Do Bug Bounty Hunters Do What They Do? We Asked Them.
• Darknet Diaries Ep 27: Chartbreakers
• The History of OWASP (S04E18)
• Unusual Gathering Podcast featuring Casey Ellis and Liz Wharton
• ZeroDayLive Episode 1- PhotoBox- When Stu Met Stuart
• Are Third-Party Vendors Your Biggest Cybersecurity Risk? — CyberSpeak Podcast
• Cybersecurity: Kerckhoffs’ Principle & why attack is the best form of defence

Conferences #

• 13 Life as an iOS Attacker (TenSec 2018)

Slides only #

• Bugbounty Programs
• A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter

Tutorials #

Medium to advanced #

• Escalating SSRF in a Vulnerable Jira Instance to RCE via Docker Engine API
• Impersonating users by abusing broken “Sign in with” implementations
• Fragmented SQL Injection Attacks – The Solution

Beginners corner #

• Learn vim For the Last Time
• Metasploit Basics, Part 21: Post Exploitation with mimikatz
• JAVA RMI (Remote Method Invocation) Exploitation with Metasploit Framework
• Cracking linux full disc encryption, luks with hashcat
• How to hunt insecure CORS…
• CORS attacks

Writeups #

Challenge writeups #

• BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
• NodeJS SSRF by Response Splitting — ASIS CTF Finals 2018 — Proxy-Proxy Question Walkthrough
• Android Hook by Frida— ASIS CTF Final 2018 — Gunshop Questions Walkthrough
• PLC Bug Hunt

Pentest & Responsible disclosure writeups #

• CVE-2018-17612: Certificate Management Vulnerability in Sennheiser HeadSetup

Bug bounty writeups #

• Stored XSS on HackerOne ($2,500)
• SQL injection on HackerOne
• Insufficient Session Expiration on HackerOne ($500)
• 2FA bypass on Instagram
• Logic flaw on Facebook ($750)

See more writeups on The list of bug bounty writeups.

Tools #

If you don’t have time #

• brute-sqlcipher: Bash script for brute-forcing encrypted sqlite databases (on mobile devices for example)
• weirdAAL: WeirdAAL (AWS Attack Library) & AWS EC2 instance userData
• EyeWitness updated: Get screenshots of websites and server header info, identify default credentials if possible. What’s new:

EyeWitness no longer has the “—headless”, it now only has “—web” for web screenshots. This uses Firefox in the backend and runs it headlessly, so this will still work on a headless server!

More tools, if you have time #

• Infection Monkey: Automated pentest tool / Open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
• XSShell: An XSS reverse shell framework in GO
• Shellver: Reverse Shell Cheat Sheet Tool
• CCAT (Cisco Config Analysis Tool): Tool which analyzes the configuration files of Cisco devices based on the Cisco Guide to Harden Cisco IOS Devices

Misc. pentest & bug bounty resources #

• PHP Security Advent Calendar 2018
• fuzz.txt: Potentially dangerous files
• cloud_metadata.txt: Cloud Metadata Dictionary useful for SSRF Testing
• hak.lnk: Project “hak.lnk” - Resource Links For Hackers
• Free, online & interactive @teamKatacoda course on monitor mode, WPA cracking & tshark
• Reddit r/InfoSecInsiders
• List of Google Advanced Search Engine Queries/Dorks

Articles #

• The Difference Between URLs and URIs
• Top 30 Penetration Tester (Pentester) Interview Questions and Answers for 2019

News #

• Introducing Hacker Dashboard: Your personalized HackerOne overview: A personalized overview of your accepted & pending invitations for private programs, plus a feature to bookmark your favorite programs
• The Writable Files API: Simplifying local file access: Allows users to choose files or directories that a web app can interact with on the native file system
• Open Source: It’s turtles all the way down.: A hacker managed to become administrator of an open source NodeJS package by befriending its original developer, then injected malware to steal Bitcoin

Non technical #

• How to balance full-time work with creative projects
• Let’s talk 22nd century: human hacking & cloud security

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/23/2018 to 11/30/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…