The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on December 3, 2018
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 23 to 30 of November.
This is a cheat sheet of techniques for bypassing Web Application Firewalls. It might be useful and help you find bugs that others have missed.
Some of the techniques using double Host headers or double Content-Type headers, entering the HTTP method in lowercase or including tabs, etc.
I love how simple yet creative this finding is!
Facebook and Instagram store photos/videos on their CDN subdomains *.fbcdn.net. These URLs can’t be accessed directly without any parameters (“Access denied” error). And hashes sent as GET parameters protect from request tampering (for e.g. modifying file extensions).
A workaround to bypass all these checks is to access the same files through the subdomain’s CNAME record, https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html:
instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.
This allows access to any file while bypassing signature checks and without specifying any parameters. Even expired links are accessible!
Broken Link Hijacking Burp Extension is a very nice addition to any bug hunter’s arsenal.
Every time a broken link is detected while you’re testing a target, it is reported as an issue. Then you can test all links for link hijacking, as explained in “Broken Link Hijacking - How expired links can be exploited.” by @EdOverflow.
Wide use of HTTPS makes Man-in-The-Middle attacks harder to perform today. But they are still possible, as HTTPS can be bypassed if CORS, postMessage, HSTS and WebSockets are not used properly.
This article gives examples of what can go wrong and how HTTPS can be bypassed.
I always forget tcpdump and wireshark filters and syntax. So this list of 50 tcpdump recipes is very handy.
It includes things like: how to display only IPv6 traffic, how to filter traffic by IP, port, protocol or network, how to find HTTP hosts, cookies, user agents, cleartext passwords & more.
See more writeups on The list of bug bounty writeups.
EyeWitness no longer has the “—headless”, it now only has “—web” for web screenshots. This uses Firefox in the backend and runs it headlessly, so this will still work on a headless server!
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/23/2018 to 11/30/2018
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…