Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 07 to 14 of December.

Our favorite 5 hacking items #

1. Slides of the week #

Hidden Gems in APKs

This is a great resource to learn more on testing Android apps. A lot of interesting information can be gathered even if the talk itself isn’t available.

The presentation includes three parts:

1. How to analyze an APK and where to find vulnerable code
2. Two cases studies with many examples of vulnerabilities found on real apps, plus other random findings
3. Tools used: scanapk, kpa_esrever and kpa_esrever (couldn’t find them anywhere)

2. Writeup of the week #

XXE on private program

Wow, this is one impressive finding! I think that most hunters would have stopped testing this vulnerable endpoint after it returned a 404 error. But not @honoki.

He changed the HTTP method from GET to a POST and the Content-Type to application/xml (instead of text/xml). Seeing that the server responded differently, he started submitting different kinds of XML POST data and analyzing the responses until he got a blind XXE that he elevated to a root-level file read access.

All this with no documentation whatsoever on the endpoint and from a 404 page. Again, impressive!

3. Challenge & Tutorial of the week #

XSS challenge & Advanced JavaScript Injections (solution)

If you’ve ever wondered how complex XSS payloads are constructed, this challenge & tutorial are exactly what you need!

Start with the challenge then, if you couldn’t solve it, carefully read the tutorial. It breaks down how to detect the bug and construct a working payload step by step.

4. Non technical item of the week #

Darknet Diaries Ep 28: Unit 8200

This is the tale of Israel Unit 8200, Israel’s equivalent of the NSA. No matter on which side you stand regarding the Palestine/Israel conflict, this is an amazingly entertaining and insightful story.

It explains why a relatively small country such as Israel is so good at cybersecurity, why so many successful startups emerge there, and why mandatory military service can be a good thing for both individuals and the country (if done right).

Also, the narrator is so talented. This particular episode is a must watch.

5. Resource of the week #

APIsecurity.io Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast

Apisecurity.io is one of the rare newsletters I follow regularly. It’s a weekly publication focused on news related to API security.

I highly recommend it whether you are a pentester, bug hunter or developer interested in security.

Other amazing things we stumbled upon this week #

Videos #

• Hacker Interviews: Frederik (@stok)
• Server-Side Template Injection w/ Flask | Flaskcards [34] picoCTF 2018
• Hacking Competition in Zhengzhou China - Real World CTF Finals 2018
• Inside the Mind of a Hacker: Interview with @PhillipWylie
• Inside the Mind of a Hacker: Interview with @Hateshape
• Inside the Mind of a Hacker: Interview with @JRoch17
• Bugcrowd Researcher Miguel Regala AKA fisher
• Bugcrowd Researcher Inti De Ceukelaire AKA intidc
• Bugcrowd Researcher Shubham Shah AKA infosec_au
• Bugcrowd Researcher José Sousa AKA Jllas

Podcasts #

• Security In Five Podcast Episode 391 - Tools, Tips and Tricks - Gmail Email Address Trick

Conference slides #

• Bug bounty automation (Zero Nights 2018)

Tutorials #

Medium to advanced #

• iOS Pentesting Tools Part 2: Cycript
• PHP Type Juggling
• How to steal NTLMv2 hashes using file download vulnerability in web application
• Automating AD Enumeration
• Pass-the-Cache to Domain Compromise

Beginners corner #

• Tutorial – Universal Android SSL pinning in 10 minutes with FRIDA
• Multiple Ways to Exploit Tomcat Manager
• Enumerating AD infrastructure
• Shodan, Part 2: Finding Outdated and Vulnerable Systems Around the World

Writeups #

Challenge writeups #

• BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension

Pentest & Responsible disclosure writeups #

• phpMyAdmin (AllowArbitraryServer) Arbitrary File Read Vulnerability
• Get Freebies by Abusing the Android InApp Billing API & Watch Us Abuse the Android InApp Billing API in Fruit Ninja
• How I hacked live broadcasting systems with a left mouse click
• Preparing For a Burglary
• IDORs (Insecure Direct Object Reference) over Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 (CVE-2018–7690, CVE-2018–7691)
• Übersicht Remote Code Execution, Spotify takeover
• Persistent XSRF on Kubernetes Dashboard using Redhat Keycloak Gatekeeper on Microsof Azure

Bug bounty writeups #

• XXE with local DTD files
• XSS on Google
• Parameter tampering, Authorization flaw & IDOR on Google ($4,133.7)
• OAuth flaw on Twitter ($2,940)
• OAuth flaw on private program
• Subdomain takeover & OAuth flaw on Microsoft
• RCE on Facebook ($5,000)
• Information disclosure on HackerOne ($500)
• Authorization flaw on HackerOne ($2,500)

See more writeups on The list of bug bounty writeups.

Tools #

If you don’t have time #

• Exon/slackapi.py: Python script for extracting stuff from Slack using a leaked xoxp token
• AWSSigner: Burp Extension for AWS Signing
• Regex-Filter: Regex Filter on urls and files. Script for using gitleaks’s custom regex to scan both for github or anywhere(web or local)

More tools, if you have time #

• Dawnscanner: a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
• Cameradar: hacks its way into RTSP videosurveillance cameras
• DevAudit: Open-source, cross-platform, multi-purpose security auditing tool
• htrace.sh: Simple shell script for debugging http/https connection tracing, response headers and mixed-content. Scanning domain using Nmap NSE Library. Support external security tools: testssl.sh, Mozilla Observatory and SSL Labs API
• Pentest tools presented at Black Hat Europe 2018 Arsenal:
  • Kube-hunter: Pentest Platform for Kubernetes Environments
  • Astra: Automated Security Testing For REST API’s
  • DeepExploit: Fully automatic penetration test tool using Machine Learning
  • OWASP Nettacker: Automated Penetration Testing Framework
  • XSSER: From XSS to RCE

Misc. pentest & bug bounty resources #

• The Book of Secret Knowledge: A collection of awesome lists, manuals, blogs, hacks, one-liners, cli/web tools and more.
• Unofficial Google VRP group by @phwd

Articles #

• My Bucket’s Got a Hole in it - Cloud Storage vs Security
• In(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal
• How i became bug hunter without computer
• Hacking 101: An Ethical Hackers Guide for Getting from Beginner to Professional
• Passwords
• Kanye West tops the charts for year’s worst password pratfall

Challenges #

• Small XSS challenge by @RenwaX23

News #

• Hacktivity Disclosure for Private Programs

Vulnerability reports can now be disclosed within a private program. “Within a program” means the report will only be disclosed to other hackers participating in the private program, and not the entire World

• Android Trojan steals money from PayPal accounts even with 2FA on
• Equifax report megathread while I’m on lunch!
• YouTube is reading text in users’ videos

During the video, those URLs were visible in the address bar. It seemed that YouTube had run OCR (optical character recognition) across my entire video and decided to crawl the links within.

• Expediting changes to Google+

With respect to this API (ed Google+ API), apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.

• Electric Vehicle Charging Stations Open to IoT Attacks: A mobile app for remotely controlling a charging station is vulnerable to authentication bypass and buffer overflows. Attackers could stop a car’s charging process or start a fire by increasing the maximum current that can be consumed during charging.
• Hackers bypassed Gmail & Yahoo’s 2FA to target US officials

As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password.

• New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps: Facebook gave developers access to private & unposted photos by mistake. This includes those shared on Marketplace or Facebook Stories (instead of only public photos shared on users’ timeline). So 1,500 third-party apps had access to the unposted Facebook photos of as many as 6.8 million users.
• How one hacked laptop led to an entire network being compromised

Non technical #

• Inside the mind of a hacker 2019 Edition & Key findings
• If your bug bounty program is private, why do you have it?
• Best of 2018: Top Career Advice from our Cyber Security Professionals
• Hawl! Gonny Gee Me a Puddy Up?!
• Hacker Spotlight – Rachel Tobac

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/07/2018 to 12/14/2018

Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…