The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on May 14, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 3 to 10 of May.
This is a great lab if you want to practice finding authentication vulnerabilities. There are 5 bugs: IP based authentication bypass, Timing attack, Client side auth, Leaky JWT and JWT Signature Disclosure (CVE-2019-7644).
Also, if stuck, check out the walkthroughs. I don’t want to read them before doing the challenges but they seem detailed (like 5 articles in 1!).
Information disclosure on Shopify ($802.20)
This is a fun report! The vulnerability is that a GraphQL endpoint reveals sensitive information without authentication: that’s the internal beer consumption (brands & quantities left) at Shopify’s offices.
What’s interesting is how @eraymitrani found the vulnerable GraphQL endpoint. I highly recommend reading the summary where he explains it.
Basically, he saw in a previous report by @rijalrojan that Shopify had an exposed GraphQL endpoint. So he set out to find other exposed endpoints, following these steps:
query string not presenterror
content-type:header to the post request
If you’re always hearing about chaining bugs and wondering how to do it in practice, this is a good example.
Self-XSS and login CSRF are generally not paying bugs by themselves. But, combined, they become more dangerous and worthy of a bounty.
The attack scenario in this case is to enter the XSS payload in the address details of the attacker’s account, and make the victim open this account using the login CSRF. When the victim buys something and wants to select the delivery address, the XSS payload is triggered.
As its name indicates, this is an awesome asset discovery list. In other words, it’s a list of resources to help find all kinds of assets for organization: IP addresses, (sub)domains, emails, open ports, cloud infrastructure, business communication infrastructure, data leaks, source code aggregators, and more.
Some of the tools mentioned are classics that you probably already use, but you might also discover something new!
This is a nice introduction to bug bounty. But even if you’re not a beginner, some resources mentioned might be helpful. Personally, I didn’t know of dkimsc4n (a DKIM scanner) and can’t wait to try it.
Also, thanks for mentioning Pentester Land @vavkamil!
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/03/2019 to 05/10/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…