The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on September 10, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 30 of August to 06 of September.
DerbyCon 9, especially:
- To CORS! The cause of, and solution to, your SPA problems! & CORS Exploitation Framework (CEF)
- REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure
- Assumed Breach: A Better Model for Penetration Testing
- Kerberoasting Revisited
- Old Tools, New Tricks: Hacking WebSockets
- Full Steam Ahead: Serverless Hacking 101
- Red Team Methodology: A Naked Look
- API Keys, Now What?Taking the Pen Test Into the Amazon Cloud
- Red Team Level over 9000! Fusing the powah of .NET with a scripting language of your choosing: introducing BYOI (Bring Your own Interpreter) payloads.
DerbyCon 9 had so many good talks! I’m particularly interested in the ones on CORS, Kerberoasting, WebSOckets, GraphQL, Serverless, API security & red teaming, but many other topics were discussed.
Too bad, this was the last DerbyCon conference!
Add new user with Admin permission and takeover the organization
This is the writeup a privilege escalation on a private program. Starting with a limited user account and no API documentation, the author was looking for admin endpoints.
He tried common ones like
/api/v2/user/… And noticed that existing and non-existing endpoints returned different HTTP codes.
api/v2/user returned a 405 (the method is not allowed). Changing the method from GET to POST, and adding all parameters reported missing by the server, he was able to construct a valid POST request and create a new user. But the reset password functionality didn’t work for that user until he passed the right value (found by bruteforce) to a specific parameter during user creation.
Then he was able to create an admin user by adding “role”=”admin” to the request.
This whole process isn’t complicated but I love how the author relies on parameters guessing and bruteforce, and also chains multiple actions to find hidden functionality and overcome any obstacle faced.
The Same Origin Policy is an essential concept for Web app testers. This article presents the results of research on SOP and CORS on different browsers, as well as 2 CSRF bugs and how CSRF and SOP are related.
The author’s conclusion: “do not use IE or Edge”… They violate the SOP standard, which makes them more vulnerable.
This is a great tool for Github recon. I’ve never seen one like it for two reasons: it does live monitoring with Slack notifications, and it searches all Github not only organization repositories. So even if a developer has a profile that is not explicitly linked to your target organization, gitGrabber will still search for secrets in this repository.
The syntax is basically
gitGraber.py -k KEYWORDSFILE -q QUERY, where QUERY can be your target organization (e.g. yahoo) and KEYWORDSFILE is a file containing keywords like access_key, password, auth…
The tool looks for sensitive data for several online services (Google, Amazon, Paypal, Github, Mailgun, Stripe…) based on regexes and notifies you when potentially sensitive information is found.
This livestreaming trend by bug hunters is getting crazy! I find it harder and harder to keep up with the pace. But these two videos are on the top of my list of things to watch this week.
@tomnomnom answers questions for more than 4 hours. They touch on everything from his peanut butter preferences to why he doesn’t do bug bounty full-time, burnout, VIM, getting into bug bounty, etc.
The stream by @NahamSec covers topics like asset discovery and API fuzzing, and a ~1 hour interview with @fransrosen. I’m a big fan of his, so it’s awesome to hear about his recon approach, research he’s working on, why he doesn’t automate everything, etc.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/30/2019 to 09/06/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…