The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on September 24, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 13 to 20 of September.
This tutorial explains how to find IDORs that are less obvious than just incrementing an ID. The techniques mentioned can be very helpful especially in the context of bug bounty.
Some of them are testing encoded & hashed IDs, adding an ID to the request even if the app didn’t ask for it, changing the request method, etc.
Also, IDOR and self-XSS combined can lead to stored XSS, increasing the impact of the IDOR.
Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)
@YoKoAcc, @JRs_Faisal and Tomi teamed up and found a whole bunch of bugs on a private program. They share multiple writeups that each explains different bugs.
This one is interesting because of the weird race condition. Here are my main takeaways:
They couldn’t find any flaws in the main file upload functionality. But the file edit functionality allowed them to change already uploaded files to any extension (including PHP!). Nice way to get unrestricted file upload…
So they could upload Web shells, but didn’t get RCE because uploaded files were moved to AWS after 2 seconds! And here is the weird part: for some reason, the request that modified the uploaded file was vulnerable to a race condition. By sending multiple requests, the server returned the file’s location (before it is moved to AWS). So in the short window where the file was still on the server, they got a reverse shell by requesting the file in a browser.
Not sure why this is happening, but it’s interesting to see a race condition help get RCE via file upload!
Most tools that help with XSS detection are limited because they rely on server response reflection.
The only other tool I’ve seen efficiently help with this was DOMinator Pro, but it was commercial and I can’t find it online anymore. So it is awesome to have a free open source alternative!
I really enjoyed reading this article. After 2 months of bug hunting, @Unknownuser1806 shares 6 problems he faced and how he solved them.
They revolve around productivity and mental health. I feel that we can easily lose sight of these topics when we get engrossed in hacking. Burnout is never that far… So the refresher is great! It’s also nice to see the specific tools a fellow bug hunter found helpful: Engross App, Habitica, Evernote/Diary, Morning habits, meditation & exercise.
- While registering account there’s no fields like address or about me, but they’re exist on the page where you can edit your info after registering account. Try to add them while registering another account and paste payloads in values, this can bypass (XSS/injection) protection
There’s not much to comment here, the tips are self-explanatory.
I’ve never encountered these ideas before and think they’re worth adding to any Web testing methodology!
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/13/2019 to 09/20/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…