The 5 Hacking NewsLetter 107
Posted in Newsletter on May 27, 2020
Posted in Newsletter on January 14, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 03 to 10 of January.
The first video is about an interesting SSRF that was tricky to exploit. @NahamSec explains why it is important to identify the backend, and how to do it: make it fetch an image or iframe from a server you control and inspect the request that arrives (its User-Agent and other headers reveal the library behind the feature). In this case, the backend was WeasyPrint. Since it is open source, analyzing its code helped find a tag which was not blacklisted and could be used to read internal and external resources.
The second video taught me 3 new helpful tips on Burp Repeater:
The first writeup is about an impressive XSSI found on PayPal’s login form. It goes beyond simple detection and proof of concept, to show how this can be exploited to take over user accounts. This is also a good opportunity to revisit this old but excellent introduction to XSSI: Cross-Site Script Inclusion: A Fameless but Widespread Web Vulnerability Class.
The second writeup shows how multiple bugs (such as open redirect and SSRF) can be chained to significantly increase the impact.
SameSite cookies are not yet the end of CSRF. Chrome’s new default treats cookies that carry no SameSite attribute as Lax, but with a special exception called “Lax + POST”: for the first 2 minutes after such a cookie is set, it is still sent on top-level cross-site POST requests. In other words, there is a window of 2 minutes where users relying on the default are vulnerable to POST CSRF exactly as before (cookies that explicitly set SameSite=Lax do not get this exception). @RenwaX23 explains some ways in which this behavior can be exploited in real-life attacks. He also provides a challenge if you want to play with this.
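The following is an added model of the browser’s decision to attach a cookie to a cross-site request, including the Lax+POST exception; it is a simplification written for this issue, not Chromium code or anything from @RenwaX23’s post. The 120-second window and the default-to-Lax rule follow Chrome’s documented behaviour; the `cookie` and `request` shapes are assumptions made for the example.

```javascript
// Added example: a model of whether a cookie is sent on a given request.
// Assumption: this mirrors Chrome 80+ behaviour (default Lax, Lax+POST
// exception for cookies set < 2 minutes ago, SameSite=None requires Secure).
const LAX_POST_WINDOW_MS = 2 * 60 * 1000;
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure, setAt }  (setAt: ms epoch)
// request: { crossSite: bool, topLevel: bool, method: string }
// now:     ms epoch at the time of the request
function cookieIsSent(cookie, request, now) {
  if (!request.crossSite) return true; // same-site requests always carry the cookie
  const safe = SAFE_METHODS.includes(request.method.toUpperCase());
  switch (cookie.sameSite) {
    case 'None':
      return cookie.secure === true; // SameSite=None is rejected without Secure
    case 'Strict':
      return false; // never on cross-site requests
    case 'Lax':
      return request.topLevel && safe; // top-level navigations with safe methods only
    default: {
      // No attribute: treated as Lax, plus the Lax+POST exception.
      if (request.topLevel && safe) return true;
      const ageMs = now - cookie.setAt;
      return request.topLevel && request.method.toUpperCase() === 'POST' && ageMs < LAX_POST_WINDOW_MS;
    }
  }
}

// A classic auto-submitting cross-site form is a top-level cross-site POST.
function csrfWindowOpen(cookie, now) {
  return cookieIsSent(cookie, { crossSite: true, topLevel: true, method: 'POST' }, now);
}

// Constructed scenario: a session cookie set at t0 with no SameSite attribute.
const t0 = 1000000;
const defaultCookie = { setAt: t0 };
console.log('CSRF 60s after login:', csrfWindowOpen(defaultCookie, t0 + 60 * 1000));   // true
console.log('CSRF 3min after login:', csrfWindowOpen(defaultCookie, t0 + 180 * 1000)); // false
```

The practical consequence for an attacker is timing: the POST CSRF must land within two minutes of the session cookie being (re)set, which is why the real-life attacks in the post revolve around forcing a fresh login or a cookie refresh first. For a defender, the fix is to set SameSite explicitly and keep a per-request CSRF token; the default alone is not a CSRF defence.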
The second tutorial is excellent if you want to start leveraging Unicode for bypassing XSS and SQL injection filters.
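As an added illustration of the idea behind that tutorial (this is constructed for the newsletter, not code from the tutorial itself), the example below shows the ordering bug that Unicode-based bypasses rely on: a filter inspects the raw input, but a later stage (a framework, a database collation, a templating layer) applies NFKC normalization, turning fullwidth characters into the ASCII `<`, `>` and `'` the filter was looking for. The filter and pipeline functions are hypothetical; the normalization results are standard Unicode behaviour.

```javascript
// Added example: Unicode compatibility characters bypassing a raw-input filter.
// Assumption: some component downstream of the filter normalizes to NFKC,
// which maps fullwidth forms (U+FF01..U+FF5E) to their ASCII equivalents.

// Constructed payloads: fullwidth "<script>" and a fullwidth apostrophe.
const FULLWIDTH_XSS = '\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E'; // ＜script＞alert(1)＜/script＞
const FULLWIDTH_SQLI = 'admin\uFF07 OR 1=1--';                         // admin＇ OR 1=1--

const XSS_PATTERN = /<\s*script/i;
const SQL_QUOTE_PATTERN = /'/;

// A typical blacklist: rejects anything that looks like a script tag or
// contains a single quote. Deliberately naive, to show the ordering problem.
function naiveFilter(input) {
  return !XSS_PATTERN.test(input) && !SQL_QUOTE_PATTERN.test(input);
}

// Vulnerable order: validate the raw bytes, normalize afterwards.
function vulnerablePipeline(input) {
  if (!naiveFilter(input)) return { accepted: false, stored: null };
  const stored = input.normalize('NFKC'); // what actually reaches the sink
  return { accepted: true, stored };
}

// Hardened order: normalize to the form the rest of the system uses first,
// then validate (and, for real code, still encode output / parameterize SQL).
function hardenedPipeline(input) {
  const normalized = input.normalize('NFKC');
  if (!naiveFilter(normalized)) return { accepted: false, stored: null };
  return { accepted: true, stored: normalized };
}

console.log(vulnerablePipeline(FULLWIDTH_XSS));  // accepted, stored "<script>alert(1)</script>"
console.log(hardenedPipeline(FULLWIDTH_XSS));    // rejected
```

The same trick works with other compatibility mappings (ligatures, superscript digits, Kelvin sign K for ASCII k), so when hunting, look for any place where input is normalized, case-folded or transliterated after validation. When defending, normalize once at the boundary, validate the normalized value, and treat a blacklist as a last line of defence behind output encoding and parameterized queries.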
The need for note making and an organized methodology in Bug Bounty Hunting
@sharathsanketh makes the case for maintaining a written organized methodology. He gives concrete examples of taking notes on CSRF and “Forgot password” bugs.
And most importantly, he explains an essential idea for beginners: No one will give you a ready-to-use complete methodology. You have to read, do deep searches (especially on Twitter) and take notes of anything you learn so that it is not just passive reading.
Nowadays the question is not “Where will I find information?”, but rather “How can I exploit it effectively?”
Burp Share Requests is a Burp Suite extension that allows you to share requests with another Burp user. Useful for collaboration or sharing information with triagers! To use it, right-click on any request you want to share, click on “create link” and share the generated link. When the other person opens the link (with the same extension installed), it imports the request into their Burp.
ReconNess seems fantastic for bug bounty. It’s an open source Web app that helps organize recon and is easily extensible. You can add targets, notes, and agents to run any commands (for asset enumeration, port scanning, directory bruteforce, etc.). Custom-built Bash scripts achieve the same results, but this GUI tool can make the process much more pleasant.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/03/2020 to 01/10/2020.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…