Hey hackers! Here’s our collection of the best resources shared this week by pentesters & bug bounty hunters. It covers the week from to the 15th to the 22th of June.

Have a good reading!

Our favorite 5 hacking items #

1. Tutorial of the week #

Credential stealing with XSS without user interaction

This is not a new technique, but it’s a good exploitation scenario to show one pratical risk of XSS vulnerabilities. From experience, using <script>alert(0)</script> in pentest reports is not very convincing for clients.
I try to always include proof of concepts that show what exactly is possible on the particular context being tested: redirection, iframe inclusion, cookie theft, credentials theft from the browser, etc.

2. Writeup of the week #

Unrestricted File Upload at Apple.com by Jonathan Bouman

This is another example of why recon is the most important part of bug bounty hunting. The process is nicely detailed, from subdomain enumeration to analyzing results and detecting the vulnerable server, and will (maybe) help you improve your own methodology.

3. Conference of the week #

Area 41 2018, especially:

• Thomas Debize: Modern Pentest Tricks For Faster, Wider, Greater Engagements
• Lazy Ways To Own Networks by Nicolas Heiniger
• Red Team: Stories From The Trenches by Stefan Friedli and Michael Schneider
• Defense-In-Depth Techniques For Modern Web Applications by Spagnuolo and Weichselbaum
• Amit Dori: Chrome & WebRTC -eq Problems

I particularly loved Thomas Debize’s talk “Modern Pentest Tricks For Faster, Wider, Greater Engagements”! It presents a lot of valuable tips & tools for penetration testers, that I haven’t seen anywhere else. If you are a professional pentester (or want to be), these tricks would make your life easier.

4. (Free) book of the week #

Breaking into Information Security: Learning the Ropes 101 by Andrew Gill

This is a great (and free!) book for anyone starting in InfoSec or who wants to specialize in penetration testing or bug bounty hunting. There’s A LOT to learn, but don’t be overwhelmed. Just start with this introductory book, practice what you learn, read other technical books like Web Hacking 101 and continue practicing.

5. Non technical item of the week #

Cons of Bug Bounty

For anyone starting in bug bounty or thinking of doing it full time, knowing what can go wrong and how to deal with it is primordial. Start with this blog post, and also track other hunters’ feedback (on Twitter particularly) on their frustrations and which programs do not treat researchers fairly and are better avoided.

Other amazing things we stumbled upon this week #

Videos & Podcasts #

• WEBCAST: Testing G Suites with MailSniper
• Absolute AppSec Ep. #20 - Authentication & JWTs
• Storytime With Viss! Offensive Security Fails - Hak5 2414
• HITBSecConf: HITBSecConf 2018 CommSec Track, #HITB2018AMS & Slides, especially:
  • Faster, Wider, Greater: Modern Pentest Tricks by Thomas Debize
  • Brida: When Burp Suite meets Frida by Federico Dotta & Piergiovanni Cipolloni
  • Defense-in-Depth Techniques for Modern Web Apps by M. Spagnuolo & L. Weichselbaum
• The Evolution of Pen Testing

Tutorials #

Medium to advanced #

• Advanced CORS Exploitation Techniques
• CORS Lite
• AWS Privilege Escalation – Methods and Mitigation
• Deserialization Vulnerabilities: Attacking Deserialization in JS
• Shelling Apache Felix With Java Bundles
• Reverse Shell from an OpenVPN Configuration File
• How to bypass certificate validation (SSL pinning)
• Ancient “su - hostile” vulnerability in debian 8 and 9
• Attacking Private Networks from the Internet with DNS Rebinding

Beginners corner #

• Doing RECON the correct way
• Knoxss vs Burpsuite(A practical Demonstration)
• CVV #1: Local File Inclusion
• 7 Security Response Headers Every Security Tester Should Knowt
• All about Robots – All you need to know about robots.txt
• Reflected File Download(RFD) Vulnerability. What? How?
• SSL/TLS for dummies part 1 : Ciphersuite, Hashing,Encryption
• Linux Privilege Escalation by Exploiting Cronjobs

Writeups #

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• A User can change the personal details of any other user
• Internet of Insecure Things

Tools #

• Recon My Way by Sahil Ahamad: Repository created for personal use and added tools from my latest blog post. https://medium.com/@ehsahil
• CVE-2018-0296 by Yassine Aboukir: Script to test for Cisco ASA path traversal vulnerability (CVE-2018-0296)
• m2p.py by si9int: Convert your masscan-results (80,443,8080) into screenshots for better analysis
• command-injection-attacker by PortSwigger: SHELLING - a comprehensive OS command injection payload generator
• XSS’OR: Online website
• kconfig-hardened-check by Alexander Popov: A script for checking the hardening options in the Linux kernel config
• tld_scanner by ozzi: Scan all possible TLD’s for a given domain name
• house by nccgroup: A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/june/house-a-mobile-analysis-platform-built-on-frida/
• merge-nmap-masscan by anshumanbh: Merge results from NMAP and Masscan into one CSV file
• mod0BurpUploadScanner by modzero: UploadScanner Burp extension - HTTP file upload scanner for Burp Proxy / Upload Scanner
• similar-request-excluder by tijme: A Burp Suite extension that automatically marks similar requests as ‘out-of-scope’. https://finnwea.com
• SubOver by Ice3man543: A Powerful Subdomain Takeover Tool
• Using IPv6 to Bypass Security (tool)
• ADAPE-Script by Ryan Haus: Active Directory Assessment and Privilege Escalation Script
• LinEnum by rebootuser: Scripted Local Enumeration & Privilege Escalation Checks

Misc. pentest & bug bounty resources #

• Awesome Penetration Testing: List of awesome penetration testing resources, tools and other shiny things
• Awesome Web Security: A curated list of Web Security materials and resources. https://awesomelists.top/#/repos/qazbnm456/awesome-web-security
• Default passwords from CIRT website (https://cirt.net/passwords) formatted in a Markdown table
• Personal RSS feed - Reading list
• Hashcat 4.10 Cheat Sheet v 1.2018.1
• Security Tools for AWS
• Week in OSINT #2018-24
• kmkz/Pentesting/Pentest-cheat-sheet
• Day of Shecurity 2018

Challenges & Training #

• HackerOne CTF

Non technical #

• My Tactical Advice for Clearing Depression
• Hacking how-to’s: Developing your process
• Top Five Actions NOT to Take When Your Pentest Results are High Risk
• My Path to Security – How Kelly Albrink Got Into Cybersecurity
• Three necessary non-technical skills you can work on right now to get ahead in the information technology field
• From Scans to Adversary Emulation, Pentesting is Evolving Rapidly
• Getting Paid for Breaking Things: The Fundamentals of Bug Bounty

Twitter feeds #

• @CtfReminder
• @TheBugBot

Tweets #

More tweets (Tips) #

See you next time!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…