Hey hackers! Here are our favorite resources shared this week by pentesters & bug bounty hunters. It covers the week from the 22nd to the 28th of June.
There are some goodies in this one, it was a lot of fun to compile it.
Our favorite 5 hacking items
1. Videos of the week
I absolutely LOVE watching these interviews! They’re not too long and remind me of a non technical version of Bugbountyforum’s AMAs.
I am in the process of becoming a full-time pentester/bug bounty hunter/independent security researcher. This is my passion and 100% what I want & need, but it involves a lot of work and some loneliness in the sense that almost all people around me do not even understand what I do. So watching these amazing people tell their own stories inspires me to keep going on and makes me feel I’m part of a beautiful community.
2. Tool of the week
Testssl.sh is great and should be used for penetration tests but it has room for improvement for scalability reasons.
In my last corporate job, we sometimes had to test hundreds of targets at the same time and generate a detailed report for all findings. It is impossible to do by reading testssl.sh’s results manually!
So we developed an internal script to run it on as many targets as needed, parse its results and output a CSV file containing:
- One target per line
- One security question per column (Weak SSL/TLS algorithm supported, known vulnerabilities, invalid certificate…)
We could then include this table directly in our reports.
Sadly, I cannot publicly disclose this tool because, although I participated in its development, it is not mine to publish.
So I highly recommend IDontSpeakSSL. It’s very similar: it also parses the results of testssl.sh and generates an HTML report of all the findings.
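As an added illustration of the aggregation described above (example code written for this newsletter, not the internal tool or IDontSpeakSSL), here is a small parser that turns testssl.sh's flat `--jsonfile` output for several targets into the one-target-per-line, one-question-per-column CSV. The JSON field names (id, ip, port, severity, finding) and check ids are my understanding of testssl.sh's format and should be treated as an assumption; the sample findings are constructed.

```python
import csv
import io
import json
from collections import defaultdict
# Constructed sample of testssl.sh --jsonfile output for two targets (not real scan data);
# the flat format's fields (id, ip, port, severity, finding) are an assumption about testssl.sh.
SAMPLE_JSON = json.dumps([
    {"id": "SSLv3", "ip": "a.example/192.0.2.10", "port": "443", "severity": "HIGH", "finding": "offered"},
    {"id": "heartbleed", "ip": "a.example/192.0.2.10", "port": "443", "severity": "OK", "finding": "not vulnerable"},
    {"id": "cert_expirationStatus", "ip": "a.example/192.0.2.10", "port": "443", "severity": "CRITICAL", "finding": "expired"},
    {"id": "SSLv3", "ip": "b.example/192.0.2.11", "port": "443", "severity": "OK", "finding": "not offered"},
    {"id": "POODLE_SSL", "ip": "b.example/192.0.2.11", "port": "443", "severity": "OK", "finding": "not vulnerable"},
    {"id": "cert_expirationStatus", "ip": "b.example/192.0.2.11", "port": "443", "severity": "OK", "finding": "254 days"},
])

# Report columns ("security questions") and the testssl.sh check ids that feed each one.
COLUMNS = ["weak_protocol", "known_vulnerability", "certificate_issue"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1", "TLS1_1"}
VULNERABILITIES = {"heartbleed", "CCS", "ticketbleed", "ROBOT", "POODLE_SSL", "DROWN", "BEAST", "SWEET32"}
NOT_OK = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}  # severities worth reporting

def classify(check_id):
    """Return the report column a testssl.sh check id belongs to, or None if it is not reported."""
    if check_id in WEAK_PROTOCOLS:
        return "weak_protocol"
    if check_id in VULNERABILITIES:
        return "known_vulnerability"
    if check_id.startswith("cert"):
        return "certificate_issue"
    return None

def summarize(json_text):
    """Map 'host:port' -> {column: 'id: finding; ...'}, keeping only findings rated LOW or worse."""
    rows = defaultdict(lambda: {c: "" for c in COLUMNS})
    for entry in json.loads(json_text):
        target = entry["ip"].split("/")[0] + ":" + entry["port"]  # testssl writes ip as "host/addr"
        row = rows[target]  # touch the row so clean targets still get a line in the report
        column = classify(entry["id"])
        if column and entry["severity"] in NOT_OK:
            cell = f'{entry["id"]}: {entry["finding"]}'
            row[column] = f"{row[column]}; {cell}" if row[column] else cell
    return dict(rows)

def to_csv(summary):
    # One target per line, one security question per column, ready to paste into a report.
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["target", *COLUMNS])
    for target in sorted(summary):
        writer.writerow([target] + [summary[target][c] for c in COLUMNS])
    return out.getvalue()
```

On a real engagement you would concatenate the per-target JSON files before calling `summarize`, and extend the id sets to whatever checks your report template asks about.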
3. Writeup of the week
Bug hunting is a mind game. One of the pitfalls is thinking that, because a target was tested by hundreds of other bug hunters, there are no chances left to find other bugs.
But original thinkers will always find new bugs, and @zseano shares with us here his secret: we should develop reflexes like testing from different angles (changing user agents, devices, languages, sessions, etc.). Some of these actions may trigger the target to behave differently and introduce new bugs or entry points to attack.
4. Tutorial of the week
This is an awesome tutorial covering all the basics of subdomain takeover! There’s really nothing to say other than… please read it & take notes!
I also recommend reading this writeup by the same author, which shows how he exploited such a vulnerability on Microsoft Azure.
5. Non technical item of the week
This is a comprehensive lexicon of cybersecurity-related terms and acronyms. The first time I came across words like AMA, OSGi, QA, UX, etc., I was afraid to ask what they meant and did not have enough context to find their meaning using Google. This document would have been a time-saver!
Other amazing things we stumbled upon this week
Stuff to watch
- RuhrSec 2018: “Don’t trust the DOM: Breaking XSS mitigations via Script Gadgets”, Sebastian Lekies
- Layer 8 Conference
- BSides Cleveland 2018, especially:
  - A00 Hacking Your Happiness by Chris Gates
  - C01 Go hack yourself moving beyond assumption based security by Christine Stevenson
  - A03 Whats Changed In The New OWASP Top 10 by Bill Sempf
  - A04 Hacking Identity A Pen Testers Guide to IAM by Jerod Brennen
  - A06 Mobile Application Privacy and Analytics by Kevin Cody
  - B05 Evolving the Teaching of Pen Testing in Higher Ed by Robert Olson
  - A07 Hackers Hugs Drugs Mental Health in Infosec by Amanda Berlin
  - C04 Securing Code The Basics by Michael Mendez
Medium to advanced
- Subdomain Takeover: Basics
- SSL/TLS for dummies part 3 – Understanding Certificate Authority
- SSL/TLS for dummies part 2 – Understanding key exchange algorithm
- Executing Meterpreter on Windows 10 and Bypassing Antivirus
- Wordpress <= 4.9.6 Arbitrary File Deletion Vulnerability Exploit
- Playing with Relayed Credentials
- Bypassing SQL Server Logon Trigger Restrictions
- Event Injection: A New Serverless Attack Vector
- Exploiting inherited file handles in setUID programs
- Six security vulnerabilities from a year of HackerOne
- Metasploit Basics, Part 12: Creating RC Scripts
- From Zero to Technical Hero - Chapter 1
- Crossdomain Policy Jinx- False Positives
- CVV #2: Open Redirect
- What are Website Backdoors?
- Demonstrating Reflected versus DOM Based XSS
- Server Side Request Forgery (SSRF) Testing
- PowerShell For Pentesters Part 2: The essentials of PowerShell
- Pentesters Guide to PostgreSQL Hacking
- Postgres Hacking Part 2 — Code Execution
- Exploiting Wildcard for Privilege Escalation
- Escalating Privileges in Windows with PsExec and Netcat
You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about our curation process.
- Planet Fitness: a lazy coder’s way of verifying premium access
- Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users.
- DumpsterDiver by Pawel Rzepa: Tool to search secrets in various filetypes.
- OSINT YOGA
- Mass3: Quickly enumerate through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading.
- LeakScraper: An efficient set of tools to process and visualize huge text files containing credentials.
- JSgen.py: Bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
- androidre: Docker image for reverse engineering of Android applications.
Misc. pentest & bug bounty resources
- Appsec e-zine #228
- Red Teaming/Adversary Simulation Toolkit by Rahmat Nurfauzi: A collection of open source and commercial tools that aid in red team operations.
- Week in OSINT #2018–25
- OSINT Resource Classification System (ORCS)
I've just created a project called ORCS (OSINT Resource Classification System) (https://t.co/5qIjsJsdAy) to hopefully bring together OSINT bookmarking site/resource classification systems into a standard. #osint #threatintel — Micah (@WebBreacher) June 24, 2018
- Frequently Asked Questions About Bug Bounty Triage with Ryan Black (Bugcrowd)
- Dealing with Hard Problems
- What The Code of Hammurabi Can Teach Us About Hardware and Software Liability
- Subdomain autofill feature raises questions over LastPass security
- The Threats That Are Your Weakest Link
- I am a Hacker and proud of it
- Defining “Hacker” in 2018
- 70% of IT Pros Want to Redefine “Hacker” in the Cambridge Dictionary
- The Tesla Insider (Newsletter)
- I Did It For The Lulz
- Our Most Vulnerable Devices Are in Our Pockets
- Why Security Skills Should Be Taught, Not Hired
Good to follow
- @secjuice: Freelance writer collective. You can write for them!
- @TheManyHatsClub: Discord group. Get an invite.
Tweeted this week
We created a collection of our favorite pentest/bug bounty related tweets shared this week. You’re welcome to read it directly on Twitter.
Have a nice weekend folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…