The 5 Hacking NewsLetter 11

Hey hackers! Here are our favorite resources for penetration testers and bug bounty hunters for last week (June 29 to July 6).

Our favorite 5 hacking items

1. Podcast of the week

Web Hacking Pro Tips #16 with Bull by Peter Yaworski

I loved watching this podcast! The story of Bull (@v0sx9b) is impressive: he’s a self-taught full-time bug bounty hunter since only 2016 and already making a lot of money. So it’s good to listen to his hunting philosophy and tips.

For example, he focuses on big bugs and doesn’t report small ones, but rather keeps them to chain them and report higher impact bugs. This way, he reports 6/7 bugs a month on average but with high criticality & reward.

2. Tool of the week

h1-search by David Sopas

This is a handy tool for bug hunters. It’ll allow you to quickly grab all publicly disclosed reports of any HackerOne program you are working on.

3. Writeup of the week

The $12,000 Intersection between Clickjacking, XSS, and Denial of Service by Sam Curry

This is a great write-up on how to find high reward bugs on a target that has been tested by hundreds or thousands of other researchers. The tricks mentioned include:

How to bypass an open redirect filter using the //external.site trick
Why you should try both external & internal links when testing for open redirection
How to cause client Denial of Service with %0t
How to create awesome XSS PoCs using clickjacking and highlighting the information that can be stolen (web sockets session stored within the browser’s local storage)

4. Tip of the week

Free Lists - Bug Bounty

This is a new mailing list started by EdOverflow. You can browse the archive and read many good tips for bug hunters like how to escalate stored XSS for a better reward, great subdomain takeover tricks, etc.

5. Non technical item of the week

A Brief History Of Kiwicon Visual Design

Both the contents and the design of this poster are great. It sums up all the excuses I heard from clients as an internal security auditor then pentester.

The first time I saw it, it made me laugh and feel comforted because I felt less alone in this fight against the false obstacles and excuses.

Other amazing things we stumbled upon this week

Stuff to watch/listen to

Videos

Live Web Exploratory Technical Testing Session Example

Podcasts

Conferences

S13 A presentation or presentations because presenting Jason Blanchard
OWASP AppSecEU 2018 – Attacking “Modern” Web Technologies (Slides only)
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour (Slides only)
HIP_2018_The_Past_Present_Future_of_Enterprise_Security.pdf (Slides only)

Tutorials

Medium to advanced

Beginners corner

Writeups

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

Tools

If you don’t have time

Defcon Demo Labs: Many great tools, see my blog post on how to install them to start playing with them
The Majestic Million: Free alternative to Alexa
Hacks by @EdOverflow: Some random scripts. Just trying to be like the cool kids.
Hunter: Find email addresses in seconds, for when you need to drop a responsible disclosure and need to find their CTO
Hackability: Probe a rendering engine for vulnerabilities and other features by https://portswigger.net

More tools, if you have time

Sn1per: Automated Pentest Recon Scanner https://xerosecurity.com (Community & Pro versions)
https://buckets.grayhatwarfare.com/: Online tool to search for Open Amazon s3 buckets
- How to search for Open Amazon s3 Buckets and their contents — https://buckets.grayhatwarfare.com
SSHReverseShell: Reverse Shell over SSH
CVE-2018-0296: Script to test for Cisco ASA path traversal vulnerability (CVE-2018-0296)
JSgen.py: bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
evil-ssdp: Abusing SSDP/UPNP on Windows networks to phish inside Windows Explorer. How to spawn spoofed devices on machines across the LAN, tricking users into visiting a phishing page and capturing the NTLM hash.
Dangerous Methods: A Burp Suite Professional extension for finding the use of potentially dangerous methods/functions in Javascript, jQuery, AngularJS, and others.
TP-Link-defaults: Python script for trying default passwords for some TP-Link Hotspots
domain_hunter: A Burp Suite Extender that search sub domain and similar domain from sitemap
Simple Twitter Profile Analyzer: Tweets metadata scraper & activity analyzer
RouterSploit: Exploitation Framework for Embedded Devices
Msldap: LDAP library for auditing MS AD
Recon using Crt.sh: Perform recon on domains using certificate transparency

Hello folks.! I was working on to create an automated script to gather unique host names from https://t.co/iD06whZgHc and resolve it into the ip. Do check and contribute. https://t.co/qy8GnD0AWe
— The_Maniac (@h4ckologic) June 29, 2018

Burp NTLM Challenge Decoder: Burp extension to decode NTLM SSP headers and extract domain/host information

Wrote my first Burp Extension! Got real tired of using obscure (and often sub-par) python scripts to dump domain Metadata during engagements. https://t.co/3yIIeRzfcD
— Louis Dion-Marcil (@ldionmarcil) June 29, 2018

Misc. pentest & bug bounty resources

Cloud Metadata Dictionary useful for SSRF Testing by Jason Haddix
Hacks by @EdOverflow - Some random scripts. Just trying to be like the cool kids.
Week in OSINT — #2018-26
Penetration Testing Tools Repo: Penetration Testing tools - one repo to clone them all… containing latest pen testing tools
FreeLists - Bug Bounty mailing list
Awesome Ninja Admins: A collection of awesome lists, manuals, blogs, hacks, one-liners and tools for Awesome Ninja Admins
Awesome macOS open source applications: Awesome list of open source applications for macOS
[DRAFT] Recon.JSON - A JSON-based Recon Data Standard: Recon.json is a project dedicated to creating a flexible and consistent JSON format across popular recon tools.
The Easiest Metasploit Guide You’ll Ever Read - An Introduction to Metasploit, featuring VMWare Workstation Pro, Kali Linux, Nessus, and Metasploitable 2 (PDF) / HTML version
OWASP Mobile Security Testing Guide - 1.0 Release (Free)

Challenges

http://leettime.net/xsslab1/chalg1.php

XSS Lab1: https://t.co/ewaYrG5iSo
Payload: <script>alert(document.URL)</ script>, I hope this could help you #XSS #openbugbounty #bugbounty pic.twitter.com/s47Yo9KrtQ
— deb_security (@deb_security) June 29, 2018

https://aspnetctf.asitename.com/sqli_test.aspx

Here is my SQLi ASPNet CTF - pre #AppSecEU 2018: https://t.co/z60ksS2TAJ - hosted on a new server now - dare to challenge yourself even further? through CloudFlare WAF using: https://t.co/g0gzKyzewm Looking forward to see you at https://t.co/VTK4TZOYdO @NCCGroupInfosec https://t.co/isKcs9JKkU
— Soroush Dalili (@irsdl) July 1, 2018

Windows / Linux Local Privilege Escalation Workshop
I have created a CTF. First one to figure it out and get through it, I'll get you a $10 Amazon GC. Good luck.#pentest #ctf #cybersecurity #infosec
— HackerPom (@InfoSec_Pom) July 4, 2018
http://xss.stackchk.fail/

I came across an interesting technique when working on @0x6D6172696F XSS challenge this year. I couldn't really find a direct reference to it anywhere, so I made a challenge: https://t.co/BtSs2xkh4j Your goal is to bypass the XSS auditor on up to date chrome and alert the cookie
— itszn (@itszn13) June 26, 2018

Non technical

Tweeted this week

We created a collection of our favorite pentest/bug bounty related tweets shared this week. You’re welcome to read it directly on Twitter.

Have a nice weekend folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…

Share this article

pentest bug bounty web app security 5 Hacking NewsLetter news hacking resources websec resources