Hey hackers! These are our favorite resources shared last week by hackers, pentesters, bug hunters and red teamers.
This issue covers the week from 10 to 17 of August.
Our favorite 5 hacking items
1. Tips/Video of the week
Burp Hacks for Bounty Hunters by James Kettle (@albinowax)
These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!
The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp pro for years and wasn’t aware of many of these hacks.
2. Tutorial of the week
@EdOverflow’s Guide To Subdomain Takeovers by EdOverflow
This is a great introduction to subdomain takeovers for bug hunters: what they are, the difference with second-order subdomain takeovers, the methodology and tools to detect them, multiple exploitation scenarios, etc.
3. Writeup of the week
This is a writeup of a bug found on Amazon. It is a real life example of the vulnerability presented at Black Hat USA 2018: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out.
Here are my main takeaways:
- Vuln 1: When Nuxeo is used with Tomcat, it is possible to bypass authentication by requesting /nuxeo/login.jsp;/..;/[unauthorized_area] (Equivalent of /nuxeo/[unauthorized_area]). But you get a 500 error
- Vuln 2: It is possible to access unauthorized Seam servlets by using (user.username is the Expression Language (EL) you want to execute)
- Vuln 3: By chaining two ELs, it is possible to execute an arbitrary EL (the second one) if you can control the value returned by the first one
- Vuln 4: It is possible to bypass Seam’s EL blacklist by changing
- By combining these 4 vulnerabilities, it is possible to inject shellcode (in JBoss EL) and get an RCE
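The path-normalization discrepancy behind Vuln 1 (the backend treats "/nuxeo/login.jsp;/..;/x" as "/nuxeo/x" while a front-end that authorizes on the raw path still sees a request for login.jsp) is the kind of thing worth checking for in proxy logs. Below is an added detection example; it is not from the writeup, nor from the Nuxeo or Tomcat projects. It models the backend's simplified view of a path (strip ";" path parameters per segment, then resolve dot segments), compares it with what a naive prefix-based front-end rule would allow, and scans constructed log lines. PUBLIC_PATHS, PROTECTED_PREFIXES, SAMPLE_LOG, the log format and the function names are all assumptions made for the example.

```python
"""Flag requests whose backend-normalized path reaches a protected area
that a raw-path front-end rule would have let through.

Added example (not from the writeup, Nuxeo or Tomcat). The backend model
is deliberately simplified: it mirrors the writeup's observation that
'/nuxeo/login.jsp;/..;/x' is served as '/nuxeo/x', not Tomcat's code.
"""
import re
from urllib.parse import unquote

# Constructed assumptions: the application's public entry point(s) and the
# prefix under which everything else requires authentication.
PUBLIC_PATHS = {"/nuxeo/login.jsp"}
PROTECTED_PREFIXES = ("/nuxeo/",)


def backend_view(raw_path: str) -> str:
    """Model how the backend resolves a request path: drop the query string,
    percent-decode once, strip ';'-delimited path parameters from every
    segment, then collapse '.' and '..' segments."""
    path = unquote(raw_path.split("?", 1)[0])
    resolved = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # ';jsessionid=...' and ';' alone are dropped
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def analyze(raw_path: str) -> dict:
    """Compare the naive front-end decision (prefix match on the raw path)
    with where the backend actually routes the request."""
    raw = raw_path.split("?", 1)[0]
    normalized = backend_view(raw)
    naive_allowed = any(raw.startswith(p) for p in PUBLIC_PATHS)
    backend_protected = (
        normalized not in PUBLIC_PATHS and normalized.startswith(PROTECTED_PREFIXES)
    )
    return {
        "raw": raw,
        "backend_view": normalized,
        # True whenever path parameters or dot segments changed the path
        "mismatch": normalized != (raw.rstrip("/") or "/"),
        # True only when the front-end would allow it and the backend would
        # land it on a protected resource: the bypass case
        "bypass": naive_allowed and backend_protected,
    }


# Constructed log lines in a common access-log layout (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2018:10:00:01 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200
10.0.0.5 - - [12/Aug/2018:10:00:02 +0000] "GET /nuxeo/login.jsp;/..;/admin/settings HTTP/1.1" 500
10.0.0.7 - - [12/Aug/2018:10:00:03 +0000] "GET /nuxeo/login.jsp;jsessionid=ABC HTTP/1.1" 200
10.0.0.9 - - [12/Aug/2018:10:00:04 +0000] "GET /nuxeo/admin/settings HTTP/1.1" 403
"""

LOG_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')


def scan_log(text: str) -> list:
    """Return the analysis records for every request that looks like a bypass."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        result = analyze(m.group(1))
        if result["bypass"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"bypass: {hit['raw']} -> backend sees {hit['backend_view']}")
```

Note that the ordinary ";jsessionid=..." request is reported as a mismatch but not as a bypass, which is the distinction a detection rule needs to avoid drowning in false positives. The mitigation that follows from the model is to make the authorization decision on the same normalized path the backend uses, rather than on the raw request line.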
4. Conference of the week
BSides Manchester 2018, especially:
- Practical Web Cache Poisoning: Redefining ‘Unexploitable’ by James Kettle (BSidesMCR 2018)
- It’s A PHP Unserialization Vulnerability Jim, But Not As We Know It by Sam Thomas & Slides
- How CTF Mindset Will Hurt You As A Penetration Tester by Idan Ron
- Cracking The Perimeter: How Red Teams Penetrate by Dominic Chell
- Diversity In InfoSec (Not That Sort!) by Victoria Walberg
- Adventures In WAF by Michael Thompson
- Hospitals And Infosec: The Consequences of Bad Security in Health Care by Jelena Milosevic
- Social Engineering Tales Of Pirate Queen by Sharka
It’s been a while since conference videos pertaining to pentest/bug bounty/red team were released. So it was refreshing to watch some of these talks (instead of just reading slides). Some are very technical and advanced, and others are not technical but are still informative. So there should be something for everyone here.
5. Non technical item of the week
This is not the kind of music I usually listen to. For hacking/work, I listen exclusively to electro music like Kygo, Avicii or the underrated Vexento.
But I always enjoy discovering new tracks through Defcon music albums. I think they’re great if you’re looking for “hacker music” that is not too hardcore.
Other amazing things we stumbled upon this week
Stuff to watch/listen to
- HackerOne Hacker Interviews: @GeekBoy by HackerOne
- InSecurity Podcast: Katie Moussouris Breaks Down Bug Bounty Programs
- Ep. 22, Amazing adventures of the RedactedFirm by The Many Hats Club
- Tangled World of Web Technology ― Are we safe?
- AppSec EU 2018
- BSides SATX
- BSides LV
- DEF CON Media Server
- Presentation slides & demos
- Workshop slides
- Black Hat USA 2018*
* To find slides for other talks, just search for site:https://i.blackhat.com/us-18 in Google
- Remotely Enumerate Anti-Virus Configurations
- Trust no one: TrustKit SSL pinning bypass
- One new Burp Suite feature presented every day
- Discovering CVE-2018-11512 - wityCMS 0.6.1 Persistent XSS
- Sudo Date…Thanks For Read Access To Every Non-Binary File
- I thought I found a browser security bug
- OpenSSH Username Enumeration & Proof of Concept
If you don’t have time
- Massh-enum: OpenSSH 7.x Mass Username Enumeration
- param-miner: Burp extension to identify hidden, unlinked parameters (useful for finding web cache poisoning vulnerabilities)
I didn't have space to discuss this in my talk, but Param Miner is a seriously powerful general purpose tool for finding that extra bit of overlooked attack surface https://t.co/wFbqgN9Xzx— James Kettle (@albinowax) August 13, 2018
If you have the RAM, I highly recommend enabling 'learn observed words' :)
More tools, if you have time
- Singularity of Origin: A DNS Rebinding Attack Framework
- ScanCannon: Combines the speed of masscan with the reliability and detailed enumeration of nmap
- Gopherus: Generates gopher link for exploiting SSRF and gaining RCE in various servers & Detailed description
- No-Script Automation Tool: Designed to solve the complexity and management issues of scripting multiple tools, batch files or other scripting languages on Windows systems
- Sippts: Set of tools to audit SIP based VoIP Systems
- RidRelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv
- hideNsneak: A CLI for ephemeral penetration testing
Misc. pentest & bug bounty resources
- [technical] Pen-testing resources
- http-state-tokens: Ideas for tightening HTTP state management
A little challenge for all you hackery people :) DM me your solutions https://t.co/UKoLd3bqLR— TomNomNom (@TomNomNom) August 12, 2018
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/10/2018 to 08/17/2018
Have a nice weekend folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…