The 5 Hacking NewsLetter 17

Hey hackers! These are our favorite resources related to pentesting and bug hunters that we came across recently.

This issue covers the week from 17 to 24 of August.

T5HN16.png

Our favorite 5 hacking items

1. Tutorial of the week

How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)

This is a great tutorial on how to set up an automated subdomain takeover scanner “Franz-Rosén style”. The author uses subfinder to find subdomains and Subover to check for subdomain takeover, but you could easily modify the BASH script suggested to add other subdomain tools (like Amass or Massdns).

2. Writeup of the week

Remote Code Execution on a Facebook server by Daniel Le Gall (@Blaklis_)

Daniel Le Gall found a Facebook Django server with debug mode enabled. Sometimes stacktraces are not directly exploitable but in this case, Daniel noticed interesting environment variables that allowed him to forge his own session and therefore execute arbitrary commands on the server. From “technical information disclosure” to RCE, for $5,000!

3. Tool of the week

FindSubDomains: Online tool for subdomains lookup

I’m still playing with this site to determine if it adds value to my current process for finding new subdomains. But this is a nice tool anyway because it allows you to quickly obtain a list of subdomains for when you’re in a hurry or do not have a good network connection to run tools like Amass or Massdns.

4. Tips of the week

Unusual cases of reflected XSS by Mikhail Klyuchnikov (@__Mn1__)

These two unsual reflected XSS cases are nice examples of thinking out of the box to find new XSS flaws on sites that are being tested by myriads of other bug hunters.

In the first case, the Referer header had to match a specific format.
In the second case, a value based on the User-Agent was calculated on-the-fly and sent as a GET parameter for the request to pass. Mikhail created a PHP script which retrieves the victim’s User-Agent, gets the corresponding GET parameter value before redirecting the victim to the vulnerable page. He didn’t share the PHP script’s source code (unless I missed it!) but here is an XSS challenge replicating the same behavior: http://infosec.gearhostpreview.com/9p9ch/.

5. Non technical item of the week

Prioritizing and choosing a program to focus on by HackerOne

The question of choosing a bug bounty program is critical. I used to hesitate a lot and bounce from a program to another without exploring any one deep enough. But the most interesting bugs require good knowledge of the target app!

This blog post is helpful if you too are hesitant when choosing a target: It presents criteria to find the right programs based on your personal goals.

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Tools

  • Useless CSP: List of sites with misconfigured CSP headers
  • nmap-parse-output: A tool for analyzing Nmap scans
  • SSH Auditor: The best way to scan for weak ssh passwords on your network
  • Scrounger: iOS and Android mobile application penetration testing framework
  • quick-hits.php: A small PHP script to quickly find files in a given host list (by @gwendallecoguic)
  • Apache-Struts-v3: Script to exploit 3 ApacheStruts RCE vulnerabilities

Misc. pentest & bug bounty resources

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/17/2018 to 08/24/2018


Have a nice weekend folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments