Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.
This issue covers the week from September 14 to 21.
Our favorite 5 hacking items
It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.
1. Tutorial of the week
GraphQL is an alternative to Web APIs like REST. This tutorial is a great introduction to understanding the differences between them, finding hidden GraphQL endpoints, and exploiting them to detect SQL injection.
2. Writeup of the week
How I XSS’ed Uber and Bypassed CSP by @mefkansec
I love the creativity of the recon work that led to this XSS: @mefkansec looked for Uber invitation links mentioned everywhere on forums & social media. Then he used a Google dork to find many more invitation links in order to gather new GET parameters, until he found one that was vulnerable to a simple reflected XSS.
3. Tip of the week
@Yassineaboukir recommends reverse engineering and analyzing the source code of Electron apps, as an easy way to find hardcoded secrets. The tutorial he mentions is very concise and should help you get started quickly.
Also, @0xibram recommends in the comments using this guide once you have the source code: Electron Security Checklist - A guide for developers and auditors.
4. Resources of the week
@gwendallecoguic suggests 4 blog posts that helped him learn how to bypass Cloudflare. Try the different techniques until you find one that works on your target.
5. Tool of the week
This tool helps you monitor Certificate Transparency logs for new subdomains, whether you're targeting a specific bug bounty program or working on a long-term pentest engagement.
It uses the API of Entrust Datacard’s Certificate Transparency Search Tool.
Other amazing things we stumbled upon this week
Videos, Conferences & Podcasts
- How to rob a bank over the phone by Joshua Naga Crumbaugh (GrrCon 2018)
Medium to advanced
- XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites
- Web Caching
- Subdomain Takeover: Identifying Providers
- A practical guide to testing the security of Amazon Web Services (Part 2: AWS EC2)
- Erlang Authenticated Remote Code Execution
- Basic Penetration testing lab — 1
- Basic iOS Apps Security Testing lab — 1
- Testing Password Reset Functionalities
- How to extract APK file of an Android application
- Content Security Policy
- 5 ways to bypass account lockout in web applications
- How I was able to takeover any Account of the Official Bookstore of the French Senate?
- How I hacked 747 game 😎 | Built Cheat Bot using Deep Learning
- SSRF as a Service: Mitigating a Design-Level Software Security Vulnerability
- Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges
- Gaining RCE by abusing Node-RED
- Security Bugs in Practice: SSRF via Request Splitting
- CertStreamMonitor: Monitor certificates generated for specific domain strings, store the data in an sqlite3 database, and get alerted when sites come online
- cookie-decrypter: A Burp Suite Professional extension for decrypting/decoding various types of cookies
- TruePolyglot: Polyglot file generator project. This means that the generated file is composed of several file formats. The same file can be opened as a ZIP file and as a PDF file for example.
- terraform-burp-collaborator: Terraform configuration to build a Burp Private Collaborator Server
- Upload Scanner: HTTP file upload scanner for Burp Proxy (Burp extension)
- SimpleshoT: simple screenshot generator
- TIDoS Framework: The Offensive Web Application Penetration Testing Framework
Misc. pentest & bug bounty resources
- Android-Reports-and-Resources: A big list of Android Hackerone disclosed reports and other resources
- Inside look at modern web browser (part 1) & Part 2
- Top Firewall Misconfigurations that Lead to Easy Exploitations by Attackers
- Search for Simone: A social media investigation
- Hacker Q&A with André Baptista: From CTF Champ to h1-202 MVH
- A Bug Bounty Hunter Tells All
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/14/2018 to 09/21/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…