Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 16 to 23 of November.
On a personal note, really sorry for the delay. I’ve been under the weather and am still recovering. I’m also working on a training course and a new very exciting project. So there may be fewer articles (than usual) published in the next few weeks.
Our favorite 5 hacking items
1. Slides of the week
This is a great presentation for both web app pentesters & bug hunters. It presents a lot of tools, techniques and tips around recon, Burp Suite, reporting, testing mobile apps, etc.
I devoured it in order to add anything new to my current methodology. Hopefully, the video will be made public too.
2. Tool of the week
The original Lazyrecon is a Bash script by @nahamsec to automate reconnaissance. It creates a dated folder with recon notes, does subdomain enumeration, screenshots, port scanning, file/directory brute-force, etc.
This fork by @plenumlab builds on these features and adds other useful ones: notifications for potential NS subdomain takeover, subdomain enumeration with massdns, finds target’s IP address space and dead DNS records…
This is a good tool to use as is, or to analyze and maybe get new ideas for improving your own recon tools.
3. Writeup of the week
This is an interesting authentication bypass, due to SQL injection on a JavaScript app.
The app expects this kind of POST data: {"username":"bl4de","password":"secretpassword"}. Poking with it showed that:
- {"username":[[]],"password":"secretpassword"} triggers a MySQL error typical of SQL injection
- {"username":[0],"password":"secretpassword"} triggers a request to port 21110 with an Authorization header (for Basic auth) including secretpassword and the username super.adm. But the password is rejected
- {"username":[0,1,2,30,50,100],"password":"secretpassword"} allows enumerating other usernames (but password still rejected)
- {"username":[0],"password":true} triggers a request to port 21110 resulting in successful authentication as the super.adm user!
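The behaviour above, illustrated as an added example (not code from the writeup or from the app it describes): a toy query builder that serializes JSON values the way many helpers do, next to the type check that closes the hole. naiveEscape, vulnerableQuery, validateCredentials and safeQuery are assumed names; the page does not name the library the app actually used.

```javascript
// Added example, not code from the writeup. naiveEscape() is an ASSUMED stand-in
// for whatever query helper the app used: arrays become comma-separated lists,
// booleans and numbers become bare literals, strings are quoted.
function naiveEscape(v) {
  if (Array.isArray(v)) return v.map(naiveEscape).join(', ');
  if (typeof v === 'boolean' || typeof v === 'number') return String(v);
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Vulnerable pattern: assumes req.body fields are strings without checking.
// With username [0] the clause becomes "username = 0"; MySQL casts a
// non-numeric string to 0 for that comparison, so it matches real accounts.
// With username [[]] the right-hand side is empty, hence the MySQL syntax error.
function vulnerableQuery(body) {
  return 'SELECT id FROM users WHERE username = ' + naiveEscape(body.username) +
         ' AND password = ' + naiveEscape(body.password);
}

// Hardened pattern: enforce the expected JSON types before any SQL is built.
// Arrays, booleans, numbers, nested objects and missing fields are all rejected.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return null;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  if (username.length === 0 || username.length > 64 || password.length > 256) return null;
  return { username, password };
}

// Validated values are passed as bound parameters, never spliced into the text.
// (Password handling is simplified; real code would compare a stored hash.)
function safeQuery(body) {
  const creds = validateCredentials(body);
  if (creds === null) return null; // caller answers 400 and never queries
  return { sql: 'SELECT id FROM users WHERE username = ? AND password = ?',
           params: [creds.username, creds.password] };
}
```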
4. Tutorial of the week
Browsing the Internet While Using Burp Suite: and Other Productivity Hacks
Do you use the same browser instance to browse the Internet while doing tests and intercepting all requests with Burp? If yes, this tutorial is for you! Leverage Chrome browser profiles to run multiple instances at the same time: one for testing, one for normal browsing, one for sensitive sites (like banking apps)…
I’ve been doing this for years with the Profile Switcher extension. I prefer Firefox to Chrome, but this extension is incompatible with the latest versions of Firefox.
If you know an equivalent and up-to-date Firefox extension, please share it with us!
5. Conference of the week
NDC Sydney 2018, especially:
I love these two talks! The first one is about advanced bugs that have become very popular in the bug bounty world (template injection, web cache poisoning, XXE, XSLT, SSRF…).
They are less known than XSS, SQL injection, open redirect, etc., but can have serious impacts and be highly rewarded.
The second one is almost an hour full of tips to help you decide if remote work is something for you or not, and how to navigate it successfully. A must watch if you’re considering remote work!
Other amazing things we stumbled upon this week
Videos
- HackerOne Hacker Interviews: @rhynorater
- End-to-End Encryption in the Browser Impossible? - ProtonMail
Podcasts
Conferences
- Deserialization: what, how and why [not] (AppSecUSA 2018)
- “If we win, we lose” & Slides (Microsoft BlueHat v18)
Slides only
- Abusing MSSQL, part 1 (Null Mumbai)
- New PHP Exploitation Techniques (PHP RUHR 2018)
- The use of radio attacks in red team and pentests (Security PWNing 2018)
- Flying under the radar
- Getting Buzzed on Buzzwords & Lambda Intruder
- WebGoat.SDWAN.Net in Depth (Power of Community 2018)
- A little bit about code injection in WebApplication Frameworks (CVE-2018-14667) (H2HC 2018)
Tutorials
Medium to advanced
- Exploring and Modifying Android and Java Applications for Security Research
- Escaping from Mozilla Firefox in Restricted Environments
- Getting Started With Objection + Frida
- Pentesting Dropbox on Steroids
Beginners corner
- Metasploit Basics, Part 20: Creating a Fake SMB Server to Capture Credentials
- Regular Expressions In grep examples
Writeups
Pentest & Responsible disclosure writeups
- How I hacked into an internet cafe?
- How did I hack Godaddy 2-step Authentication of my own account
- My name is Johann Wolfgang von Goethe – I can prove it
- phpBB 3.2.3: Phar Deserialization to RCE
- DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers
- Authenticated RCE in Polycom Trio 8800 pt.1
- Path traversal in mozilla pdf.js
Bug bounty writeups
- XSS & Web cache poisoning on Discourse ($256)
- Logic flaw on Google ($15,600)
- XS-Search attack on Google ($9,400)
- SSRF escalated to LFI on private program
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
- Asnlookup: Look up IP addresses (IPv4 & IPv6) registered and owned by a specific organization for reconnaissance purposes (integrated into Lazyrecon)
- BurpelFish: Burp extension that adds Google Translate to Burp’s Context Menu. Useful for testing sites in foreign languages
- findsubdomains.py: Output all the data from https://findsubdomains.com/ into a JSON structure
More tools, if you have time
- Blacklist3r & Project Blacklist3r Introduction
- BbSpider: Simple spider for bug bounty recon & example
- ParamPamPam: tool for brute-forcing GET and POST parameters (without Burp)
- NodeJsScan: A static security code scanner for Node.js applications
- ipv666 & IPv666 – Address of the Beast: Golang IPv6 address enumeration
- Maai: Scanner that uses the Python libraries for nmap to run a full-port masscan on targets, then runs Nmap NSE scans only on the open ports found
- SubDomainizer: A tool to find subdomains hidden in the inline and external JavaScript files of a page
- SubFl0w: A tool that takes a list of subdomains, checks each one for subdomain takeover and reports the results
- CredCatch: Find plaintext credentials from emails in bulk from password dumps
Misc. pentest & bug bounty resources
- Open Source Intelligence (OSINT) Tools & Resources
- Discord server for OSINT, netsec and developing security tools with Go
- What are the monthly earnings of a bug hunter professional with 5 years of experience?
Articles
- Yet another memory leak in ImageMagick or how to exploit CVE-2018-16323
- OAuth 2.0 Threat Landscape
- Web Browser Address Bar Spoofing
- The passwordless web explained
- From Novice to Apprentice: How to Start Participating in Capture the Flag Events
News
Full account takeover … will be rewarded an average bounty of:
- $40,000 if user interaction is not required at all, or
- $25,000 if minimum user interaction is required. We will not require a full exploit chain in cases where leveraging the vulnerability requires bypassing our Linkshim mechanism.
By finding as few as 3 flags, you’ll automatically be added to the priority invitation queue for private program invitations and will receive one the following day. For every 26 points you earn on the CTF, you’ll receive another invitation.
- How Hired Hackers Got “Complete Control” Of Palantir
- 75% of users reuse passwords across different accounts – this is up from 56% in 2014!
Non technical
- Researcher Spotlight – Phillip Wylie Ambassador
- Real Hackers Tell Us Why They Love the Movie ‘Hackers’
- That Black Mirror episode with the social ratings? It’s happening IRL
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/16/2018 to 11/23/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…