The 5 Hacking NewsLetter 30

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 23 to 30 of November.

T5HN30.png

Our favorite 5 hacking items

1. Resource of the week

WAF/IPS/DLP bypass Cheat Sheet

This is a cheat sheet of techniques for bypassing Web Application Firewalls. It might be useful and help you find bugs that others have missed.

Some of the techniques using double Host headers or double Content-Type headers, entering the HTTP method in lowercase or including tabs, etc.

2. Writeup of the week

XSS on Instagram

I love how simple yet creative this finding is!

Facebook and Instagram store photos/videos on their CDN subdomains *.fbcdn.net. These URLs can’t be accessed directly without any parameters (“Access denied” error). And hashes sent as GET parameters protect from request tampering (for e.g. modifying file extensions).

A workaround to bypass all these checks is to access the same files through the subdomain’s CNAME record, https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html:
instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.

This allows access to any file while bypassing signature checks and without specifying any parameters. Even expired links are accessible!

3. Tool of the week

BLH Plugin

Broken Link Hijacking Burp Extension is a very nice addition to any bug hunter’s arsenal.

Every time a broken link is detected while you’re testing a target, it is reported as an issue. Then you can test all links for link hijacking, as explained in “Broken Link Hijacking - How expired links can be exploited.” by @EdOverflow.

4. Article of the week

Abuse MITM possible regardless of HTTPS

Wide use of HTTPS makes Man-in-The-Middle attacks harder to perform today. But they are still possible, as HTTPS can be bypassed if CORS, postMessage, HSTS and WebSockets are not used properly.

This article gives examples of what can go wrong and how HTTPS can be bypassed.

5. Tutorial of the week

Tcpdump Examples: 50 Practical Recipes for Everyday Tasks

I always forget tcpdump and wireshark filters and syntax. So this list of 50 tcpdump recipes is very handy.

It includes things like: how to display only IPv6 traffic, how to filter traffic by IP, port, protocol or network, how to find HTTP hosts, cookies, user agents, cleartext passwords & more.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

EyeWitness no longer has the “—headless”, it now only has “—web” for web screenshots. This uses Firefox in the backend and runs it headlessly, so this will still work on a headless server!

More tools, if you have time

Misc. pentest & bug bounty resources

Articles

News

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/23/2018 to 11/30/2018


Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments