Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from November 30 to December 7.
Our favorite 5 hacking items
1. Conference of the week
BSides Lisbon 2018, especially:
If you’re a professional pentester or looking for a pentesting job, then you should really watch the talk “How To Build Your Own Infosec Company”. It tackles a lot of topics: the advantages of small vs big pentesting companies, how to grow your own name and find your first client, how to organize your work and emails, plus many other tips.
2. Writeup of the week
This is a great writeup to learn about server-side template injection in HubL.
It’s written like a tutorial, with details on how to go from detection (entering {{7*7}} and getting ‘49’ displayed back) to information gathering and full remote code execution.
3. Challenges of the week
Hackerone challenges on HackEDU
Hackerone and HackEDU teamed up to offer the community 5 hacking challenges (“hackboxes”). These are great because they mirror real bugs found by Hackerone bug hunters and disclosed on Hacktivity, and they’re free.
The bugs and reports are listed on this blog post: Test your hacking skills on real-world simulated bugs.
4. Non-technical item of the week
The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed
As pentesters / bug hunters, we’ve all asked ourselves at some point: Where do I start? How do I become good at this? Or… How do I master it?
These are questions that Azeria already tried to answer in a previous talk and is now digging deeper into in this new mini-series.
I strongly recommend reading both no matter where you are on the pentest / bug hunting mastery spectrum. Trying the strategy presented might help you deal better with the information overload that we all face in this field.
5. Article of the week
This is a good resource for digging deeper into Blind XSS vulnerabilities. It doesn’t explain the basics, but includes a polyglot, a list of payloads and links about AngularJS Blind XSS in particular.
This is specific enough to maybe help you (and me) find less trivial XSS bugs.
Other amazing things we stumbled upon this week
Videos
- Hacker101 - Source Review
- Hacker Interviews: Sean Melia (@Meals)
- OWASP DevSlop E06 - How to Hack Your Own Apps
Podcasts
- The Extremely Unabridged History of SQLi and XSS (S04E19)
- 7MS #339: A Pulse-Pounding Impromptu Physical Pentest
Conferences
- WEBCAST: Raising Hacker Kids / Podcast
- 10 Proven Security Awareness Tips to Implement Now - Webinar / Podcast
Slides only
- Web Vulnerabilities And The People Who Love Them
- Serverless Security Workshop
- Testing Python security (PyCon IE) & GitHub repository
- Where 2 worlds collide: Bringing Mimikatz et al to UNIX
- When everyone’s dog is named Fluffy: Abusing the brand-new security questions in Windows 10 to gain domain-wide persistence & Introductory article
Tutorials
Medium to advanced
- From CSRF to Unauthorized Remote Admin Access
- iOS Bug Hunting – Web View XSS
- RCE in PHP or how to bypass disable_functions in PHP installations
- Penetration testing & window.opener — XSS vectors part 1
- Analysing and Exploiting Kubernetes APIServer Vulnerability - CVE-2018-1002105
- Tabnabbing Protection Bypass
- Bypass of Disabled System Functions
Beginners corner
Writeups
Pentest & Responsible disclosure writeups
- Pwning JBoss Seam 2 like a boss
- A small bug in the Election portal !!!
- How To Upload Any File To Amazon’s Free Unlimited Photo Storage Space
Bug bounty writeups
- Improper access control flaw on Liberapay
- CSRF on Discourse ($512)
- Insufficient Session Expiration on Hackerone ($500)
- Information disclosure on Hackerone ($500)
- Billion Laugh Attack in https://sites.google.com ($500)
- GitHub Desktop RCE (OSX)
- [BBP Series 3] Hijack the JS File of Uber’s Website ($6,000)
Other writeups
- Here is how the entire #pewdiepie printer hack went down
- Exploiting Developer Infrastructure Is Ridiculously Easy
- Implementation of the OWASP Mobile TOP 10 methodology for testing Android applications
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
- Scan Check Builder: BurpBounty made available on BApp store. Burp Suite extension to improve the active & passive scanner by means of personalized rules (requires Burp Suite Pro)
- Scavenger: A multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as “interesting” files containing sensitive information
More tools, if you have time
- S2_Jasper_RCE.jrxml: JasperReports Remote Code Execution with a single .JRXML file (useful if JARs are not allowed)
- The OWASP ZAP Heads Up Display (HUD) & Hacking with a Heads Up Display: New interface that provides the functionality of ZAP directly in the browser
- domainresolver: A bash-based tool to test whether the domains/subdomains listed in a given file resolve, and save the output
- Linikatz: A tool to attack AD on UNIX
- BruteX: Automatically brute force all services running on a target
- Hayat: Google Cloud Platform Auditing & Hardening Script
- PENTOL: Pentester Toolkit for Fiddler2
Misc. pentest & bug bounty resources
- Named vulnerabilities and their practical impact
- KringleCon: Register for the free virtual conference if you haven’t already. It’s happening soon!
- Pentest-guide: Penetration Test Guide based on the OWASP + Extra (Penetration tests cases, resources and guidelines)
- Introducing the NEW SANS Pen Test Poster - Pivots & Payloads Board Game
Challenges
- Try Hack Me
- Pwn-School-WAPT-Kali.ova: VM built by @PhillipWylie for a web app pentesting workshop he gave at @BSidesDFW. It has 8 different vulnerable Dockerized apps on a Kali VM
- flAWS 2: Challenges focused on AWS specific issues (no buffer overflows, XSS, etc)
- Top Hacking Simulator Games Every Aspiring Hacker Should Play: Part 1
Articles
- OPINION: It’s too late now to say sorry, Mark Zuckerberg.
- HTTPS in the real world
- Major sites running unauthenticated JavaScript on their payment pages
- What Moving To the Bay Area Taught Me About Loving My Pentesting Tools
- Securing Your Site like It’s 1999
- The Biggest Bugs in 2018 and What’s to Come
- Kubernetes being hijacked worldwide
News
- Beginning today all Bugcrowd VDP or Bug Bounty programs will include Disclose.io messaging as the default policies within the program briefs
- A low-privileged user account on most Linux operating systems with a UID value greater than 2147483647 can execute any systemctl command without authorization
- The personal information of 500 million guests stolen: “What makes this breach stand apart … is the data that was taken. Hotels collect more PII data than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers)”
Non technical
- Dos and Don’ts About Presenting In Public
- Healthy Hacking with the Treadmill Elliptical Desk: My journey to staying healthy while hacking!
- [email protected] 2018: Hackers Explain Why They Hack and How Orgs Benefit From What They Do
- The adventures of lab ED011—“Nobody would be able to duplicate what happened there”
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/30/2018 to 12/07/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…