The 5 Hacking NewsLetter 45

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 8 to 15 of March.

T5HN45.png

Our favorite 5 hacking items

1. Conference of the week

OWASP AppSec California 2019, especially:

OWASP AppSec conferences are great for anyone interested in (both offensive and defensive) Web app security. This one is particularly good, as you can judge from the list of talks above that I’m planning to watch!

Some of the topics addressed are: extracting endpoints from JS files, FaaS & GraphQL security, Web Caching vulnerabilities, scaling visual identification for bug hunters, new features in ZAP, interesting OWASP tools for white box pentesting…

The only thing missing is the video/slides from workshops which look really interesting. Gonna have to go there myself some day!

2. Article of the week

Exploiting CVE-2018-1335: Command Injection in Apache Tika

Have you ever found an open port on a target, and the service’s version had a CVE but no disclosed exploit? This might happen a lot, especially on (internal) pentests where the number of open ports is generally higher than during bug bounty.

This article is a great example of you how to reverse engineer the patched version and locate the vulnerability - an RCE in this case, using diff (or rcdiff).

3. Tool of the week

Sublert & Introduction

This is a new recon tool by @yassineaboukir who also wrote Asnlookup. They’re both very handy tools for bug hunters.

Sublert monitors changes in CT logs, and notifies you via Slack when a new SSL/TLS was issued for the organization you’re monitoring.

What’s new compared to existing CT monitoring tools like Facebook’s CT tool or CertSpotter is that it was created by a bug hunter for bug hunters. It won’t spam you with irrelevant results, you can enable DNS resolution, disable monitoring for specific domains, and since it’s in Python, you can integrate it with any bug hunting (automated) scripts you are already using.

4. Slides of the week

Pwning mobile apps without root or jailbreak

This is an awesome presentation if you’re into mobile app testing! It’s understandable even without video.

The question answered is: how do you test the security of an app if for some reason you can’t use a rooted/jailbroken device? This happens when the app refuses to run on a rooted device, or when it requires an iOS version that doesn’t have a public jailbreak.

Solutions explained including commands and resources are:

  • For Android, modify the APK, enable backups, enable debugging, repackage the app, bypass certificate pinning manually using grep, bypass root detection manually, or do the same thing using Frida
  • iOS repackaging or use Frida
  • Use Objection (wrapper around Frida)

5. Resource of the week

Bypassing XSS Detection Mechanisms

This is a great resource for learning how to bypass WAFs for XSS, by the author of XSStrike & Photon.

I often see people sharing complex XSS payload on Twitter. But without context, I don’t find them very useful. This paper is a much better resource for understanding what filters do and how to bypass them with a solid methodology, as opposed to randomly running a list of payloads.

The steps proposed are:

  1. Determining the payload structure based on the context where you are injecting (HTML inside or outside tag, JavaScript…)
  2. Probing to determine the regex used
  3. Obfuscation

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Stepper: A natural evolution of the Repeater tool for Burp Suite! Create sequences of requests to simplify testing of multi-stage endpoints, and create regular expressions to define variables for use in later steps.

More tools, if you have time

  • Graudit: Grep rough audit - source code auditing tool
  • TLS-Attacker-BurpExtension: Tool based on TLS-Attacker to assist pentesters and security researchers in the evaluation of TLS Server configurations with Burp Suite
  • VulEdiWi & Introduction: A tool to find all publicly editable Github wikis of an organisation and publish your demo page on it
  • PandorasBox & Writeup: Find Enterprise Box accounts and enumerate for shared files and folders
  • Goca: a FOCA fork written in Go, which is a tool that finds metadata and hidden information in the documents its scans. These documents may be on web pages, and can be downloaded and analyzed with Goca
  • HashSlack: Small utility script to notify via Slack about Hashcat’s progress during a password cracking session & How to specify which channel to use
  • Cat-nip: Automated Basic Pentest Tool - Designed For Kali Linux
  • Initial scan: A tool for performing an initial, information-gathering scan of websites for penetration tests
  • PWSP : ClickJack Test: Online tool to test if a given URL is vulnerable to clickjacking
  • frida-extract-keystore.py & Introduction: Automatically extract KeyStore objects and relative password from Android applications with Frida
  • BuildReview-Windows: A PowerShell script for performing a build review of a Windows host
  • Wesng: Windows Exploit Suggester (based on systeminfo)
  • RootOS: macOS Root Helper. Tries to use various CVEs to gain sudo or root access

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Breaches & Vulnerabilities

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/08/2019 to 03/15/2019


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments