The 5 Hacking NewsLetter 51

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 19 to 26 of April.

T5HN51.png

Our favorite 5 hacking items

1. Challenge of the week

CTF Challenge

I haven’t had the time yet to do this CTF, but it’s on my todo list because it seems different. It’s a Web CTF that involves multiple subdomains, directory bruteforce, and different attack vectors.

So it’s a nice opportunity to practice recon. But make sure to respect the rules (attacking the infrastructure/ports other than 443 is not allowed).

2. Writeup of the week

Session fixation on Shopify ($5,000)

This is an excellent session fixation report. It is well-written, detailed and a good example of a real-life session fixation attack. So it’s a great read if you want to learn about this kind of bugs.

Also, it’s interesting to see how @filedescriptor found the bug and chained it with an out of scope vulnerability: He found an XSS but XSS was out of scope. So he kept playing with the apps and noticed that some session IDs generated didn’t change after logging in, which meant session fixation. So he leveraged the XSS to exploit the session fixation.

3. Article of the week

“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter A list of the most common [secure] variables from 5,302,677 build logs on Travis CI

This is awesome research and collaborative work! I loved reading about:

  • How they came up with this research topic
  • How they started with a list of bug bounty programs, found their Github organizations (using Google), then their Travis CI projects (using a bookmarklet)
  • How they grepped through the sizeable data retrieved (using Ripgrep)
  • How the tools they used to fetch build logs were created with availability in mind (to avoid causing any service disruption)
  • Which kind of information to look for when analyzing Travis CI logs
  • Several examples of bugs found on bug bounty programs

4. Resource of the week

Keyhacks

Keyhacks is a Github repo listing ways in which API keys can be checked to see if they’re valid.

It can be handy to quickly show the impact of API keys leaked by bug bounty targets. It’s particularly interesting after reading the research about finding sensitive information in Travis CI logs.

5. Tutorial of the week

How to Hunt Bugs in SAML; a Methodology - Part I, Part II & Part III

If you’ve come accross SAML during testing and didn’t know which kinds of bugs to look for, these tutorials are for you!

They’re a good introduction including how SAML works, common vulnerabilities, tools, a testing methodology, and resources.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • X41 BeanStack & Introduction: Java Fingerprinting using Stack Traces
  • SmartProxy: SmartProxy will automatically enable/disable proxy for the sites you visit, based on customizable patterns
  • BugHunter: A Bug management project for Bug Hunters
  • RCEvil.NET & Slides: A tool for signing malicious ViewStates with a known validationKey
  • Viewgen: ASP.NET ViewState generator, When to use it & Related research
  • Thief: Subdomain hijack automation. Wrapper around Sublist3r & Subjack
  • Findomain: A tool that use Certificate Transparency logs to find subdomains
  • Reverie: Wrapper around pentest tools with automated reporting (for Parrot Linux)
  • GitHacker: A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers’ mind
  • Csp-analyzer.py: Python script that displays the Content-Security-Policy of a given url
  • Netmap.js: Fast browser-based network discovery & port-scanning module
  • Termshark: A terminal user-interface for tshark
  • SAP Gateway RCE exploits

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/19/2019 to 04/26/2019


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments