The 5 Hacking NewsLetter 53

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 3 to 10 of May.

T5HN53.png

Our favorite 5 hacking items

1. Challenge of the week

Authentication Lab (online), Source code & Walkthroughs

This is a great lab if you want to practice finding authentication vulnerabilities. There are 5 bugs: IP based authentication bypass, Timing attack, Client side auth, Leaky JWT and JWT Signature Disclosure (CVE-2019-7644).

Also, if stuck, check out the walkthroughs. I don’t want to read them before doing the challenges but they seem detailed (like 5 articles in 1!).

2. Writeup of the week

Information disclosure on Shopify ($802.20)

This is a fun report! The vulnerability is that a GraphQL endpoint reveals sensitive information without authentication: that’s the internal beer consumption (brands & quantities left) at Shopify’s offices.

What’s interesting is how @eraymitrani found the vulnerable GraphQL endpoint. I highly recommend reading the summary where he explains it.

Basically, he saw in a previous report by @rijalrojan that Shopify had an exposed GraphQL endpoint. So he set out to find other exposed endpoints, following these steps:

  • Subdomain enumeration
  • Request /graphql on all subdomains using wfuzz
  • Filter by 200 responses
  • Send introspection queries to all of them in Burp Repeater
  • Got query string not present error
  • Solve it by adding the content-type: header to the post request
  • Look for a domain that leaks private information

3. Article of the week

Bug Chain Tales: P5+P5=P3

If you’re always hearing about chaining bugs and wondering how to do it in practice, this is a good example.

Self-XSS and login CSRF are generally not paying bugs by themselves. But, combined, they become more dangerous and worthy of a bounty.

The attack scenario in this case is to enter the XSS payload in the address details of the attacker’s account, and make the victim open this account using the login CSRF. When the victim buys something and wants to select the delivery address, the XSS payload is triggered.

4. Resource of the week

Awesome-Asset-Discovery

As its name indicates, this is an awesome asset discovery list. In other words, it’s a list of resources to help find all kinds of assets for organization: IP addresses, (sub)domains, emails, open ports, cloud infrastructure, business communication infrastructure, data leaks, source code aggregators, and more.

Some of the tools mentioned are classics that you probably already use, but you might also discover something new!

5. Slides of the week

Bug bounty - Work smarter not harder

This is a nice introduction to bug bounty. But even if you’re not a beginner, some resources mentioned might be helpful. Personally, I didn’t know of dkimsc4n (a DKIM scanner) and can’t wait to try it.

Also, thanks for mentioning Pentester Land @vavkamil!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • awesome-jenkins-rce-2019: There is no pre-auth RCE in Jenkins since May 2017, but this is the one!
  • Natlas: Scaling Network Scanning
  • ggroup.py: Check for public Google groups given a list of domains
  • Horn3t: Powerful Visual Subdomain Enumeration at the Click of a Mouse

More tools, if you have time

  • doNmap.sh: Bash wrapper for nmap scans
  • Final Recon: OSINT Tool for All-In-One Web Reconnaissance
  • awsEmailCheck.py: Determines if there is an AWS account associated with a given email address
  • Scan.sh: Initial recon automation (masscan + nmap import into metasploit db)
  • wpBullet Build Status: A static code analysis for WordPress Plugins/Themes (and PHP)
  • autOSINT: Recon tool. Uses recon-ng & hunter.io
  • ReconT: Reconnaisance, footprinting & information disclosure
  • Shiva: An Ansible playbook to provision a host for penetration testing and CTF challenges
  • QRGen: Simple script for generating Malformed QRCodes
  • Jalesc: Just Another Linux Enumeration Script: A Bash script for locally enumerating a compromised Linux box
  • LDAP_Search: Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
  • SharpClipHistory: A .NET application written in C# that can be used to read the contents of a user’s clipboard history in Windows 10 starting from the 1809 Build

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug Bounty / Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/03/2019 to 05/10/2019


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments