The 5 Hacking NewsLetter 70

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 30 of August to 06 of September.

T5HN70.png

Our favorite 5 hacking items

1. Conference of the week

DerbyCon 9, especially:

DerbyCon 9 had so many good talks! I’m particularly interested in the ones on CORS, Kerberoasting, WebSOckets, GraphQL, Serverless, API security & red teaming, but many other topics were discussed.

Too bad, this was the last DerbyCon conference!

2. Writeup of the week

Add new user with Admin permission and takeover the organization

This is the writeup a privilege escalation on a private program. Starting with a limited user account and no API documentation, the author was looking for admin endpoints.

He tried common ones like /api/v2/member/, /api/v2/members/, /api/v2/users/, /api/v2/user/… And noticed that existing and non-existing endpoints returned different HTTP codes.

api/v2/user returned a 405 (the method is not allowed). Changing the method from GET to POST, and adding all parameters reported missing by the server, he was able to construct a valid POST request and create a new user. But the reset password functionality didn’t work for that user until he passed the right value (found by bruteforce) to a specific parameter during user creation.

Then he was able to create an admin user by adding “role”=”admin” to the request.

This whole process isn’t complicated but I love how the author relies on parameters guessing and bruteforce, and also chains multiple actions to find hidden functionality and overcome any obstacle faced.

3. Article of the week

Same-Origin Policy: From birth until today

The Same Origin Policy is an essential concept for Web app testers. This article presents the results of research on SOP and CORS on different browsers, as well as 2 CSRF bugs and how CSRF and SOP are related.

The author’s conclusion: “do not use IE or Edge”… They violate the SOP standard, which makes them more vulnerable.

4. Tool of the week

gitGraber

This is a great tool for Github recon. I’ve never seen one like it for two reasons: it does live monitoring with Slack notifications, and it searches all Github not only organization repositories. So even if a developer has a profile that is not explicitly linked to your target organization, gitGrabber will still search for secrets in this repository.

The syntax is basically gitGraber.py -k KEYWORDSFILE -q QUERY, where QUERY can be your target organization (e.g. yahoo) and KEYWORDSFILE is a file containing keywords like access_key, password, auth… The tool looks for sensitive data for several online services (Google, Amazon, Paypal, Github, Mailgun, Stripe…) based on regexes and notifies you when potentially sensitive information is found.

5. Videos of the week

TomNomNom answers questions for 4 hours straight
8/25/2019 - Live Bug Bounty Recon Session w/ @FransRosen

This livestreaming trend by bug hunters is getting crazy! I find it harder and harder to keep up with the pace. But these two videos are on the top of my list of things to watch this week.

@tomnomnom answers questions for more than 4 hours. They touch on everything from his peanut butter preferences to why he doesn’t do bug bounty full-time, burnout, VIM, getting into bug bounty, etc.

The stream by @NahamSec covers topics like asset discovery and API fuzzing, and a ~1 hour interview with @fransrosen. I’m a big fan of his, so it’s awesome to hear about his recon approach, research he’s working on, why he doesn’t automate everything, etc.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • TorIpRotate: Simple burp extension for routing traffic over tor. It instruments tor to switch to a new circuit after every N requests.

More tools, if you have time

  • Requests-Racer & Introduction: A Python Library for Exploiting Concurrency-Related Vulnerabilities in Web Applications
  • massNS: A tool that turns the authoritative nameservers of DNS providers to resolvers and resolves the target domain list
  • Encoderama: String or worldlist encoder for use in fuzzing or web application testing
  • Liffier: Tired of manually add dot-dot-slash to your possible path traversal? this short snippet will increment ../ on the URL
  • C3 & Introduction: Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits
  • SharPersist & Introduction: Windows Persistence Toolkit in C#
  • ActiveReign: A Network Enumeration and Attack Toolset. Similar to CrackMapExec with less functionalities but with a few modifications that might be handy
  • Httptools: A python package that lets you to capture, repeat and live intercept HTTP requests with scripting capabilities, built on top of mitmproxy

Misc. pentest & bug bounty resources

Challenges

  • GTH CTF challenge: XSS, IDOR, injection, content discovery, enumeration, bruteforce…

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/30/2019 to 09/06/2019.


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments