The 5 Hacking NewsLetter 74

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 27 of September to 04 of October.

T5HN74.png

Our favorite 5 hacking items

This time, exceptionally, we’re featuring way more items than usual… Why limit ourselves to 5 if both quantity and quality are there?

The following links are all really worth checking out if you are into Web application security.

1. Articles of the week

HTTP Desync Attacks: what happened next
Karim Rahal: Security Features of Firefox
The Top 8 Burp Suite Extensions That I Use to Hack Web Sites
5 Subdomain Takeover ProTips

These articles are, in order, about:

  • New research by @albinowax on HTTP Request Smuggling
  • 3 Firefox security features explained by @KarimPwnz, with good tips on how to use the “Multi-Account Containers” extension for hacking
  • A list of 8 Burp extension worth using, with everything you need to know about them in one page (what they do, installation & usage tips)
  • 5 tips by subdomain takeover master @0xpatrik

2. Writeup of the week

Google Paid Me to Talk About a Security Issue!

Google sponsored @LiveOverflow for making this video. It is a writeup of a bug found by @wtm_offensi on Google’s Cloudshell.

Basically, Git cloning a repo with Cloudshell lead to RCE. But this is not a simple bug and I am not going to try to sum it up in a few words like I usually do. This finding is probably the result of hundreds of hours of work.

This is why I find it so inspiring. The level of persistence and work involved to understand both the technologies behind Cloudshell and its inner workings is amazing.

It is also interesting to hear about @wtm_offensi’s thought process: How he chose the target to focus on based on criticality, how he keeps asking himself questions to really understand the app (almost like an investigation), how he doesn’t look for a technical vulnerability but for an outcome (RCE), and for any conditions that could lead to that outcome…

3. Tool of the week

Varanid.io
Cyber.dic & Introduction
Mobexler & Introduction
Swamp
Syborg
Fav-up
Dnsgen, Introduction

  • Varanid.io is an all-in-one tool that makes it really easy to monitor a lot of thing for pentest/bug bounty purposes. This includes DNS records, SSL certificates, file changes (e.g. changes to JavaScript files), response headers, status codes, page title, up/down time and more. I’ve never seen all these features on one site, with such ease of use!
  • Cyber.dic is a spellcheck dictionary to add support of 1700+ technical terms to Microsoft Word & LibreOffice Writer. Finally, I can write “pentest” without it being highlighted as a mistake…
  • Mobexler is a customised virtual machine, based on Elementary OS, designed to help in penetration testing of Android & iOS apps. I like the idea of having all (or most) of the tools you need for mobile testing already installed on a VM. It’s like the Kali of mobile testing.
  • Swamp is an OSINT tool for discovering associated sites through Google Analytics Tracking IDs. It’s not a novel idea but being able to automate this is helpful for recon.
  • Syborg is a recursive DNS Domain Enumerator with dead-end avoidance system. It is inspired from a discussion between @tomnomnom and nahamsec on the drawbacks of current subdomain enumeration tools.
  • Fav-up* is so creative! It helps you find a server’s origin IP behind Cloudflare by looking up its favicon on Shodan.
  • Dnsgen is like altdns on steroïds. It generates a combination of domain names from provided input. This is useful for finding new subdomains and account takeovers. And apparently, it generates way more combinations than altdns.

4. Non technical item of the week

My baby steps towards Bug Bounty Hunting — an arduous yet exciting journey

@sharathsanketh recounts how he went from knowing nothing in Web hacking to his first bounty.

He doesn’t give any technical advice, but I think his story and advice are so relatable and useful for beginners. He did two things I find noteworthy: He forced himself to focus on learning, not bug hunting without knowing the basics. And he didn’t start with the most recommended books on bug bounty. He started with less known introductory books on how technology and the Web work, because that’s what he needed to understand before going deeper.

This is a great mindset to adopt: “You need to know where you stand and reverse engineer in order to even know what you have to learn”.

5. Tips of the week

What are some endpoints that make you excited when it pops up while performing a directory brute force? Any way to import a big url list into burpsuite?

It’s always fun to get a peak at what other hackers are using as tools and wordlists. The first link is basically a crowdsourced list of interesting endpoints to add to your directory bruteforce wordlist. The second one is about several ways for importing a list of URLs to Burp: using Burp API, BurpFeed, Burp-Importer…

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Misc. pentest & bug bounty resources

Challenges

Articles & Papers

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/27/2019 to 10/04/2019.


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments