Hi, I recently found a .git folder exposed on a public bug bounty program and used it to reconstruct the Web app’s source code. I can’t disclose specific details yet, but wanted to share with you this tutorial on how to find and exploit this kind of bugs.
.git exposure can pay well or not, depending on the assets found. But it is interesting anyway because:
- It is very easy to detect
- Analyzing the source code can reveal other vulnerabilities that are even more critical and interesting
More …
Hi, if you ask any experienced bug hunter or pentester, they’ll tell you that Twitter is one of their main sources of information & learning resources.
But keeping up with all the tweets, tips, tools and links shared there is not an easy task. It requires a bit of organization.
The following 5 features combined together will help you stay up to date without feeling overwhelmed. They’ll also end your search for old tweets and the need to scroll your bookmarks endlessly to find something saved before.
More …
Hey hackers! Here are our favorite resources for pentesters and bug hunters discovered last week.
This issue covers the week from 12 to 19 of October.
Our favorite 5 hacking items
Embedding Meterpreter in Android APK by Black Hills Information Security
AndroidEmbedIT
This is a great tutorial on how to embed a Metasploit payload into a legitimate Android app. It is accompanied by AndroidEmbedIT, a tool to automate the process, but you’ll find the most value in the tutorial.
Even if you’re not planning on tricking all your friends or deploying the next Android malware botnet, you could still learn a lot from it: decompiling APKs, integrating Metasploit payloads, adding permissions, recompiling and signing APKs…
More …
Hi, this is a quick tip for anyone interested in testing the security of Android apps without using a physical device.
Genymotion is generally recommended over using the Android SDK emulator provided with Android Studio, because it is more performant.
Only Genymotion is x86-based, so if you try to install an app including ARM code on any Genymotion device, you will get this error that you wouldn’t have on a physical device:
An error occured while deploying the file.
This probably means that the app contains ARM native code and your Genymotion device cannot run ARM instructions. You should either build your native code to x86 or install an ARM translation tool in your device.
This will prevent you from installing a lot of apps that you may need for bug bounty hunting like Twitter, Netflix, Pinterest, Snapchat, etc.
More …
Hi, these are the notes I took while watching the “Practical recon techniques for bug hunters & pen testers” talk given by Bharath Kumar on LevelUp 0x02 / 2018.
Links
About
This talk is about some practical recon techniques for bug hunters & pentesters. It’s a continuation of Bharath’s talk about niche subdomain enumeration techniques.
More …
