Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 26 of October to 02 of November.
OMG, this is a spooky one! The story of a whitehat hacker (maybe) wrongfully convicted, CIA agents killed because of Google dorking, researchers theorizing about human memory hacking… Plus the quantity of items listed this time!
There were so many good things shared that I could hardly choose, so this newsletter is even longer than usual. But of course, you don’t have to consume everything if you’re short on time. Just start with what interests you most, as many different topics are covered.
Enjoy and you can share feedback, suggestions, questions, likes… whatever you feel like.
Our favorite 5 hacking items
1. Tutorial of the week
How to perform the static analysis of website source code with the browser — the beginner’s bug bounty hunters guide
If you can only check one item from this newsletter, this is it! Reading and analyzing HTML & JavaScript code when testing web applications is a must. But it can be difficult for non-developers, especially because the best bugs are generally found manually.
This guide explains everything: the tools you need, what to look for and where, how to use a JS debugger, etc.
So if you’ve been wondering how to get better at bug bounties, drop everything and read this.
Hi, this is a cheat sheet for Open redirect vulnerabilities.
It’s a first draft. I will update it every time I find a new payload, tip or writeup. So if you’re interested in open redirects, keep an eye on this page!

Fuzzing (Detection)
Open redirect payloads
Payloads to detect open redirection:
Common injection points / parameters
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
How to find entry points to test?
- Burp Proxy history & Burp Sitemap (look at URLs with parameters)
- Google dorking, e.g.: inurl:redirectUrl=http site:target.com
- Functionalities usually associated with redirects:
  - Login, Logout, Register & Password reset pages
  - Change site language
  - Links in emails
- Read JavaScript code
- Bruteforcing
- Look for hidden redirect parameters, e.g.:
  /redirect?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
  /?url={payload}&next={payload}&redirect={payload}&redir={payload}&rurl={payload}&redirect_uri={payload}
Responses to look for when fuzzing
- HTTP redirect status codes
- Alert box popping up
Tips
- Try using the same parameter twice: ?next=whitelisted.com&next=google.com
- If periods are filtered, use an IPv4 address in decimal notation: http://www.geektools.com/geektools-cgi/ipconv.cgi
- Try double-URL and triple-URL encoded versions of payloads
- Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
- For XSS, try replacing alert(1) with prompt(1) & confirm(1)
- If the extension is checked, try ?image_url={payload}/.jpg
- Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
- Use /U+e280 RIGHT-TO-LEFT OVERRIDE:
https://[email protected]%E2%80%[email protected]
- Burp Intruder & Burp Repeater
- open-redirect-scanner
- Dirsearch with an open redirect payloads list (instead of the default list, or combined)
Exploitation
- Phishing
- Chaining open redirect with:
  - SSRF
  - OAuth token disclosure
  - XSS
  - CRLF injection
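The bypass tips above, seen from the validation side: a weak substring check next to a strict redirect-target check that refuses each of them. This is an added example, not part of the original cheat sheet; the names `naive_is_allowed`, `is_safe_redirect`, `redirect_param` and `ALLOWED_HOSTS` are hypothetical, and the sample URLs in the comments are constructed from the tips.

```python
from urllib.parse import parse_qs, unquote, urlsplit
import unicodedata

ALLOWED_HOSTS = {"whitelisted.com"}  # assumption: the application's allowlist

def naive_is_allowed(target):
    """Weak check: substring match, which several tips above get past."""
    return "whitelisted.com" in target

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Strict check: exact host match on a fully decoded, well-formed URL."""
    # Decode until stable so double/triple URL encoding hides nothing.
    for _ in range(5):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    else:
        return False  # still changing after 5 rounds: refuse
    # Reject control and format characters (categories Cc/Cf cover CR, LF
    # and bidi overrides such as U+202E), plus backslashes and spaces.
    if any(unicodedata.category(c) in ("Cc", "Cf") or c in "\\ " for c in target):
        return False
    # Same-site relative path: exactly one leading slash, never "//host".
    if target.startswith("/") and not target.startswith("//"):
        return True
    try:
        parts = urlsplit(target)
        has_userinfo = parts.username is not None or parts.password is not None
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed authority, e.g. a broken IPv6 literal
    if parts.scheme not in ("http", "https") or has_userinfo:
        return False
    # Exact match: numeric IP notations and appended suffixes (.uk) fail here.
    return host in allowed_hosts

def redirect_param(query, name="next"):
    """Return the redirect parameter only if it appears exactly once."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return values[0] if len(values) == 1 else None
```

Refusing a repeated parameter outright avoids the case where the validator and the redirect code each read a different occurrence of it.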
Resources
Open redirect writeups
Let me know if you have any comments, requests, questions… Feedback is always welcome.
See you next time!
Hi, today I’m going to share with you some advice that I wish somebody told me as a beginner penetration tester.
Working on your technical skills is important. But from my experience, mindset and productivity/organizational habits are even more important. They are the basis on which you will build solid technical skills, while maximizing your time and efforts.
The following tips are not exotic or extraordinary. But if you apply them and make them habits, they will help you up your game as a pentester and bug hunter.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 19 to 26 of October.
Our favorite 5 hacking items
1. Conference of the week
Beyond your studies & Slides by Ange Albertini
Wow, this talk is a gem (the slides also)! I wish I’d seen it as a teenager. It sheds light on so many truths related to infosec, job search, corporate environments, studies, the mold society tries to put you in, etc.
Watch it, even if you’re not a student or that young. If applied, this is life-changing advice.
Hi, I recently found a .git folder exposed on a public bug bounty program and used it to reconstruct the Web app’s source code. I can’t disclose specific details yet, but wanted to share with you this tutorial on how to find and exploit this kind of bug.

.git exposure can pay well or not, depending on the assets found. But it is interesting anyway because:
- It is very easy to detect
- Analyzing the source code can reveal other vulnerabilities that are even more critical and interesting