Bug Bytes #45 – DEFCON 27 Recap, JWT Playbook, Leaky repo & new XSS challenge
By Intigriti
November 19, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 08 to 15 November.
Intigriti news
We launched another XSS challenge! You can win a Burp Suite Pro license if you solve it before Monday. Check it out:
We're celebrating 10K followers with a challenge! 🎉
Find the XSS flaw and WIN a @burp_suite license! 👇
🏆 Challenge: https://t.co/dYnctSfAAq
ℹ️ More info: https://t.co/CllyXhC7oL — Intigriti (@intigriti) November 18, 2019
Our favorite 5 hacking items
1. Conference of the week
Finally, DEF CON 27 videos are released! There is no introduction needed, right?
I’m watching this first: “Owning The Clout Through Server Side Request Forgery” by @NahamSec & @daeken. What about you?
2. Resource of the week
This is the wiki for the [jwt_tool](https://github.com/ticarpi/jwt_tool) toolkit for testing JSON Web Tokens. I was surprised to see how detailed it is.
It covers recognizing and reading JWTs, an attack methodology, how to test for known exploits, fuzzing, stealing JWTs by exploiting other vulnerabilities, and more. An excellent resource to get into hacking JWTs!
3. Challenge of the week
This GitHub repository is deliberately seeded with leaked secrets and other vulnerabilities. It is intended as a benchmark target for secret-hunting tools like github-dorks or truffleHog.
Personally, I also plan on using it as a challenge to practice finding secrets on Github.
4. Non technical item of the week
Tips for an Information Security Analyst/Pentester career – Ep. 78 – Nothing is impossible
This is @mattiacampagnan’s story on how he found a pentesting job. Basically, he created a blog and wrote dozens of articles related to penetration testing. This gave him some exposure. A company contacted him for an interview, he got a remote part-time position, did the work for 3 months, and finally it became a full-time position.
I loved reading this story because it is another reminder that there is no secret way to success. Do your work and find a way to differentiate yourself. Simple, but a lot of people do not want to hear that…
I personally can attest to the same thing: Maintaining a blog and being consistent opens up so many possibilities and professional options. If you are struggling to find work, you should really consider starting a blog, video course or Youtube channel. Anything that you put out there that shows technical abilities and professionalism will help you find employers or customers.
5. Tutorials of the week
– Fasten your Recon process using Shell Scripting
– Different Approaches For Reconnaissance — Bug Bounty’s
These are two nice tutorials that go a bit further than most typical recon articles.
Apart from classic subdomain enumeration, they show how to programmatically fetch URLs with their status code and page title, and grep the results for keywords. This will certainly help process the data collected from large-scope bug bounty programs (or pentest targets).
Other amazing things we stumbled upon this week
Videos
Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com with @0xteknogeek
Bounty Thursdays – Live from HackerOne’s H1213 with (STÖK, Nahamsec, TomNomNom, BugbountyHQ)
RECON with random internet ip addresses & BUG Bounty (Playing around RECON/METASPLOIT/SSH)
SQL and XSS Vulnerability Code Review [25] #CodeReview
10 Minute Tip: Using Web Developer Tools with Instagram and Pinterest for OSINT
Red Team Operations with Cobalt Strike (2019): Free course on Adversary Simulations and Red Team Operations using Cobalt Strike 4.0
Complete bug bounty tutorial of 2019 – common web attacks for beginners
Podcasts
InfoSec Career Podcast – Episode 4: Interview with Ed Skoudis
Risky Business #562 — Two former Twitter staff charged over Saudi spying
Webinars & Webcasts
SANS Dark Web Solutions Forum – Illuminating the Dark Web: Harvesting and Using OSINT Data from Dark Web Resources (Free registration required)
Successful Infosec Consulting: Lessons from Three Decades in The Field (Free registration required)
Conferences
Slides only
Tutorials
Medium to advanced
Exploiting SQL Server Global Temporary Table Race Conditions
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients & RdpThief
Beginners corner
Writeups
Responsible(ish) disclosure writeups
Microsoft Edge – Local File Disclosure and EoP #Web #Browser
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service #PrivilegeEscalation #Windows
Ghost Potato #Windows #NTLM
Bug bounty writeups
Broken API authorization ($440)
CSS injection on Slack ($500)
XXE on Starbucks ($4,000)
OS command injection on Starbucks ($4,000)
Information disclosure on HackerOne ($1,000)
SSRF in Python (IBB) ($500)
XSS on WordPress ($350)
See more writeups on The list of bug bounty writeups.
Tools
CSVPretty: Pretty print csv files
Gplaycli: Google Play Downloader via Command line
Projectdiscovery.io & Reconnaissance – The way it should be: Automated asset recon and monitoring solution
Automated-Scanner: Trying to make automated recon for bug bounties
Rsdl: Subdomain Scan With Ping Method
HostInjector: Multithreaded Host Header Redirection Scanner
Diggy: Extract endpoints from apk files
Monitorizer: The ultimate subdomain monitorization framework
tfsec: Static analysis powered security scanner for your Terraform code
Recon tools: Bash script to automate running subdomain enumeration, screenshots and directory enumeration tools
SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands
Misc. pentest & bug bounty resources
WP-XSS-Admin-Funcs: JavaScript functions intended to be used as an XSS payload against a WordPress admin account
Notes for @thecybermentor’s Beginner Network Pentesting Course
New on Web Security Academy: Cross-origin resource sharing (CORS)
Challenges
Articles
Modern Wireless Tradecraft Pt III — Management Frame Access Control Lists (MFACLs) & Pt II — MANA and Known Beacon Attacks
News
Bug bounty & Pentest news
Sounds like AWS fixed @albinowax’s HTTP request smuggling issues in ALBs on Monday
If you need a primer on the Coalfire Pentester situation, read this.
Supporting the Source: Why HackerOne is Upgrading its Free Tools for Open Source
Great news: AutoChrome is back to a working state, thanks to Marmelatze’s work
Reports
IoT security: Bug bounties a vital last line of defense, academic study suggests
Healthcare security report: Organizations face ‘uphill battle’ against cybercriminals
Vulnerabilities
Just-Released Checkra1n iPhone Jailbreak Stirs Security Concerns
Popular Android phones can be tricked into snooping on their owners
[CVE-2019-11931: A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user]
Breaches & Attacks
Spam campaign uses ‘double-loaded’ ZIP to smuggle malware onto Windows devices
Breach affecting 1 million was caught only after hacker maxed out target’s storage
Other news
Non technical
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2019 to 11/15/2019.
Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti. Curated by Pentester Land & Sponsored by Intigriti