Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 13 to 20 of September.

Our favorite 5 hacking items

1. Tutorial of the week

This tutorial explains how to find IDORs that are less obvious than just incrementing an ID. The techniques mentioned can be very helpful especially in the context of bug bounty.

Some of them are testing encoded & hashed IDs, adding an ID to the request even if the app didn’t ask for it, changing the request method, etc.

Also, IDOR and self-XSS combined can lead to stored XSS, increasing the impact of the IDOR.

2. Writeup of the week

@YoKoAcc, @JRs_Faisal and Tomi teamed up and found a whole bunch of bugs on a private program. They share multiple writeups that each explains different bugs.

This one is interesting because of the weird race condition. Here are my main takeaways:

They couldn’t find any flaws in the main file upload functionality. But the file edit functionality allowed them to change already uploaded files to any extension (including PHP!). Nice way to get unrestricted file upload…

So they could upload Web shells, but didn’t get RCE because uploaded files were moved to AWS after 2 seconds! And here is the weird part: for some reason, the request that modified the uploaded file was vulnerable to a race condition. By sending multiple requests, the server returned the file’s location (before it is moved to AWS). So in the short window where the file was still on the server, they got a reverse shell by requesting the file in a browser.

Not sure why this is happening, but it’s interesting to see a race condition help get RCE via file upload!

3. Tool of the week

Most tools that help with XSS detection are limited because they rely on server response reflection.

Tracy tries to go further by helping you identify sources of input and their corresponding outputs (or sinks). You can trace risky input throughout the DOM, even in apps that use a lot of JavaScript. This helps detect harder-to-find XSS types like DOM XSS.

The only other tool I’ve seen efficiently help with this was DOMinator Pro, but it was commercial and I can’t find it online anymore. So it is awesome to have a free open source alternative!

4. Non technical item of the week

I really enjoyed reading this article. After 2 months of bug hunting, @Unknownuser1806 shares 6 problems he faced and how he solved them.

They revolve around productivity and mental health. I feel that we can easily lose sight of these topics when we get engrossed in hacking. Burnout is never that far… So the refresher is great! It’s also nice to see the specific tools a fellow bug hunter found helpful: Engross App, Habitica, Evernote/Diary, Morning habits, meditation & exercise.

5. Tips of the week

There’s not much to comment here, the tips are self-explanatory.

I’ve never encountered these ideas before and think they’re worth adding to any Web testing methodology!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Pixload: Image Payload Creating/Injecting tools

Bass: A tool that combines valid DNS resolvers from various DNS Providers of your target and generates a maximum final list of DNS resolvers. Add anywhere from 100-4k resolvers to your ‘resolver.txt’ (TL;DR)

Docem: Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)

Curryfinger & Introduction: A Go tool for finding the server behind popular CDNs through SNI & Host header spoofing

Dupe Key Injector: A Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at BSides/BlackHat/DEFCON 2019 “SSO Wars: The Token Menace” presentation

G-Calendar-Audit: A Python script to check for public Google calendars

Lockdoor Pentesting Framework: A Penetration Testing framework with Cyber Security Resources

Dnmasscan: A script that can resolve an input file of domains & scan them with masscan

EZDomain: Python script for subdomain, file, directory & S3 bucket bruteforce

Dr Robot: A tool for Domain Reconnaissance and Enumeration

Dolos Cloak: Automated 802.1x Bypass

Cryptbreaker & Introduction: A cloud-backed password cracking and assessment tool

Misc. pentest & bug bounty resources

Challenges

Articles & Papers

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/13/2019 to 09/20/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…