Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from September 6 to 13.

Our favorite 5 hacking items

1. Video of the week

Watch @uraniumhacker hack a fake university for 2 hours. The vulnerable subdomains (and ports) don’t seem to be up anymore, but it’s an excellent walkthrough on hacking Web apps and APIs.

@uraniumhacker explains his methodology, what to look for at each step, how to exploit bugs like SSRF on Jira, IDOR, RCE, how to take notes with screenshots and proofs during the whole pentest process, etc.

2. Writeup of the week

This is a great walkthrough of a blind XSS found in a file upload functionality. It is really well-written and encompasses many interesting takeaways:

The file upload functionality had only client-side validation. It was possible to upload files with arbitrary extensions by modifying the upload request in Burp.

The server returned a 500 error, but it was misleading: the file was listed as uploaded anyway, so a tester who stops at the status code would have missed the bug.

@HackerOn2Wheels uploaded an HTML file that included a blind XSS payload (using XSS Hunter). When the payload fired, it proved that uploaded files were stored and served from the application's origin and rendered by the browser, i.e. a stored XSS. Combined with the missing server-side extension check, the same upload path would accept a server-side script or executable, which is the usual route to a reverse shell. So the blind XSS was the proof that made the potential RCE credible.

Explaining this bug’s impact was instrumental in convincing triage to fix the bug and getting a good bounty. Risk isn’t always so obvious!

3. Article of the week

Adam Leos found a bug in LinkedIn that lets a free account retrieve more search results than the UI normally shows. The API returns more data than the front end displays, so querying it directly bypasses the limit the interface enforces.

LinkedIn hasn’t fixed this, so the technique and extension Adam provides could be very helpful for OSINT and recon.

4. Resource of the week

OWASP released the API Security Top 10 Release Candidate. The final version will not be available before September 26, but everyone is welcome to share any feedback or even disagreement before the official version is released. Also, pentesters might want to start adapting their report templates or checklists.

The two documents you want to read are the Top 10 PDF and the presentation slides.

Among the 10 categories, some overlap with the OWASP Top 10 2017. Others are specific to APIs, such as Mass Assignment, Improper Assets Management and Lack of Resources & Rate Limiting.
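Mass Assignment is the API-specific category that is easiest to miss in a review, so here is an added example written for this issue (not code from the OWASP document): an update handler that binds every field of the request body to the stored record, beside one that only accepts an allowlist of client-writable fields. The user record, request body and field names are constructed.

```javascript
// Added example (not from the OWASP API Security Top 10 document). Node.js.

// Constructed stored record for PUT /users/42.
const user = { id: 42, email: 'alice@example.com', role: 'user' };

// Constructed request body: the client added a property the form never
// exposes. Frameworks that bind JSON straight onto the model accept it.
const body = { email: 'alice@newmail.example', role: 'admin' };

// Vulnerable: every key in the payload is copied onto the record,
// privilege fields included.
function vulnerableUpdate(record, payload) {
  return Object.assign({}, record, payload);
}

// Hardened: only fields the client is allowed to change are bound; anything
// else is reported so the API can reject the request or log the attempt.
const WRITABLE = new Set(['email', 'displayName']);

function hardenedUpdate(record, payload) {
  const updated = { ...record };
  const rejected = [];
  for (const [key, value] of Object.entries(payload)) {
    if (WRITABLE.has(key)) {
      updated[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

console.log(vulnerableUpdate(user, body).role); // 'admin'
console.log(hardenedUpdate(user, body));        // role stays 'user', rejected: ['role']
```

When testing, diff the object an endpoint returns against the fields the UI lets you edit; any extra property is a candidate for this bug.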

5. Tutorial of the week

This is a short introduction to JSON Web Tokens (JWT), how they compare to cookies, and how you can exploit an XSS to steal them.

This is basic stuff, but it could be helpful for beginner pentesters/bug hunters who are short on time and want to quickly learn a practical way of increasing XSS impact.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

shhgit: Find secrets & sensitive files across GitHub code & Gists committed in near real time by listening to the GitHub Events API

PyScripter-er: A framework built on top of Burp’s Python Scripter extension

Jsearch: A Python script that greps info from javascript files (like AWS endpoints, api URLs…)

Kicks3: S3 bucket finder (from HTML and JS) and bucket misconfiguration testing tool

XSS-flare: XSS hunter on cloudflare serverless workers

Enumeration-Script: Bash Enumeration Script

Social Mapper: A Social Media Mapping Tool that correlates profiles via facial recognition

fileGPS: A tool that helps you guess how your shell was renamed after the file uploader's server-side script saved it

SharpSniper: Find specific users in active directory via their username and logon IP address

Sepriv: Tool to manage user & process privileges

BOtB: A container analysis and exploitation tool for pentesters and engineers

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/06/2019 to 09/13/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…