Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 20 to 27 of September.

Our favorite 5 hacking items

1. Slide/Tool of the week

I hope this talk’s video will be released soon. But even without it, this presentation is very helpful in understanding what to look for in JavaScript files, existing tools for automation, and what can/cannot be automated.

Techniques mentioned include endpoint discovery, reversing source maps, technology fingerprinting, detecting sources and sinks, detecting ReDoS, detecting secrets, detecting vulnerable third-party components, etc.

As a bonus, LewisArdern provides MetaSec.js, a wrapper around several open source tools to automate JS file analysis.

2. Writeup of the week

This is an SSTI writeup. Detection was pretty straightforward: @err0rrrrr injected {{7*7}}{{7*7}} as a comment and received an email notification containing 4949 .

The interesting part is that exploitation was hindered by some kind of blacklisting. He could bypass it by bruteforcing local variable names using this custom wordlist. That’s worth adding to Burp to help with stubborn SSTIs!

3. Article of the week

This is an excellent article on automation using Burp and Aquatone.

The novel idea is to use visual identification, not for checking subdomains, but when you’re testing a large Web app. When you’re limited on time as a pentester, you want to quickly assess a lot of URLs to cover the maximum surface.

@ryanwendel explains how he gets a list of URLs from Burp’s proxy history, and passes them to Aquatone to take screenshots. If authentication is required, he makes Aquatone use Burp as a proxy, and leverages Session Handling rules to maintain an authenticated state. So handy!

4. Resource of the week

This is the most comprehensive XSS cheatsheet I’ve seen.

What is also unique about it, apart from the number of payloads, is that it is interactive. You can filter payloads by tag, event handler and browser.

It also features entirely new XSS payloads that @garethheyes found and presented at Global AppSec 2019. The talk wasn’t recorded but the slides are available: XSS Magic tricks.

All this should be really helpful with HTML filter and WAF bypass.

5. Video of the week

If you’re a fan of @Yaworsk, his books “Real-World Bug Hunting: A Field Guide to Web Hacking” and Web Hacking 101, or his Youtube channel, then you will love this video!

For, once he is the interviewee not the interviewer. The discussion starts at 1h55m00s and covers many topics: Peter’s way of doing recon, his testing methodology, his areas of improvements, how he does JS analysis, why he doesn’t set Burp scope to only the target app, burnout and way more.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Mongo-objectid-predict: Predict Mongo ObjectIds to exploit IDORs

Keyhacks.sh: No matter what tool you use to find secrets in Github, this Bash script will help test your findings

Secret-bridge, Introduction & TOOLS.md: Monitors Github for leaked secrets

Shhgit Live: Live stream of shhgit (Github monitoring tool) in action

WaybackRust: A tool written in Rust to query the WaybackMachine

Andromeda: Interactive Reverse Engineering Tool for Android Applications

CredNijna: A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB

Thetick: A simple embedded Linux backdoor

Navi: An interactive cheatsheet tool for the command-line

SKA: Simple Karma Attack

nmapAutomator: A script that you can run in the background!

SearchOpenFileShares & Introduction: Searches open files shares for potentially sensitive information (password files, database backups, etc)

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/20/2019 to 09/27/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…