Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 16 to 23 of August.

Our favorite 5 hacking items

1. Article of the week

This article is an analysis of publicly disclosed SSRF writeups.

@vickieli7 curated 76 unique reports, then read each one and categorized them following criteria like: vulnerable feature, presence of SSRF protection, criticality/impact, type of fix implemented…

She gives interesting statistics on each category. For example, 27 of the 76 bugs affected an image/file upload feature.

I love this idea of studying a vulnerability class by producing statistics based on specific criteria. This can be scaled to include other bug types and more writeups.

It’s also a great idea to look for bypasses each time you read a writeup. This is what allowed @vickieli7 to find one bug while learning about SSRF!

2. Writeup of the week

The chain of bugs described in this writeup are simple but critical. File/directory bruteforce revealed a Trace.axd file that redirected to a login page.

Trace.axd is ASP.NET’s trace feature that helps developers debug the app.

Tests credentials worked and gave @arinerron access to a lot of sensitive information through that debug page: tokens, passwords, new endpoints… One of them was vulnerable to SQL injection.

An interesting idea to keep in mind if you find a SSRF on an ASP.NET app, is to look for Trace.axd to escalate it.

3. Tool of the week

This is such a useful Burp extension! It’s easy to install/use, and allows you to manage a list of URLs marked as “analyzed” or “not analyzed”.

You may already be using lists of endpoints during tests to keep up with large scopes, but now you can do it directly from Burp. It allows you to highlight requests, retrieve URLs from other Burp tabs, send requests you want to analyze to Burp repeater, import/export state files…

The only downside I see is that the import/export function makes my Burp freeze. I need more RAM but the other functionalities work fine.

4. Tutorial of the week

This tutorial explains why JSON CSRF is harder to exploit than CSRF: You can’t send JSON Content-Type using an HTML form. You need AJAX which can be blocked by CORS.

So to exploit JSON CSRF, you either need to bypass CORS or one of the two techniques presented here: Change the request’s Content-Type from Content-Type: application/json to Content-Type: text/plain or to Content-Type: application/x-www-form-urlencoded .

If one of these is accepted by the server, they allow you to exploit the CSRF by creating an HTML form, bypassing the previous limitation.

5. Non technical item of the week

I would have loved to have this study years ago when I was negotiating (rather begging for) remote work with my previous employers. Home office is one of the reasons that pushed me towards self-employment.

If you’re in a similar situation, the results could help you convince management. It basically says that “If an employee has a strong track record and can do most of their work independently, research shows that allowing them to work from anywhere would benefit both the individual and organization”.

Also, the study distinguishes between Work From Anywhere (WFA, meaning geographic flexibility) and Work from Home (WFH). The first gives more flexibility and people who transitioned from WFH to WFA had their productivity increase by 4.4%!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Misc. pentest & bug bounty resources

Articles

News

Bug bounty & Pentest news

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/16/2019 to 08/23/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…