Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 14 to 21 of June.

Our favorite 5 hacking items

1. Video of the week

Oh my! We’re really spoilt this week between this video tutorial with @tomnomnom and @nahamsec’s recon tips video (see below).

@tomnomnom shares so many tips that are worthy to discover whether your are a beginner or seasoned bug hunter. This includes the tools he uses for recon (including custom ones like assetfinder and html-tool), BASH basics, how to manually search for secrets in Git repos, how to use (and exit) VIM and a lot more.

This is a must watch if you’re into Web app security!

2. Writeup of the week

@jon_bottarini shares here a technique that allowed multiple times to access unreleased beta and admin features (i.e. escalate his privileges).

The idea is that if you see the server always returning some “false” value, you can use Burp Suite’s match and replace rule to change the server’s response body from “false” to “true”. Sometimes this triggers client-side code that was hidden or unaccesible.

Similarly, you can replace "userlevel":READONLY with "userlevel":ADMIN , or "subscriptionlevel":"BASIC" with "subscriptionlevel":"PROFESSIONAL" .

Pretty straightforward. Must try now!

3. Resource of the week

This is a remarkable Twitter feed initiated by @intigriti who asked hackers to share their best bug bounty tip. A lot of people chimed in. Here are some of my favorite responses:

“Create daily diffs of JavaScript files to find new features, endpoints and keep an eye on endpoints that disappear but still work, they might conflict with the future design of the product and induce a vulnerability.”

“Sometimes your target asks you to pay to access an account/premium features. If they use services like “Stripe”, try paying with “test cards” and check if you can have a premium account/features, for free!”

“Change the host header to “localhost”, its IPv4/IPv6 equivalents or even better the internal IP of the server!” and “if you get a 403 with that, adding X-Fowarded-For:localhost might do the trick! :)”

“If http://bugbountytarget.com does not verify e-mail addresses, try signing up with a @bugbountytarget.com email address! You may get access to special features or discounts!”

4. Tool of the week

If you’re currently doing your recon manually, this will be a very handy tool. It’s a wrapper around many staple tools and looks like a good basis to build upon and customize to your own needs.

I already have a custom recon tool. But regular readers of this newsletter know by now that I lo-o-ove going through repos like this one. I look for any good ideas that can be replicated and improve my own scripts.

5. Tutorial of the week

Bookmark this one. It will be really helpful if you need to direct all (and only) your Burp traffic through a remote VPN.

This is a little more complicated than running a VPN on your local machine, but sometimes you don’t have a choice. Bug bounty program and pentest client can require that you use a remote VPN.

So check out this awesomly detailed guide. You will need PuTTY, OpenVPN, one VPS or two (if you have a dynamic IP) and the Switchy Omega browser extension.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

SUE2019 - Entering NIPRNET: SSRF, cloud attacks & case study on abusing jira to gain internal network access on the US DoD (by @Alyssa_Herrera)

How To Frida Good

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Redirector: Online open redirect / SSRF payload generator

Droidstatx: Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment.

Konan: Advanced Web Application Dir Scanner

Prithvi: Report Generation Tool

T1tl3: A simple python script which can check HTTP status of branch of URLs/Subdomains and grab URLs/Subdomain title

Detect-techs.py: A simple tool written in python3 used to read a list of websites and enumerate Wordpress sites, you can change Wordpress to any other technology and use it

EnumUserInFiles.sh: Script for searching usernames in files (nearly all filesystem) for getting sensitive files

0xsp-Mongoose: Privilege Escalation Enumeration Toolkit (ELF 64/32 ) , fast , intelligent enumeration with Web API integration

Constole: Scan for and exploit Consul agents

Sliver: A general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), & DNS

Slackor & Introduction: A Golang implant that uses Slack as a command and control server

Misc. pentest & bug bounty resources

Articles

News

Bug bounty news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/14/2019 to 06/21/2019

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…