Hi! I hope you are well!
Welcome to the new issue of the BBRE Newsletter🔥. This time, again, it's the premium version that you received for free!
Here's what I prepared for you today:
- DNS takeover vulnerability
- Browsing files from your VPS using Visual Studio Code
- Should you stop using alert() in XSS?
- Collaborating in bounties
- The book of secret knowledge
- Examples of dangerous code in Java, .NET, PHP and Ruby
- How to identify an unknown secret?
- Why you should fail more?
$20,000 RCE in GitLab via 0day in exiftool
If you haven't yet watched my video from last week, please watch it or add it to the "Watch Later" playlist. In my opinion, it's a really cool bug!
https://youtu.be/YYLqzj5-N7w
DNS takeover vulnerability
Standard subdomain takeovers are done using dangling CNAME records. This type of vulnerability is so popular that it's highly automated by now. However, it's not the only type of subdomain takeover. There's also a subdomain takeover that relies on leftover NS records, which some call DNS takeover.
Let me give you a quick example of how this works. For the domain bountyexplained.com (I use it mostly for hosting labs for training) I have the following setup:
In the Namecheap DNS configuration, I point the NS records of the domain to DigitalOcean's nameservers.
Because of that, whenever Namecheap's DNS is asked about the bountyexplained.com domain, it tells the person querying it to go and query DigitalOcean's DNS servers, because that is where the authoritative records are.
Then, in DigitalOcean, I have A records for that domain with my IP addresses.
My domain would be vulnerable to DNS takeover if I deleted the domain in DigitalOcean but left the NS records in Namecheap pointing to DigitalOcean.
An attacker would know that because a query for this domain would return a SERVFAIL status while the domain would still have NS records pointing to DigitalOcean's servers.
Then, any DigitalOcean user can go and create the domain bountyexplained.com in DigitalOcean and set arbitrary A records with their IP addresses, taking over the domain and its subdomains.
I actually did that. On my primary DigitalOcean account, I removed my bountyexplained.com domain. Then, from my second account, I could add it and set arbitrary records. I didn't have to confirm that I own it in any way.
With some service providers, even with such a misconfiguration, the vulnerability is not exploitable. However, DigitalOcean is one of the vulnerable ones. How do you know which service providers are potentially vulnerable and which ones are secure?
Indiana Json created the repo can-i-take-over-dns, inspired by EdOverflow's can-i-take-over-xyz.
There you can find which providers are vulnerable, which nameservers they use, and instructions on how to claim a domain if it is vulnerable.
Here's the link to the repo: https://github.com/indianajson/can-i-take-over-dns
And here's a more detailed article about DNS takeover:
https://0xpatrik.com/subdomain-takeover-ns/
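To make the check concrete, here is a small zone audit that implements the condition described above: the parent zone still delegates the domain via NS records to a provider known to skip ownership checks, while the delegated servers no longer serve the zone (the SERVFAIL symptom). This is an added example, not the newsletter's or the can-i-take-over-dns project's own code. The two callables parent_ns and resolve are assumptions: for real use you would back them with a DNS library such as dnspython (ask the TLD servers for the delegation, then the delegated servers for the zone's SOA); here they are fed constructed data so the script runs offline. The provider table only contains DigitalOcean, the case the newsletter demonstrated.

```python
"""Audit a domain for the dangling-NS condition behind a DNS takeover (added example)."""
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class DnsAnswer(NamedTuple):
    status: str               # e.g. "NOERROR", "NXDOMAIN", "SERVFAIL"
    records: Tuple[str, ...]  # rdata strings, empty when the query failed


# Nameserver suffixes of providers that let any customer add a zone delegated
# to them without proving ownership. DigitalOcean is the case demonstrated in
# the newsletter; extend this from can-i-take-over-dns for other providers.
NO_OWNERSHIP_CHECK: Dict[str, str] = {
    "digitalocean.com": "DigitalOcean",
}


def provider_for(nameservers: List[str]) -> Optional[str]:
    """Map the NS hostnames of a delegation to a provider from the table above."""
    for ns in nameservers:
        host = ns.rstrip(".").lower()
        for suffix, name in NO_OWNERSHIP_CHECK.items():
            if host == suffix or host.endswith("." + suffix):
                return name
    return None


def audit_zone(domain: str,
               parent_ns: Callable[[str], List[str]],
               resolve: Callable[[str, str], DnsAnswer]) -> Tuple[str, str]:
    """Classify a domain as ok / suspicious / vulnerable / no-delegation.

    parent_ns(domain)  -> NS records the parent zone still publishes for it
    resolve(domain, t) -> answer a recursive resolver gives for record type t
    """
    name = domain.rstrip(".").lower() + "."
    delegation = parent_ns(name)
    if not delegation:
        return "no-delegation", "parent zone publishes no NS records for this name"
    # A resolver answers SERVFAIL when the delegated servers refuse or do not
    # know the zone, which is exactly the state after the zone was deleted
    # at the provider while the delegation stayed behind.
    answer = resolve(name, "SOA")
    if answer.status == "SERVFAIL":
        provider = provider_for(delegation)
        if provider:
            return "vulnerable", (f"delegated to {provider} ({', '.join(delegation)}) "
                                  "but the zone is not served there")
        return "suspicious", ("delegated servers do not serve the zone; check whether "
                              "that provider verifies ownership before allowing a claim")
    return "ok", f"zone is served by {', '.join(delegation)}"


# --- constructed offline data standing in for real DNS lookups -------------
DEMO_DELEGATIONS: Dict[str, Tuple[str, ...]] = {
    "dangling.example.": ("ns1.digitalocean.com.", "ns2.digitalocean.com.", "ns3.digitalocean.com."),
    "healthy.example.": ("ns1.digitalocean.com.", "ns2.digitalocean.com.", "ns3.digitalocean.com."),
    "unknown-host.example.": ("ns1.some-other-dns.example.",),
}
DEMO_ANSWERS: Dict[str, DnsAnswer] = {
    "dangling.example.": DnsAnswer("SERVFAIL", ()),          # zone deleted at provider
    "healthy.example.": DnsAnswer("NOERROR", (
        "ns1.digitalocean.com. hostmaster.healthy.example. 1 3600 600 1209600 300",)),
    "unknown-host.example.": DnsAnswer("SERVFAIL", ()),
}


def demo_parent_ns(domain: str) -> List[str]:
    """Constructed stand-in for querying the parent (TLD) servers for NS records."""
    return list(DEMO_DELEGATIONS.get(domain, ()))


def demo_resolve(domain: str, rrtype: str) -> DnsAnswer:
    """Constructed stand-in for a recursive resolver query."""
    return DEMO_ANSWERS.get(domain, DnsAnswer("NXDOMAIN", ()))


if __name__ == "__main__":
    for d in ("dangling.example", "healthy.example", "unknown-host.example", "nonexistent.example"):
        verdict, detail = audit_zone(d, demo_parent_ns, demo_resolve)
        print(f"{d:24} {verdict:14} {detail}")
```

Running it lists one "vulnerable" verdict (dangling.example, delegated to DigitalOcean and unserved), one "suspicious" verdict for a delegation to a provider not in the table, and "ok" for the healthy zone. As a zone owner, the fix for a "vulnerable" result is the one implied by the article: either remove the NS delegation at the registrar or re-create the zone at the provider before anyone else does.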
Speaking of DigitalOcean, if you want to create an account there, you can use my referral link to get $100 to use for 2 months. It will be more than enough for a very strong VPS.
https://m.do.co/c/cc700f81d215
Browsing files from your VPS using Visual Studio Code
Many hackers use a VPS a lot. VPS stands for virtual private server and it's basically a machine somewhere in the cloud that you control. Some benefits of using one are that you don't need to install all your hacking tools on your personal machine, and if your IP gets blocked for some reason, you just create another VPS with another IP address.
Usually, you connect to the VPS using SSH, which gives you a remote shell. You can do everything from the terminal, but in some cases, e.g. browsing code, it's better to use a graphical interface and an IDE like Visual Studio Code.
For a long time, when I wanted to open a file stored on the VPS using Visual Studio Code, I downloaded the file using scp (a tool that copies files over SSH) and then opened it from the local disk. It's not the end of the world in terms of time wasted, but it gets really messy when you then find yourself with 2 copies of the same file that are not synchronised.
The good news is that you don't have to do this. Visual Studio Code can connect straight to your VPS and you can interact with the files remotely.
First, install the extension Remote - SSH in Visual Studio Code.
Then, open its tab from the left-hand side menu and click the plus sign next to "SSH Targets".
You will be asked for the server IP and credentials. If you log in using an SSH private key, Visual Studio Code will handle that too and you won't be asked for a password.
And that's basically it. Now you open a folder and you can browse files just as if they were on your local machine. Also, if you want, you can use the terminal straight from Visual Studio Code using the window at the bottom.
It's a really handy trick for working with VPS.
Should you stop using alert() in XSS?
You say XSS, I think alert(). However, it might no longer be the ideal proof of concept for cross-site scripting.
Some malicious adverts were using alert() for social engineering from iframes on legitimate websites. Chrome made the decision that alerts will no longer work in cross-domain iframes. The change is implemented in version 92, which lands on 20th July, 2021. It happens to be... TODAY.
Exploiting XSS in a cross-domain iframe is probably not the most common XSS you find. This change doesn't impact the exploitability of any XSS. It just makes it impossible to show the proof of concept popping an alert() in the case of a cross-domain iframe.
If you keep using alert() to detect your XSSes, sooner or later you might miss some of them.
So we may want to start using a different function for PoCs. Something that will work in all contexts. If you are thinking about confirm() or prompt() - nope. These are blocked as well.
What Gareth & James from PortSwigger concluded is that the best successor to alert() is...
the print() function
Unlike in many programming languages, print() is not used to write output to the console. In JavaScript, it's used to actually print the page using a printer. It's a good replacement for alert() because you will surely notice the print dialog, even if your XSS triggers in an invisible element.
PortSwigger is also changing their labs and XSS cheat sheet to support payloads using the print() function as well as alert().
For me, as strange as it seems to not use alert() anymore, it's hard to find a reason to use alert() over print(). In the end, you can find XSSes using print() and, when you find one, you can check whether alert() works too. If it does, you can write the report with alert() in order to avoid confusion among fellow pentesters or triagers who are not up to date with the latest news in the industry. If it is an XSS in a cross-domain iframe, you will have a good justification for leaving the PoC with print().
Source: https://portswigger.net/research/alert-is-dead-long-live-print
Collaborating in bounties
Have you ever wondered whether collaborating on bounties is right for you when you are a beginner? If yes, then there's a good article by zseano. He interviewed 4 hackers from his BugBountyHunt3r platform who started collaborating together. They were able to find 25 vulnerabilities in 1 month, which to me seems like a great achievement.
The article is quite long, so I extracted the key takeaways for you.
Background of hackers
- JTCSec - a member of a cybersecurity team doing things like incident response, monitoring threat intelligence etc.; started doing bounties a year ago
- 0xblackbird - only 16 years old, with 1.5 years of experience in bounties
- HolyBugx - 8 months of experience in hacking
- YouGina - has been doing bounties occasionally for a few years now and found a valid critical, ten mediums and many lows during that time
So on average, each of them has about 1 year of bug bounty experience.
Choosing a program
They chose 3 programs with a very wide scope. The goal is to focus on them for a year and really get to know them. Even though there are 3 programs, at any one time they only focus on one of them.
This approach yields results - many of their bugs came from a website that was discovered only because they created a wordlist tailored to the target. The endpoint name was not present in any predefined list, but they came up with it based on their previous experience with the target, information disclosure bugs and the naming conventions. Really getting to know the target lets you find assets overlooked by others.
Generally, this strategy of choosing a program for a whole year is inspired by zseano's talk PUTTING YOUR MIND TO IT: BUG BOUNTIES FOR 12 MONTHS. I liked that one; I think I will rewatch it and make a summary for you here in the newsletter.
Collaboration
All of our hackers were friends before. They wanted to work together on bounties.
How do they share tasks between them? It seems there's no formal split, but naturally some of them prefer doing recon, while others would rather dig deep into manual testing. This way, thanks to their different previous experience, they complement each other's skills.
Importantly, they seem to simply enjoy working together and everyone is happy with what they do. YouGina even explicitly mentioned focusing on the things you enjoy doing the most, because it's the only way to keep your motivation.
As mentioned before, this collaboration led them to find 25+ bugs in a month, which is a great result considering their experience. Maybe it's a good idea for you to ask a friend about collaborating? 😏
If you want to read the full article, here's the source:
https://zseano.medium.com/bugbountyhunter-chats-getting-to-know-0xblackbird-yougina-jtcsec-and-holybugx-8e28259bf5e
The book of secret knowledge
This GitHub repo contains a mass of links and resources from the security world. Everything in one place. For us, the most interesting chapter is of course Hacking/Penetration Testing, and specifically:
- Pentesters arsenal tools - you will definitely find some tools here that you didn't know about
- Pentests bookmarks collection - here you will find checklists, links to other cheat sheets and many knowledge bases
- Web Training Apps and Labs (ethical hacking platforms/trainings/CTFs) - there are many more places where you can test your skills than you think!
Check out the full repo:
https://github.com/trimstray/the-book-of-secret-knowledge#hackingpenetration-testing-toc
Examples of dangerous code in Java, .NET, PHP and Ruby
If you are doing a white-box test, then it's good to know which functions in which language can be dangerous. Inon Shkedy has shared a few links to the best website with documentation in the world - Stack Overflow.
There are instructions on how to immediately spot vulnerable code in:
Source: https://twitter.com/InonShkedy/status/1413129905420840961
How to identify an unknown secret?
pywhat is a Python script that can identify what kind of string you gave it. It's useful when you find some secret in JS or in a mobile application and you don't know what you found. Of course, it won't help with completely random secrets, but it will be useful for ones with a specified format, like a Stripe API key that starts with sk_live_, etc.
You install the tool using
pip install pywhat
It can also identify YouTube videos. If you wonder what the ID on the screenshot is, it's the ID of my last video - $20,000 RCE in GitLab via 0day in exiftool metadata processing library CVE-2021-22204. Make sure you watch it if you haven't already, because it's a really cool bug.
Repo with pywhat: https://github.com/bee-san/pyWhat
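To show what "identifying by format" means in practice, here is a minimal version of the idea behind pywhat. This is an added example, not pywhat's own code, and its table of formats is a small constructed subset (Stripe sk_live_/sk_test_ keys, AWS access key IDs, GitHub tokens, Slack tokens, JWTs and YouTube video IDs) rather than pywhat's database. It goes one step beyond the newsletter's point: for the "completely random secrets" that no format matches, it falls back to a Shannon-entropy heuristic and reports long, high-entropy tokens as unrecognised candidates worth a manual look. The sample JS snippet and the key values in it are constructed (the Stripe key is a placeholder, not a real key); the YouTube ID is the one from the newsletter's video link.

```python
"""Format-based secret identification with an entropy fallback (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# (label, pattern). Patterns are a constructed subset of publicly documented
# token shapes; pywhat's own list is far larger. A capture group, when
# present, selects the part to report (e.g. the ID inside a YouTube URL).
SECRET_FORMATS: List[Tuple[str, re.Pattern]] = [
    ("Stripe live secret key", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
    ("Stripe test secret key", re.compile(r"\bsk_test_[0-9A-Za-z]{24,}\b")),
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("Slack token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b")),
    ("JWT", re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b")),
    ("YouTube video ID", re.compile(r"(?:youtu\.be/|[?&]v=)([0-9A-Za-z_-]{11})")),
]

# Any run of token-ish characters long enough to be a credential.
TOKEN_RE = re.compile(r"[0-9A-Za-z_\-]{20,}")


def identify(text: str) -> List[Tuple[str, str]]:
    """Return (label, matched_value) for every known format found in text."""
    found = []
    for label, pattern in SECRET_FORMATS:
        for m in pattern.finditer(text):
            found.append((label, m.group(m.lastindex or 0)))
    return found


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def unrecognised_high_entropy(text: str, known: List[Tuple[str, str]],
                              min_bits: float = 4.0) -> List[str]:
    """Long tokens that matched no format but look random enough to be secrets."""
    known_values = {value for _, value in known}
    out = []
    for tok in TOKEN_RE.findall(text):
        # Skip tokens that are (part of) something we already labelled.
        if any(tok in v or v in tok for v in known_values):
            continue
        if shannon_entropy(tok) >= min_bits:
            out.append(tok)
    return out


def scan(text: str) -> Dict[str, list]:
    """Combine both passes into one report."""
    known = identify(text)
    return {"recognised": known,
            "unrecognised_high_entropy": unrecognised_high_entropy(text, known)}


# Constructed sample resembling a JS bundle; none of these values are real.
SAMPLE_JS = """
const stripe = Stripe("sk_live_CONSTRUCTEDkey0123456789");   // placeholder key
const video = "https://youtu.be/YYLqzj5-N7w";
const session = "q8Zr3LmV9kTxP2bN7yWc4HdJ";                   // random-looking, unknown format
const filler = "aaaaaaaaaaaaaaaaaaaaaaaa";                     // long but low entropy
"""

if __name__ == "__main__":
    report = scan(SAMPLE_JS)
    for label, value in report["recognised"]:
        print(f"{label:30} {value}")
    for tok in report["unrecognised_high_entropy"]:
        print(f"{'unrecognised (high entropy)':30} {tok}")
```

On the sample, the Stripe key and the YouTube ID are labelled by format, the random-looking session string is reported only by the entropy fallback, and the 24-character run of "a" is ignored even though it is long enough. The 4.0-bit threshold is a starting point; lower it and you get more false positives from identifiers and hashes in minified code.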
Why you should fail more?
Mark Rober, a YouTuber with a slightly bigger audience than me (19 million subs, only 19 million more than me), ran an experiment. He gave his audience a simple coding challenge: guide a car from the start to the finish using code blocks.
This doesn't matter much though. What matters is that people randomly got one of two different versions of the game. The difference was the slightest it could be - when failing, half of them got this message: "That didn't work. Please try again".
And the other half got a message telling them they lost 5 points from the initial 200.
Points in this game are completely irrelevant, not visible anywhere, and there were no rewards and no leaderboard.
What do you think the difference in success rates between those 2 groups was? Think about it for a while. What's your guess? 0%? 5%? 10%?
Nope.
A fucking 16 percentage point difference, only because of this small tweak!
Do you know what the real reason for that was? It was the number of attempts - the first group only tried 5 times on average, while the second averaged 12 times.
Let me put it another way. The group with penalties typically failed 4 times. The one with no penalty, the more successful one, failed 11 times on average.
The takeaway - the more you try, the more you fail, but also the more you succeed. This is also backed up by Woody Allen, who says:
"80% of success is showing up"
How can we use it in our work? When you are doing a pentest or a bounty, probably no one will ask you "how many times did you not find a bug?" when you share your finding. You mustn't be afraid to fail, because that fear will lead to you trying less and less, which will really make you find fewer bugs.
You need to be aware that if you spend more time on something, you will fail more, but you will succeed more as well, and that's much more important.
I highly encourage you to watch the whole TED talk by Mark about this effect which he calls "The Super Mario Effect": https://www.youtube.com/watch?v=9vJRopau0g0&ab_channel=TEDxTalks
I hope you find this newsletter helpful. If you did, choose one friend who may also like it and please recommend my newsletter to them. We'll meet here in the newsletter in 2 weeks.
Best,
Grzegorz Niedziela
Bug Bounty Reports Explained
PS. You can reply to this email with feedback on what you think of this newsletter.