Hacker TL;DR

• Ep.53 - Blind XSS techniques: NahamSec shares valuable insights on Blind XSS, including his custom infrastructure setup, which features an XSS Hunter JavaScript payload and a PHP payload parser. He also delves into a .htaccess configuration that captures all the necessary information for hunting XSS vulnerabilities. Additionally, he outlines his methodology for identifying Blind XSS, providing a bunch of useful, actionable tips along the way. Writeups below.

• Ep. 59 Useful Gadgets When Hunting: In this episode, the team highlights 13 essential gadgets they rely on during bug hunting. They explain how these gadgets work individually and how they can be effectively chained together for maximum impact. Check out the writeups below.

• Ep.65 - Secondary Context Bugs: Modern applications often need to integrate with APIs of the same origin. Instead of sending requests directly from the client, they use routes such as https://example.com/api to communicate with backend APIs. Issues arise when unexpected user input is passed through these routes to interact with the API. This episode unpacks the vulnerabilities that can emerge from these scenarios; check out the full write-up for a detailed explanation.

• Ep. 69 - Browser Behaviour Gadget: The onhashchange event can be triggered cross-origin if you know the full path of the target page. By using window.open with the full path and a modified hash, such as window.open("<https://site.com/full/path#wecanchangethis>", "targetWindow"), attackers can manipulate behaviour. This episode explores how this technique can be applied effectively.

• Ep. 81 - DevTools and Testing Tips: Leveraging breakpoints in DevTools can greatly improve your understanding of JavaScript behaviour on a target application. This episode is packed with practical tips and techniques for using DevTools to enhance your testing and debugging workflows.

• Ep. 86 - X-Correlation Injection: Correlation headers like X-Request-ID or X-Correlation-ID are more than just debugging aids. They can introduce vulnerabilities by interacting with various contexts in an application, such as CI pipelines or internal logging systems. This episode sheds light on how these headers can expand the attack surface and become valuable targets for exploitation.

• Ep. 91 - Bug Classes and Approaching a Target: Approaching a target and deciding which bug classes to focus on can be challenging. This episode provides actionable tips on selecting bug classes, generating attack vector ideas, and developing an effective strategy for tackling a target. For more details, check out the full write-up.

• Ep. 93 - Peripheral scopes: Jonathan shares his approach to expanding his attack surface by targeting peripheral scopes, particularly mobile applications. This episode provides tips on leveraging these additional scopes effectively while minimizing workflow friction. This one was a banger.

• Ep. 99 - A different kind of episode: In this unique episode, Justin and Roni discuss how they would earn their first $100K within a year if they had to start over without any prior hacking knowledge. If you’re newer to hunting, this one will be one to check out.

We’ve got a bit of a different drop for ya’ll to summarise (and celebrate) some of our best moments of 2024! We’ve tried to summarise the juicy bits from each episode but as always, make sure to check out the full writeups.

Enjoy!

Best Moments of 2024

Ep.53 - Blind XSS techniques: NahamSec shares some nuggets of wisdom ranging from his own custom infrastructure setup, involving a XSS Hunter JS payload and PHP payload parser. Alongside this, he covers a .htaccess configuration which allows him to catch all required information needed to hunt down the XSS. Not only that, his methodology he uses when hunting BXSS is also covered. Dive into the expertise he shares to up your blind XSS game. Here is a snip of how he covers tracking blind XSS payloads:

• Tracking Blind XSS execution:

  • Ben uses a customized version of XSSHunter tailored to his workflow:

    • Operates on a dedicated domain specifically for blind XSS.

    • Hosts XSSHunter's JavaScript payload but without the XSSHunter backend.

    • Integrates a custom PHP backend (developed with the help of ChatGPT) to handle tracking of the payload.

• Payload infrastructure:

  • A .htaccess file is configured to redirect all paths to the PHP file, ensuring callbacks are triggered automatically.

  • This system allows Ben to include contextual details in the callback paths for easy identification of input sources.

    • Example: Using https://domain.com/TARGET-UpdateProfile-FirstName as the src of a script tag in his payload to notate where the input originated.

Ep. 59 Useful Gadgets When Hunting: The guys detailed 13 gadgets they keep note of when hunting and how they chain them together. Some of the more notable ones below:

• LocalStorage Poisoning: Let’s say we have a gadget that takes input and stores it in local storage, then does some other action with it. If you have control of the entire input, it’s possible to open a window on that page. You can then poison the local storage cache for the page, and then race condition to close the tab or redirect the tab away with the value you have in the local storage cell remaining persistent. These types of gadgets can also prove useful in scenarios when you want to hit a specific piece of client-side logic.

• Auth gadgets: Finding places in the application where you can perform a subset of authenticated operations can prove useful in exploit scenarios, as you can take privileges required from low to none, or high to low, etc. Say you can subscribe or self-sign up in an area of an application, this would be a case of being able to modify the privileges required, and therefore the CVSS vector.

• Cookie injection: Cookie injection gadgets can be found on both the server and client side. As a gadget, this can prove to be versatile as cookies are sent with every request (depending on the cookie configuration), can often be reflected in the web application and even be a sink as well as a source.

• Context breaks: The idea here is that you can break out of a scenario or context you are meant to be in? Context breaks are quite a broadly defined gadget and require lots of additional context but check out this thread here covering some examples such as Cookie Injection, CSS Context Escaping, JavaScript String Escape and so on.

• Cookie refresh gadget: If you find a gadget that allows you to refresh the cookie, you can reset the timer on the same site lax configuration on modern browsers.

• CRLF Injection: CRLF injection, in the right context, can allow you to overwrite existing headers, and introduce new headers - It's essentially full HTTP response control in the right context. A good use case in some contexts is to overwrite secure HTTP header directives.

Ep.65 - Secondary Context Bugs: The TL;DR is modern applications usually need to integrate with other APIs but need that integration to happen on the same origin. Instead of sending requests all from the client they instead use a route (or directory) https://example.com/api to communicate with an API. Problems arise when unexpected user input is sent via the route to hit the backend API - full writeup below.

Tips for finding secondary context bugs:

• Lots of times secondary context is blind, meaning you can’t see the full HTTP response from the request

• Building out a map and understanding of how control characters modify the response. Ie a & does this behaviour and a # result in this behaviour helps identify where your input is being placed in a request

• Using special characters to cause stack traces can reveal verbose information about the underlying request, or even cause backend API keys to leak

• A good wordlist to brute force paths in a blind secondary context scenario is the Serverside variable names list in burp

• When looking at directory structure think about the following: Are they using camelcase? Any separators between words? Any unique naming conventions I can use to try and enumerate more paths?

• Try normal path traversals to determine any differences in behaviour or responses

  • Do different endpoints return different sets of headers or different content types?

• Iterate through the hex range %00 - %ff when fuzzing to uncover any characters which may not be handled properly

• Unicode characters can be used to bypass filters

• A good tool to help generate fuzz lists to use for traversals: https://github.com/0xacb/recollapse

Ep. 69 - Browser Behaviour Gadget: The onhashchange event can be triggered cross-origin if you know the full path of the target page by using a window.open with the full path set and a modified hash, ie window.open("<https://site.com/full/path#wecanchangethis>", "targetWindow")

• When looking for some CSP bypasses in a hyper-restrictive environment you want to look at things like:

  • Hijacking selectors: Often applications will bind functionality to the action of adding elements with specific classes, elements, IDs, or data attributes to the DOM. These can be leveraged as gadgets to build an exploit for your target.

  • Framework: Researching and knowing what your application is written in and the nuances of its framework (like Johan did with the Turbo) can give you more flexibility and allow you to bypass or escape the context you’re currently in.

  • Script gadgets and custom listeners: When working with frameworks sometimes the framework doesn’t offer the full functionality needed, meaning devs spin up something quickly in the background. Custom events and listeners can sometimes be used against the app as a gadget, just like the custom onhashchange event listener in GitHub above.

Ep. 81 - DevTools and Testing Tips: Using breakpoints to understand JS on a target can massively assist when building context. There are numerous types of breakpoints including:

• Regular blue breakpoint: A standard breakpoint that allows you to pause execution on a line, view the call stack etc.

• Event listener & Global listener breakpoints: Work exactly like your standard breakpoint, but can be applied on a per-event basis

• Orange conditional breakpoint: Allows you to put a statement or piece of code in the breakpoint when you edit it.

• Log points: Allows you to use code which parses code like a list of args to console.log - if you put a string and comma and a variable it, it will log the string and the variable

• XHR and fetch breakpoints: Helpful when trying to figure out what JS code originated a request - an alternative way this can be done is within the initiators

Ep. 86 - X-Correlation Injection: Correlation headers like X-Request-ID or X-Correlation-ID are more than just debugging tools. They can expand the attack surface of a target by potentially interacting with various contexts within the application, from CI pipelines to internal logging, making them prime targets for exploitation.

• Identifying potential targets

  • Look at access-control-* headers for any sign of an ID header.

  • Check all response headers from the app itself for any id or id related headers.

    • Check for a reflection of the header value from your request in the response. If it reflects, it could be a high signal lead.

• Fuzzing headers

  • Fuzz by trigger errors: Fuzzing with a range of characters which will probably break a context if the header value is being used as input somewhere. Adding random ASCII characters for example x-request-id: ' " % & > [ $ would cause problems in most contexts.

    • With these fuzz characters added to the header, perform regular testing on the site and keep a lookout for weird app behaviours and errors.

  • Fuzz blind: With blind fuzzing, we need an out-of-band trigger to know if a payload successfully detonated or not. Some ideas for out-of-band-based triggers:

    • X-request-id: blind XSS

    • X-request-id: OOB/RCE /BLIND RCE

    • X-request-id: SQL Inj with DNS

    • X-request-id: log4shell

Ep. 91 - Bug Classes and Approaching a Target: I dive into this in a lot more depth below, but a high-level overview of some approaches that can be used across targets:

• Focus on Specific Bug Classes: If you’re new to hunting and don’t have a massive base of technical knowledge across classes to tap into, hone in on one vulnerability type across a target to build expertise and increase success rates.

• Adopt Threat Modeling: Map all functionalities in their entirety and brainstorm every possible attack vector. Work through this list, add to the list and document all your gadgets and quirks to gain context on the target and perform in-depth hunting. My full approach is detailed below.

• Applied Learning: Instead of finishing 10’s of labs and taking notes just for them to sit and gather dust, combine lab practice with real-world testing on targets to reinforce concepts and gain practical experience. Have a list of targets ready that you’d like to hunt on and put the knowledge to use.

Ep. 93 - Peripheral scopes: one thing Jonathan does that effectively expands his attack surface is by leveraging peripheral scopes, particularly mobile applications. Here are a few tips on how he does it, along with tips on how to reduce friction when doing so in your workflow:

• Modify Mobile Apps for HTTPS Inspection

  • Use apk-mitm for Android Apps: Jonathan utilizes apk-mitm, a CLI tool that automatically modifies Android APK files to disable certificate pinning. This allows the interception of HTTPS traffic using Burp Suite.

  • Set Up a Jailbroken iOS Device: For iOS apps, he uses a jailbroken iPad with the checkra1n jailbreak (note: the correct spelling is "checkra1n") to bypass security restrictions and inspect app traffic.

• Prepare a Robust Testing Environment

  • Have Multiple Devices: Jonathan recommends having two jailbroken devices for each platform (iOS and Android). This ensures continuity if one device becomes unstable or bricks;a common risk when jailbreaking.

  • Maintain Cross-Platform Systems: Having both iOS and Android systems allows you to choose the easier platform to work with for a particular target, maximizing your testing efficiency. Equally, there are cases where different APIs are used for different platforms, potentially opening up additional attack surfaces.

Ep. 99 - A different kind of episode: Justin and Roni talked about how they’d make their first $100K again in one year if they had to start over without any hacking knowledge.

• The Hacker Mentality: Hacking demands continuous learning, and curiosity is important for anyone who’s getting started in hacking. Beginners and experts go through the same learning process every time they encounter something new, the only difference is that the expert has more reps going through the learning process, while the beginner will have a lot more ground to study.

• Knowledge = Creativity?: Limited technical knowledge holds beginners back. Deep understanding of technologies helps with the hacker’s creativity even when applications seem simple on the surface. The deeper we dig into each component of an application, the more likely we are to find/create ways to break it. Do not neglect the simple stuff - that’s what most people would do, and that’s where the more experienced hackers find their craziest bugs.

• Threat Modelling: This is a skill that helps prioritise and generate new attack vectors, as different businesses value risks differently. What’s critical for one company may be low-priority for another. People who are good at identifying what a company values the most have a better time hacking because they can hack with a purpose, something they want to actually achieve instead of aimlessly trying to “find a vuln”.

That’s it for this special episode! Thank you so much for being a part of this community.

And as always, keep hacking!