MonkeHacks #15

Official Caido Plugin System, Hacker Hideout, Cross-Site Leak Ideas

I arrived safely in The Hague, and the weather was really nice this week. I spent quite a lot of time in cafes, doing bug bounty. On Saturday I attended Hacker Hideout, a small meetup of some European hackers in Utrecht. I met some cool hackers like PinkDraconian and Floerer. All in all, a very chill day. We hacked on some Intigriti targets, had pizza, and went for drinks afterwards. The weather was pretty nice - sunny but not too hot.

I went bouldering with a friend. I’d recommend bouldering as a hobby, it’s good exercise and the various climbing routes have different difficulty grades, so it’s pretty addictive.

This week’s issue is a bit short, as I’ve been stuck for time. I’ll do my best to make next week’s issue extra useful. I have a growing stockpile of interesting vulnerabilities that I can’t write about yet, so I’ll see what gets fixed in the coming week.

Utrecht’s canals. Hacker Hideout was held here.

100-Hour Challenge Updates

Here are this week’s statistics:

  • ⌛️ Hours This Week: 0

  • ⏳️ Hours Left: 41

  • 🗞️ Total Reports (All-Time): 3

  • ✅ Total Triages (All-Time): 3

  • ✨ New Triages (This Week): 0

  • 💸 Bounties: $25533

No update in this regard, sadly. I was very busy with various things, having just returned from Japan, so I didn’t really have time to hack on this target this week. In June I’ll pick this back up.

It was, nonetheless, an active week of hacking. I reported two vulnerabilities with doomerhunter, and one vulnerability on Intigriti as part of Hacker Hideout.

Weekly Ideas / Notes 

  • Caido v0.37.0 - this version adds some awesome features.

    • A dedicated plugin system!

    • Automate Preprocessors: You can now apply transformations such as base64 encoding to Automate payloads (Automate is Caido’s equivalent of Burp Intruder, if you’ve forgotten). This is really cool: if you need to fuzz a parameter whose value is base64 encoded, you can use a preprocessor to encode each payload before it is sent.

    • New convert workflows for JSON minification, prettifying, trims, and joins.

  • James Kettle and Orange Tsai have some very promising talks coming up this August at Def Con and Blackhat. Orange Tsai is presenting research on the Apache HTTP Server, and James Kettle is presenting his work on practical web timing attacks. Both of these talks are going to be mind-blowing.

  • Burp Suite is starting to innovate again after seeing the very real threat from Caido. They’ve hinted at implementing a selective forwarding feature, which Caido implemented first as a competitive differentiator.

  • As a more general idea, I wonder if you can use caching behaviour as a cross-site leak to fingerprint, from another origin, sites you can’t access directly. For example, if XS-leaks show that /abc and /abc.json return similar responses/data, that’s indicative of a Ruby on Rails site.

  • On this note, I bet there are a ton of unique cross-site leak techniques that are target-specific - for example, particular uses of features like postMessage may disclose information between origins, but this may be so target-specific that there’s no existing research on this idea.

Resources