shubs
2,201 posts
shubs
@infosec_au
Co-founder, security researcher. Building an attack surface management platform, @assetnote
halcyon
assetnote.io
Joined August 2013
1,948 Following
58.4K Followers
  • shubs
    @infosec_au
    Apr 19, 2022
    Yay, I was awarded $135,750 on @Hacker0x01 #TogetherWeHitHarder
  • shubs
    @infosec_au
    Apr 9, 2022
    1/10 - I've been doing offensive security source code review for a long time now, and along the way I've learnt a lot of lessons that can make you more effective. Some of them include:
  • shubs
    @infosec_au
    Oct 10, 2020
    Image
  • shubs
    @infosec_au
    Mar 17, 2022
    Yay, I was awarded $73,500 on @Hacker0x01 #TogetherWeHitHarder
  • shubs
    @infosec_au
    Nov 18, 2020
    Good wordlists are so important when discovering content on an asset. At @assetnote, we've built a wordlists site that updates itself on a monthly basis. For added value, we've included some of our best wordlists that we've manually collected too.
    Assetnote Wordlists
    From wordlists.assetnote.io
  • shubs
    @infosec_au
    Jun 11, 2022
    You can bypass Akamai WAF's XXE filters by HTML encoding the SYSTEM entity within a payload like this: <!DOCTYPE foo [<!ENTITY % a "&#x3c;&#x21; ... omitted ... neat trick! used this today.
  • shubs
    @infosec_au
    Nov 21, 2020
    I've just added an API routes wordlist containing 953011 possible API paths from the HTTPArchive dataset. Download it at wordlists.assetnote.io - all paths which start with "/api/", "/v1/", "/v2", or "/rest/". Good luck hacking! Thanks for requesting this, hope it helps.
    Assetnote Wordlists
    From wordlists.assetnote.io
  • shubs
    @infosec_au
    Nov 26, 2022
    I just published a blog post for the people that want to get into bug bounties. I hope it helps people that are thinking about doing bug bounties, but haven't started yet. It explains what to expect and how to deal with common problems / situations:
    shubs.io
    So, you want to get into bug bounties?
    I've been doing bug bounties for over 10 years now and over time, I have grown fonder of the life changing effects it has had for me. From job prospects, to being able to financially support those...
  • shubs
    @infosec_au
    Dec 20, 2020
    Why I love hacking IIS servers:
    - Case insensitive, amazing for content discovery
    - IIS Shortname
    - VIEWSTATE deserialization RCE gadget
    - Web.config upload tricks
    - Debug mode w/ detailed stack traces and full path
    - Debugging scripts often deployed (ELMAH, Trace)
    - Telerik RCE
  • shubs
    @infosec_au
    Jun 5, 2025
    IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue:
    GitHub - assetnote/newtowner: Abuse trust-boundaries to bypass firewalls and network controls
    From github.com
  • shubs
    @infosec_au
    Jan 29, 2022
    I will be releasing a number of videos that go through my bug bounty reports in a redacted manner. I believe in transparency, and the videos are going to shine an honest light into what I have reported. It’s mostly aimed at beginners, but the reports get complex over time.
  • shubs
    @infosec_au
    Jul 11, 2023
    The security research team at @assetnote discovered a pre-authentication RCE vulnerability through a cryptographic flaw in Citrix ShareFile. It's been assigned CVE-2023-24489. You can read the technical blog post here: blog.assetnote.io/2023/07/04/cit…
  • shubs
    @infosec_au
    Jul 11, 2024
    Our security researcher @hash_kitten found one of the most critical exploit chains in the history of @assetnote. Affecting 40k+ instances of ServiceNow, we could execute arbitrary code, access all data without authentication. You can read our blog here: assetnote.io/resources/rese…
  • shubs
    @infosec_au
    Dec 26, 2021
    Damn. This is really cool. Achieving RCE via LFI using Nginx as a way to upload a temporary file, even when PHP is hardened so other techniques will fail - bierbaumer.net/security/php-l…