Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r


Guys, happy to share today that my blog is back again: https://Book.cipherops.xyz. You guys can check it and let me know your thoughts, and don't forget to leave comments.

[ XZ backdoor - CVE-2024-3094 ]
! Backdoor in upstream xz/liblzma leading to SSH server compromise !

Check:
xz --version
5.6.0 and 5.6.1 are vulnerable.

Update:
sudo apt update && sudo apt install --only-upgrade liblzma5

Summary: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
How it all started (email): https://www.openwall.com/lists/oss-security/2024/03/29/4
GitHub thread: https://web.archive.org/web/20240329223553/https://github.com/tukaani-project/xz/issues/92
Message from the Kali Linux team: https://twitter.com/kalilinux/status/1773786266074513523

The xz package, from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.

Note that (almost) all Linux distros could be affected! For example, Fedora: Red Hat warned users to immediately stop using systems running Fedora development and experimental versions: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros
News: https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor
And from CISA: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

So... JiaT75 made 750 commits in 2 years and finally backdoored XZ...
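An added host check for the post above (example code, not from the post or any of the linked sources): it parses `xz --version` output for the two backdoored release numbers, and additionally (going beyond the post) parses `ldd sshd` output to see whether sshd links liblzma, which is the exposure condition for the SSH compromise. The sample outputs are constructed; the version-string format is the one real xz prints.

```python
import re
import shutil
import subprocess

# Constructed samples (not captured from a real host) of `xz --version` and `ldd sshd` output.
SAMPLE_XZ_VULN = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_OK = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_LDD_SSHD = (
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n"
)

BACKDOORED = {"5.6.0", "5.6.1"}  # the two releases named in CVE-2024-3094


def parse_xz_version(output: str) -> dict:
    """Map component ('xz', 'liblzma') -> version string from `xz --version` output."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"^(xz|liblzma)\b.*?(\d+\.\d+\.\d+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def backdoored_components(versions: dict) -> list:
    """(component, version) pairs whose version is one of the backdoored releases."""
    return [(c, v) for c, v in sorted(versions.items()) if v in BACKDOORED]


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True when liblzma appears in sshd's shared-library list (the path the backdoor hooks)."""
    return any(re.search(r"\bliblzma\.so", line) for line in ldd_output.splitlines())


def check_local_host() -> bool:
    """Run the real tools when present; returns True if a backdoored xz is installed."""
    if not shutil.which("xz"):
        print("xz not installed")
        return False
    out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    hits = backdoored_components(parse_xz_version(out))
    try:  # sshd path and ldd availability are assumptions; failure just means "unknown"
        sshd = shutil.which("sshd") or "/usr/sbin/sshd"
        ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        exposed = sshd_links_liblzma(ldd)
    except OSError:
        exposed = None
    for comp, ver in hits:
        print(f"VULNERABLE: {comp} {ver} (CVE-2024-3094); sshd links liblzma: {exposed}")
    if not hits:
        print("ok:", parse_xz_version(out) or "no version parsed")
    return bool(hits)
```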

Today, we'll talk a bit about JavaScript recon in web applications. I've based my methodology on "My Javascript Recon Process - BugBounty".

Collecting links to JS files can be done using gau:
gau example.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> exampleJS.txt

Alternatively, you can use waymore, which seems to be better:
python3 waymore.py -i example.com -ko "\.js(\?|$)"

We can also try fuzzing to find hidden JS files:
ffuf -u https://www.example.com/js/ -w jsWordlist.txt -t 200

The wordlist for fuzzing can be found here: https://wordlists.assetnote.io/

After that, probe the JS links, as some of them may be outdated:
httpx -l exampleJS.txt -mc 200

Now, let's look for secrets in these files using SecretFinder, a tool for detecting sensitive data such as API keys, access tokens, authorization headers, JWTs, etc. in a JS file (xargs -I already runs one command per input line, so -n is not needed):
cat exampleJS.txt | xargs -I @ bash -c 'echo -e "\n[URL] @\n"; python3 SecretFinder.py -i @ -o cli' >> exampleJsSecrets.txt

Next, using availableForPurchase.py, we can check whether the domains referenced in the JS files are available for purchase. This tool, combined with linkfinder and collector, is really powerful: sometimes developers make a typo when writing a domain, or a page imports an external JavaScript file from a domain that has since expired.
cat exampleJS.txt | xargs -I @ bash -c 'python3 linkfinder.py -i @ -o cli' | python3 collector.py output
cat output/urls.txt | python3 availableForPurchase.py
[NO] www.googleapis.com
[YES] www.gooogleapis.com

After executing the above commands, a list of potential endpoints discovered in the JS is available for review:
cat output/paths.txt

We can also immediately check for subdomain takeover using subzy:
cat output/urls.txt | grep "https\{0,1\}://[^/]*\.example\.com/[^ ]*" >> subdomainExample.txt; subzy run --targets subdomainExample.txt

Also, excellent extensions for Burp: JS Miner and JS Link Finder, which perform similar tasks but in real time. For greater coverage it's better to use both script scanning and the plugins.
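The linkfinder → collector → availableForPurchase step above, reduced to one self-contained script as an added example (not the post's tools and not their code): it pulls absolute URLs and quoted relative paths out of JS text, then lists referenced hosts that do not resolve, which is the condition that makes a mistyped or lapsed script domain a takeover risk in your own application. The JS snippet is constructed; the resolver is injectable so the logic can be checked without network access.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed JS snippet standing in for a downloaded bundle (example data, not from the post).
SAMPLE_JS = r"""
var api = "https://www.googleapis.com/v1/items";
fetch("https://www.gooogleapis.com/v1/items");   // mistyped host
var s = document.createElement('script');
s.src = 'https://cdn.example-assets.invalid/app.js';  // lapsed third-party host
const p = '/api/internal/users';
"""

# Absolute or protocol-relative URL; the path stops at whitespace or a quote.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+(?:/[^\s'"`<>]*)?""")
# Quoted relative path such as '/api/internal/users' (what collector writes to paths.txt).
PATH_RE = re.compile(r"""['"`](/[A-Za-z0-9_./-]+)['"`]""")


def extract_hosts_and_paths(js: str):
    """Return (sorted unique hosts, sorted unique relative paths) referenced by the JS text."""
    hosts = set()
    for m in URL_RE.finditer(js):
        url = m.group(0)
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    paths = {m.group(1) for m in PATH_RE.finditer(js)}
    return sorted(hosts), sorted(paths)


def resolves(host: str) -> bool:
    """Real DNS lookup: False on NXDOMAIN or any resolution failure."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def unresolvable_hosts(js: str, resolver=resolves) -> list:
    """Hosts the JS loads from that do not resolve: candidates for a typo'd or expired domain."""
    hosts, _ = extract_hosts_and_paths(js)
    return [h for h in hosts if not resolver(h)]


if __name__ == "__main__":
    for host in unresolvable_hosts(SAMPLE_JS):
        print("[UNRESOLVED]", host)
```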

http-zine.pdf (16.87 MB)

ChatGPT for CyberSecurity #1.pdf (1.15 MB)

Frida Guide _ Android Pentesting.pdf (3.11 MB)

SQL Injection.pdf

1. Encoding and Filtering hide01.ir.pdf (17.58 MB)

Disable-TamperProtection: a POC to disable TamperProtection and other Defender / MDE components
It is possible to abuse SYSTEM / TrustedInstaller privileges to tamper with or delete WdFilter settings (ALTITUDE regkey) and unload the kernel minidriver to disable Tamper Protection and other Defender components. This also affects Microsoft Defender for Endpoint (MDE), blinding MDE to telemetry and activity performed on a target. An example of using the POC is as follows:
   1. Unload WdFilter
   2. Disable Tamper Protection
   3. Disable Defender / MDE components
   4. Reinstate / restore the WdFilter
Blog: Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components
POC demo: https://youtu.be/MI6aVDHRix8
During testing, this vulnerability was found to affect the following versions of Windows:
   • Windows Server 2022 until BuildLabEx version 20348.1.amd64fre.fe_release.210507-1500 (April 2024 update)
   • Windows Server 2019
   • Windows 10 until BuildLabEx version 19041.1.amd64fre.vb_release.191206-1406 (April 2024 update)
   • Windows 11 until BuildLabEx version 22621.1.amd64fre.ni_release.220506-1250 (Sep 2023 update)

#tools #hardening pgdsat - PostgreSQL Database Security Assessment Tool https://github.com/HexaCluster/pgdsat

API Pentesting📡🩸 Hey there! Get ready to learn some super cool stuff in this course. You'll discover a very important way of hacking and building APIs, with real hands-on labs and examples. Before you know it you'll get the hang of it and be able to work with APIs like a pro. As software and web applications become more popular, we need to keep them safe from bad guys. That's why this guide is perfect for testers, managers and developers who want to make sure their systems are secure. Posted by @TheGodEye

In this picture you will learn what a firewall is.

Google Hacking Dorks.pdf (1.43 KB)

SSH penetration testing.pdf (2.67 MB)