
Small Winds - No. 01

Updated: Aug 20

A personal mini blog about infosec and life

Recently, I encountered a blog that inspired me to create a more personal mini blog as part of The Security Wind. I plan to post on a weekly or biweekly basis, and it will probably include more personal stuff and thoughts, combined with other things related to information security - likely interesting things I've learned, plans, tips and whatever else comes to my mind :)

I will probably know better later on.


A while ago, I had some kind of emotional buying urge (is there such a thing? Probably). It started with the revelation (🙄) that I am not where I want to be professionally regarding application security. More specifically, I wanted to get better with browser internals, beyond the basics. I wanted to buy a physical book because I already read a lot on my computer and was looking for a different option (also, I enjoy reading from physical books, and they're easier for me to read while commuting).


I did some research and found two books that met my needs: The Browser Hacker's Handbook (2014) and The Tangled Web (2011). They are a bit old but a lot of the content is still relevant.


So it started with the idea of buying one book and I found myself ending up with seven.



My reasoning behind buying each book:

  • The Browser Hacker's Handbook (2014), The Tangled Web (2011) - They teach about browser internals. I wasn't entirely sure whether one book offered more information on certain subjects, so I bought both to have both perspectives.

  • Attacking and Exploiting Modern Web Applications (2023) - Some modern attacks, technologies and perspectives that I would like to read about.

  • Web Security for Developers (2020) - To better understand security from the development point of view.

  • Real-World Bug Hunting (2019) - To learn tricks that I'm not aware of.

  • Bug Bounty Bootcamp (2021), JavaScript for hackers (2022) - Don't ask. Aside from my buying urge, these books were recommended and they probably offer more tips and tricks.


Weekly Thoughts


  • A few weeks ago I started reading 'The Browser Hacker's Handbook' but because of an issue, I temporarily stopped and switched to 'Real-World Bug Hunting'. I began creating some kind of checklist of things I want to test in penetration tests. Some of them are specific (for example methods I use to cause detailed error messages) and others are more general. I use this book to add ideas and attack types to this checklist.

  • I've finished about half of the book so far, and it's well written. It explains several attack types, provides examples of interesting bug bounty reports that have been disclosed, and gives a takeaway for each example. Although I'm already familiar with a major part of this book, there are some techniques that are new to me and perspectives that I find beneficial. One bug bounty report mentioned in the book is this one: https://hackerone.com/reports/127703/. In scenarios where the CSRF token is correctly implemented, we might still find the CSRF token in certain JS files. Since loading JavaScript files from another origin does not violate the Same Origin Policy, when the victim visits the attacker's website, it can load the script that contains the victim's CSRF token and send a request with that token included. This reminded me of the Same Origin Method Execution (SOME) attack, probably because both methods rely on loading a script to bypass the SOP restrictions and perform an attack. It made me more aware of the possibility of abusing this behavior when loading scripts.
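To make the point above concrete from the defender's side, here is an added example (mine, not code from the post or from the HackerOne report it links). It contrasts a token endpoint that returns the CSRF token inside executable JavaScript, which any origin can include with a script tag, with a hardened endpoint that returns it only as JSON to same-origin fetch() calls and adds an anti-XSSI prefix so the body is a syntax error if it is ever treated as a script. The request objects, header values and the token are constructed for the example; the header names are the standard Sec-Fetch-* and X-Requested-With headers.

```javascript
// Added example: why a CSRF token embedded in a JavaScript file is readable
// cross-origin, and one way to serve it safely. Requests are modelled as plain
// objects with lowercased header names, mirroring Node's http.IncomingMessage.

// Leaky pattern: the per-session token is baked into executable JavaScript.
// Any page can load this with <script src="..."> and then read window.csrfToken.
// (Session cookies marked SameSite=Lax or Strict are not sent on cross-site
// <script> loads, which is the other defense in depth against this.)
function leakyTokenScript(sessionToken) {
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `window.csrfToken = ${JSON.stringify(sessionToken)};`,
  };
}

// Anti-XSSI prefix: makes the response body invalid JavaScript on purpose.
const XSSI_PREFIX = ")]}',\n";

function deny(reason) {
  return { status: 403, contentType: 'text/plain', body: `forbidden: ${reason}` };
}

// Hardened pattern: JSON only, same-origin fetch()/XHR only, prefixed body.
function hardenedTokenEndpoint(req, sessionToken) {
  const h = (req && req.headers) || {};
  const dest = String(h['sec-fetch-dest'] || '').toLowerCase();
  const site = String(h['sec-fetch-site'] || '').toLowerCase();

  // A <script> element always carries Sec-Fetch-Dest: script in modern browsers.
  if (dest === 'script') return deny('script-destination');
  // Only same-origin callers should be fetching the token.
  if (site && site !== 'same-origin') return deny('cross-site');
  // <script>, <img> and plain HTML forms cannot set custom headers, so requiring
  // one is a second signal for browsers that do not send Sec-Fetch-* headers.
  if (!h['x-requested-with']) return deny('missing-custom-header');

  return {
    status: 200,
    contentType: 'application/json',
    body: XSSI_PREFIX + JSON.stringify({ csrfToken: sessionToken }),
  };
}

// Would this body parse as JavaScript? Shows that the leaky body is a valid
// script (so a cross-origin <script> runs it) while the hardened body is not.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Client side of the hardened design: a same-origin fetch strips the prefix.
function parseTokenResponse(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error('unexpected token response');
  return JSON.parse(body.slice(XSSI_PREFIX.length)).csrfToken;
}

// Demo with a constructed token and two constructed requests.
if (typeof require !== 'undefined' && require.main === module) {
  const token = 'constructed-token-123';
  const crossSiteScriptLoad = {
    headers: { 'sec-fetch-dest': 'script', 'sec-fetch-site': 'cross-site' },
  };
  const sameOriginFetch = {
    headers: { 'sec-fetch-dest': 'empty', 'sec-fetch-site': 'same-origin', 'x-requested-with': 'fetch' },
  };
  console.log('leaky body runs as script:', parsesAsScript(leakyTokenScript(token).body));
  console.log('cross-site <script> load:', hardenedTokenEndpoint(crossSiteScriptLoad, token).status);
  const ok = hardenedTokenEndpoint(sameOriginFetch, token);
  console.log('same-origin fetch:', ok.status, parseTokenResponse(ok.body),
    'runs as script:', parsesAsScript(ok.body));
}
```

The check to remember when reviewing an application: grep the JavaScript the server emits for anything that looks like a session-bound secret, and if a token must reach the client, it should arrive through a response that a script tag cannot consume (JSON with an anti-XSSI prefix, behind same-origin fetch metadata and a custom header), with SameSite session cookies as the backstop.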

  • I've started creating a tool for bypassing WAFs or CDNs by trying to find the actual server's IP address hidden behind the CDN IP address, using three different methods. I hope to have updates next week.

  • I created a new page in my Notion account for new tools or things I want to do before or during future tests. Some of them are:

    • Comparing directory brute-forcing methods and tools. I've already started doing this, and I think the tools may matter less than the wordlists that are used. For the tool, I usually use Burp Suite Intruder since it lets me easily filter, sort by content length or HTTP status code, view the HTTP responses and their rendering right away, and probably more. The disadvantage is that it's probably very slow compared to dedicated tools. So for now I'll probably compare lists and not tools. Which tools and lists do you usually use? Feel free to comment or let me know.

    • I want to familiarize myself with all the different settings of browser DevTools. Recently I learned about the 'Application > Frames' and 'Application > Service workers' panels, and I'm sure there are more valuable features there.
