Epic Wordlists for Bug Bounty content discovery and API bugs!

STÖK

26 Nov 202006:23

Summary

TLDRIn this episode, the host discusses the importance of wordlists for pen testers and bounty hunters, highlighting Assetnote's curated wordlists and their monthly updated Wordless site. John Barber's script for cleaning up wordlists is praised for its efficiency. Low View High's script for finding security anomalies through header and path testing is introduced, along with Project Discovery's Nuclei scanning tool's update to version 2.2, which includes new features like unsafe attributes and HTTP fuzzing support. The episode ends with an announcement of an upcoming live performance by rapper Whitey Cracker.

Takeaways

🎥 Today's episode is sponsored by Pentester Lab, promoting their platform for learning penetration testing skills.
🔍 Wordlists are crucial for content discovery and enumerating subdomains in cybersecurity.
📈 Assetnote has released a curated selection of wordlists, including an API routes wordlist with approximately 953,000 entries.
🛠 John Barber has created a script to clean up wordlists, removing unnecessary lines and noise to improve efficiency.
🚫 The script by John Barber removes lines with over 100 characters, consecutive digits, and specific file formats to refine wordlists.
🔄 Low View High's script helps identify security anomalies by testing various headers and path bypasses.
📝 The nuclei scanning tool has been updated to version 2.2, introducing new features like unsafe attributes and raw HTTP library support.
🏎️ The update to nuclei allows for more control over malformed requests, opening up possibilities for detecting race conditions.
🤝 Nuclei's update also includes support for Burp Collaborator polling, enhancing the tool's capabilities in security testing.
🎤 Integrity will host a live session with rapper Whitey Cracker on their YouTube channel, promoting the artist and engaging the audience.

Q & A

What is the main topic of the video script?
-The main topic of the video script is about various updates and tools in the field of cybersecurity, specifically focusing on pen testing and bounty hunting tools and techniques.
Who sponsors the episode mentioned in the script?
-The episode is sponsored by the team at Pentester Lab.
What is the purpose of Wordlist in cybersecurity?
-Wordlists are used for content discovery, enumerating subdomains, and other enumeration tasks in cybersecurity.
What did Assetnote release that excited the speaker?
-Assetnote released a curated selection of wordlists they have created over the year, which includes an API routes wordlist containing approximately 953,000 possible API paths from the HTTP Archive dataset.
What did John the Ripper do with the wordlist released by Assetnote?
-John the Ripper cleaned up the wordlist by removing noisy characters and lines that are not needed, such as those with over 100 characters, consecutive digits, or ending with image and music file formats.
What is the benefit of using John the Ripper's script on wordlists?
-Using John the Ripper's script helps to remove unnecessary noise from wordlists, making them more efficient and relevant for use in pen testing, thus reducing unnecessary requests and potential false positives.
What is the purpose of the script created by Low View High?
-The script created by Low View High is designed to find anomalies in security measures that the security team or app developers might have overlooked. It tries different headers and path bypasses to identify vulnerabilities.
What is the significance of the update to the Nuclei scanning tool?
-The update to Nuclei version 2.2 introduces a raw HTTP library with an unsafe attribute, allowing for the sending of any kind of malformed request to detect interesting behavior and providing unlimited control over the send requests.
What new features does the updated Nuclei tool offer?
-The updated Nuclei tool offers new features such as HTTP flooding, fuzzing support, and the ability to add support for Burp Collaborative polling.
What event is Integrity hosting with Whitey Cracker?
-Integrity is hosting a live session with the rapper Whitey Cracker for the 1337 UP Live Session.
Where can viewers find the live performance by Whitey Cracker?
-Viewers can find the live performance by Whitey Cracker on Integrity's YouTube channel.