Bug Bytes #14 – Better Exfiltration via HTML Injection by @donutptr, Dell KACE K1000 RCE by @MrTuxracer & BurpFeed

By Intigriti

April 16, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 05 to 12 of April.

Our favorite 5 hacking items

1. Article of the week

Better Exfiltration via HTML Injection, tl;dr by @fransrosen & sic (Sequential Import Chaining tool)

This is  great example of how far collaboration can go for bug hunters, how to do research and invent a new attack.
André Baptista and Cache-Money found an HTML injection with clickjacking as the worst-case scenario.
The bug wasn’t an XSS because the target used DomPurify. But since DomPurify allows style tags by default, @donutptr started looked for a way to exfiltrate sensitive data using just a style tag.
It’s similar to a CSS injection but the new attack has less prerequisites and works even though the target limits the payload’s size.
The whole writeup is excellent to learn about CSS injection, and the kind of creativity/perseverence that makes you go from HTML injection to a 5 digit bounty despite many technical obstacles.

2. Writeup of the week

Dell KACE K1000 Remote Code Execution – the Story of Bug K1-18652

This is a writeup of the bug that made @MrTuxracer winner of HackerOne’s H1-3120 event.
It’s an RCE on an in-scope Dropbox vendor. I find his process fascinating:

  • During recon, he found a Dell Kace interface

  • The same software is now distribted by “Quest Software Inc”

  • The version detected is old. Free trials are only available for the last version of the app

  • He tried to social engineer Quest to get a free trial of the same old version of the app that he found

  • He still played with the latest version even though it was completely different from what he saw on the server

  • He analyzed the app’s source code and found a comment referencing a path traversal

  • His code analysis showed that there was also an arbitrary command injection

  • The bugs are fixed in the app’s last version but they worked when he tried them on his target which wasn’t up-to-date

Social engineering to get a demo app and taking the time to install an app locally and review its source code… remind me of this advice by @gwendallecoguic:

You just need to do what other people don’t, because they didn’t think about it or because they were lazy, success guarantee.

3. Tool of the week

BurpFeed

I haven’t had the opportunity to test this tool, but I will definitely do it ASAP. It’s a Python script for mass feeding URLs to Burp suite’s sitemap/target tab.
This can be handy to transition from automated recon (and enumeration of live domains) to manual testing with Burp.

4. Tutorial of the week

Linting For Bugs & Vulnerabilities

This is a nice introduction to static analysis of JavaScript code using ESLint with custom rules. It can help detect issues like DOM XSS.
You can also add rules to detect other vulnerabilities, and play with the OWASP Juice Shop to test them. I’d also combine such linting tools with manual anlysis because many bugs won’t be found with automation.

5. Video of the week

How did Masato find the Google Search XSS?

This is a follow-up video to last week’s explanation of the mutation XSS found by @kinugawamasato on Google.
This time @LiveOverflow provides insight into how Masato found that XSS, and the kind of research he was involved in that allowed him to find it.
It’s really interesting for anyone who wants to get into Web security research, or understand what make hackers like @albinowax, @sirdarckcat, @garethheyes or Mario Heiderich so good at research.

6. Intigriti News

6.1 EU FOSSA Bonuses

EU Commission is introducing EU FOSSA Bonuses for Keepass, glibc and Apache Tomcat. Up to a 50% bonus!

#EUFOSSA news: The European Commission raises bounty awards to challenge developers. Learn more at https://t.co/cK3sOvUGFr pic.twitter.com/Py4srNSYJq

— intigriti (@intigriti) 10 april 2019

6.2 Shop Apotheke

Shop Apotheke has introduced new In-scope domains due to a major relaunch based on new architecture and a new underlying infrastructure. The new pages mentioned in the In-scope section are delivered by a brand new frontend. This is based on a brand new backend, which is also part of the scope and also mentioned in the In-scope section. These new software solutions have been implemented using new technologies and are hosted in a brand new infrastructure, completely independent of the existing e-commerce platform. Note: this is a registered only program!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Http-prompt: An interactive command-line HTTP client featuring autocomplete & syntax highlighting, built on HTTPie & prompt_toolkit

  • Git-Pwned: Wrapper around subfinder & git-dumper

  • Denumerator: Finds servers responding on port 80/HTTP

  • LFI-Enum: Scripts to exploit LFI & extract information from Linux servers

  • Dirble: Directory scanning & scraping tool in Rust, based on Dirb but faster

  • Domain-to-webapp: Web application Enumerator

  • EmailGen: Email Generation from Bing using LinkedIn Dorks

  • Adconnectdump: Dump Azure AD Connect credentials for Azure AD & Active Directory

  • PEPE (Post Exploitation Pastebin Emails) & Introduction: Collect information about email addresses from Pastebin for advanced credential stuffing

  • SharpExec & Introduction: Offensive security C# tool designed to aid with lateral movement

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Vulnerabilities

Breaches

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.

Curated by Pentester Land & Sponsored by Intigriti

You may also like