Bug Bytes #65 – Hacking webcams, internal servicedesks & parsers


Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 27 of March to 03 of April.

Our favorite 5 hacking items

1. Slides of the week

Attacking Secondary Contexts in Web Applications

@samwcyo’s Kernelcon talk explores attacking various secondary contexts (APIs, reverse proxies, middleware) in Web applications. He shows how to detect application routing from a black-box position, and gives examples of vulnerabilities that can result from interactions between different servers.

This is excellent research and an interesting area to explore further. The talk video is not available yet, but will hopefully be released soon.

Also good to know: you can reproduce the last trick (the Authy 2FA bypass) in @PentesterLab’s “Idor to Shell”.

2. Writeups of the week

iPhone Camera Hack ($75,000)

Hundreds of internal servicedesks exposed due to COVID-19 (>$10,000)

How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties

It was impossible to feature only one writeup as these 3 are all awesome! The iPhone Camera Hack is a deep dive into several bugs found in Safari. They allowed Ryan Pickren to gain zero-click unauthorized camera access on iOS and macOS, and earned him an impressive $75,000 bounty.

The second article sums up @securinti’s findings after scanning 10,000 popular domain names for misconfigured Atlassian instances. He noticed a 12% increase in exposed instances since last summer, maybe because of remote work due to COVID-19.

The third writeup reads like an investigation. @redtimmysec identified the middleware in use (a WAF and a Bluecoat proxy), and was able to bypass the WAF to exfiltrate sensitive data with SSRF. This is an excellent example of a “secondary contexts” bug.

3. Article of the week

How to exploit parser differentials

GitLab’s transparency is amazing. This is a writeup for a file upload vulnerability found internally. It illustrates the concept of parser differentials, which is similar to @samwcyo’s “secondary contexts” attacks, but applied to file uploads.

This is a unique opportunity to learn about a critical bug with details, from the company itself, about the source code and how file uploads are handled.

4. Video of the week

@Codingo_ Talks About Pentesting, Escalating Bugs, OSCP, Working at Bugcrowd, Burp Suite and More!

The interview with @codingo_ is A-M-A-Z-I-N-G! He shares so many ideas and good insights. For instance, his philosophy around XSS proofs of concept got him a much bigger bounty for a duplicate XSS than its first reporter got! He has a unique background, and a strong opinion on which programming languages to learn.

Also a big shout-out to @NahamSec for being a great interviewer and asking all the questions I had in mind.

5. Tool of the week

Crithit

Crithit allows you to do directory and file brute forcing at large scale. It takes each entry from a wordlist and tests it against all targets before moving on to the next entry.

If this reminds you of something, it is probably Inception, which is similar. The difference is that Inception takes as input a configuration file with specific endpoints to test for (e.g. .env, .git, etc.), while Crithit can be used with any wordlist. So, Crithit is more practical when you want to test bigger or existing wordlists. It also supports filtering outputs using HTTP response codes and signatures to look for in responses.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Zoom

Breaches & Attacks

Malicious apps/sites

Other news

Coronavirus

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/27/2020 to 04/03/2020.

Curated by Pentester Land & Sponsored by Intigriti