Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 27 March to 3 April.
Our favorite 5 hacking items
1. Slides of the week
Attacking Secondary Contexts in Web Applications
@samwcyo’s Kernelcon talk explores attacking various secondary contexts (APIs, reverse proxies, middleware) in Web applications. He shows how to detect application routing in a black-box setting, and gives examples of vulnerabilities that can result from interactions between different servers.
This is excellent research and an interesting area to explore further. The talk video is not available yet, but will hopefully be released soon.
Also good to know: you can reproduce the last trick (Authy 2FA bypass) in @PentesterLab’s “Idor to Shell”.
2. Writeups of the week
iPhone Camera Hack ($75,000)
Hundreds of internal servicedesks exposed due to COVID-19 (>$10,000)
How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties
It was impossible to feature only one writeup as these 3 are all awesome! The iPhone Camera Hack is a deep dive into several bugs found in Safari. They allowed Ryan Pickren to gain zero-click unauthorized camera access on iOS and macOS, and earned him an impressive $75,000 bounty.
The second article sums up @securinti’s findings after scanning 10,000 popular domain names for misconfigured Atlassian instances. He noticed a 12% increase in exposed instances since last summer, possibly because of remote work due to COVID-19.
The third writeup reads like an investigation. @redtimmysec identified middleware in use (a WAF and a Bluecoat proxy), and was able to bypass the WAF to exfiltrate sensitive data with SSRF. This is an excellent example of a “secondary contexts” bug.
3. Article of the week
How to exploit parser differentials
GitLab’s transparency is amazing. This is a writeup for a file upload vulnerability found internally. It illustrates the concept of parser differentials, which is similar to @samwcyo’s “secondary contexts” attacks, but applied to file uploads.
This is a unique opportunity to learn about a critical bug with details, from the company itself, about the source code and how file uploads are handled.
4. Video of the week
@Codingo_ Talks About Pentesting, Escalating Bugs, OSCP, Working at Bugcrowd, Burp Suite and More!
The interview with @codingo_ is A-M-A-Z-I-N-G! He shares so many ideas and good insights. For instance, his philosophy around XSS proofs of concept got him a much bigger bounty for a duplicate XSS than its first reporter received! He has a unique background, and a strong opinion on which programming languages to learn.
Also a big shout-out to @NahamSec for being a great interviewer and asking all the questions I had in mind.
5. Tool of the week
Crithit allows you to do directory and file brute forcing at large scale. It takes each entry from a wordlist and tests it against all targets before moving on to the next entry.
If this reminds you of something, it is probably because of Inception, which is similar. The difference is that Inception takes as input a configuration file with specific endpoints to test for (e.g. .env, .git, etc.), while Crithit can be used with any wordlist. So, Crithit is more practical when you want to test bigger or existing wordlists. It also supports filtering outputs using HTTP response codes and signatures to look for in responses.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study (Bitdefender, $5,000)
- Limited freemarker ssti to arbitrary liql query and manage lithium cms
- Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps
- Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO (Shopify, $15,000)
- [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation (Shopify, $15,000)
- Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation (Shopify, $7,500)
- Periscope iOS app CSRF in follow action due to deeplink (Twitter, $2,940)
- Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation (Slack, $750)
- H1514 CSRF in Domain transfer allows adding your domain to other user’s account (Shopify, $500)
- An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss (SEMrush, $2,111)
See more writeups on The list of bug bounty writeups.
If you don’t have time
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/27/2020 to 04/03/2020.