Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 10 to April 17.
Another public bug bounty program launched on Intigriti. Pays bounties up to €10.000!💰 Check it out here: https://go.intigriti.com/napoleongames
Our favorite 5 hacking items
1. Paper of the week
Uninitialized Memory Disclosures in Web Applications
This is an excellent paper on memory disclosure vulnerabilities in Web apps. The author focuses on bugs caused by image parsing errors, such as ImageTragick, but shows how to extrapolate the attacks to libraries other than ImageMagick.
If you want to take a deep dive into this kind of bug, this is a great opportunity. A lot of resources are provided, from tools for automated detection to a test environment, writeups, and external links on memory leaks.
2. Writeup of the week
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts
What a great read! @samwcyo chained HTTP cache poisoning with an open redirect that leaks the victim’s OAuth token. He explains each bug separately, how to combine them for maximum impact, what he tried that didn’t work, and also how he approaches hacking video games as a Web app tester without mastering reverse engineering.
3. Videos of the week
– Creating Wordlists for Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More!
– @Ngalongc Talks About Hacking Uber, Airbnb and Shopify, SAML/OAuth Vulnerabilities, Recon, and More!
4. Tutorial & tool of the week
– Subdomain Enumeration: Filter Wildcard Domains
Detecting and filtering out wildcard subdomains is important during subdomain enumeration, to avoid wasting time on subdomains that don’t exist. @0xpatrik published a cool post on exactly that.
Gwdomains automates this process. But I’m not sure how it works exactly. It would be interesting to figure it out by reading the source code, and to compare it with @0xpatrik’s detection heuristic and all the cases he mentioned.
5. Resource of the week
Public Release of HTML5 attack and Defence course
This is a nice introductory course on HTML5 attacks. It’s a bit outdated but still a good resource to discover HTML5 technologies (CORS, DOM, Local Storage, Webworkers, Websockets, Iframe sandboxing…) and some of their common security issues.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Proxying HTTP2 Through Burp Suite
- Docker Image Generator & Introduction: Customized Docker image generation toolkit for infosec
- Burp Extension Generator: Generate Burp Suite Extension projects the easy way
- DalFox (Finder Of XSS): Parameter analysis and XSS scanning tool written in Go
- OpenRedireX: A Python fuzzer for open redirect issues
- Pown LAU: A library and Pownjs tool for enlisting target web application URLs using several public databases (inspired by getallurls)
- 2tearsinabucket: Go script to enumerate S3 buckets for a specific target
- TitleXtractor: Go script for extracting the <title> tag from HTML pages
- Linkedin Scraper: A fully configurable Python tool to scrape anything within LinkedIn
- ReverseIP.sh: Simple bash script for Reverse IP Lookup, using whoisxmlapi.com
- Lazyhunter: A framework that provides a web UI to commonly used Bug Hunting/Pentesting tools
- Socks Over RDP & Slides: A tool that creates a virtual channel over an RDP connection and spins up a SOCKS5 proxy that is tunnelled over the remote host, just like SSH's -D switch
- eLdap & Presentation: A Python tool that helps users search and filter queries in an LDAP environment
- PCredz & Introduction: Python script that extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/17/2020 to 04/24/2020.