Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 24 to May 1, 2020.
Our favorite 5 hacking items
1. Tools of the week
postMessage-tracker is a Chrome extension presented by @fransrosen in his “Attacking Modern Web Technologies” talk. It monitors postMessage listeners in all subframes of the window and logs everything, helping find postMessage issues such as XSS and data extraction bugs.
2. Writeup of the week
This is a very well-written and informative writeup on SSRF. @d0nutptr shares what he looks for when testing SSRF, and 5 interesting bugs he found that earned him more than $4,800 in total. My main takeaway is to start signing up to apps using email addresses on a Burp Collaborator domain, like firstname.lastname@example.org, and then watch the Collaborator client.
A sign-up flow is expected to produce DNS and SMTP interactions (the app looks up the mail server and delivers the verification email). If you also receive an HTTP request to that domain, some server-side code turned your email address into a URL and fetched it, so there is potential for SSRF.
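The correlation step described above, as an added example that is not part of the newsletter or of @d0nutptr's writeup: generate a unique Collaborator-style address per target, then sort the interactions that come back into "expected mail footprint" versus "candidate SSRF". The interaction records, the field names (`type`, `host`, `client_ip`, `path`) and the `example.org` stand-in for a real Collaborator domain are all constructed for this example.

```python
"""Trace Collaborator-style interactions back to the sign-up email that caused them.

Added example (not from the newsletter or the writeup it summarises).
Assumptions: you control COLLAB_DOMAIN, and your OAST client gives you one
record per interaction with at least a type (DNS/SMTP/HTTP) and the hostname hit.
"""
import re
import secrets
from collections import defaultdict
from typing import Dict, Iterable, Optional

COLLAB_DOMAIN = "example.org"  # stand-in for your own Collaborator/OAST domain (assumption)


def make_signup_email(target: str, collab_domain: str = COLLAB_DOMAIN,
                      token: Optional[str] = None) -> str:
    """Build a unique sign-up address for one target.

    The random label lives in the *domain* part, not the mailbox part, so every
    DNS, SMTP or HTTP interaction carries it in the hostname and can be traced
    back to the target that produced it.
    """
    token = token or secrets.token_hex(4)  # 8 hex chars
    return f"hunter@{target}-{token}.{collab_domain}"


def target_from_host(host: str, collab_domain: str = COLLAB_DOMAIN) -> Optional[str]:
    """Recover the target label from an interaction hostname.

    Returns None for hosts under the domain that we did not hand out, so
    unrelated scanner noise is not attributed to a target.
    """
    host = host.lower().rstrip(".")
    suffix = "." + collab_domain
    if not host.endswith(suffix):
        return None
    # innermost label, e.g. "crm-deadbeef" from "mail.crm-deadbeef.example.org"
    label = host[: -len(suffix)].rsplit(".", 1)[-1]
    match = re.fullmatch(r"(.+)-[0-9a-f]{8}", label)
    return match.group(1) if match else None


def classify(interactions: Iterable[dict], collab_domain: str = COLLAB_DOMAIN) -> Dict[str, str]:
    """Group interactions per target and say what they mean.

    DNS + SMTP is the normal footprint of a verification email. An HTTP
    interaction means server-side code fetched a URL derived from our address:
    a candidate SSRF worth digging into.
    """
    seen: Dict[str, set] = defaultdict(set)
    http_paths: Dict[str, set] = defaultdict(set)
    for rec in interactions:
        target = target_from_host(rec["host"], collab_domain)
        if target is None:
            continue
        kind = rec["type"].lower()
        seen[target].add(kind)
        if kind == "http":
            http_paths[target].add(rec.get("path", "/"))

    verdicts: Dict[str, str] = {}
    for target, kinds in seen.items():
        if "http" in kinds:
            paths = ", ".join(sorted(http_paths[target]))
            verdicts[target] = f"candidate SSRF (HTTP request to sign-up domain, path(s): {paths})"
        elif "smtp" in kinds:
            verdicts[target] = "expected (DNS/SMTP only, mail delivered)"
        else:
            verdicts[target] = "dns only (mail not delivered or not attempted)"
    return verdicts


# Constructed sample interactions, shaped like what an OAST client reports.
SAMPLE_INTERACTIONS = [
    {"type": "DNS",  "host": "shop-1a2b3c4d.example.org", "client_ip": "203.0.113.10"},
    {"type": "SMTP", "host": "shop-1a2b3c4d.example.org", "client_ip": "203.0.113.10"},
    {"type": "DNS",  "host": "crm-deadbeef.example.org",  "client_ip": "198.51.100.7"},
    {"type": "SMTP", "host": "crm-deadbeef.example.org",  "client_ip": "198.51.100.7"},
    {"type": "HTTP", "host": "crm-deadbeef.example.org",  "client_ip": "198.51.100.9", "path": "/"},
    {"type": "DNS",  "host": "wiki-0badf00d.example.org", "client_ip": "192.0.2.5"},
    {"type": "HTTP", "host": "unrelated.example.org",     "client_ip": "192.0.2.5", "path": "/"},
]


if __name__ == "__main__":
    print("sign-up address for 'shop':", make_signup_email("shop"))
    for target, verdict in classify(SAMPLE_INTERACTIONS).items():
        print(f"{target:6s} {verdict}")
```

Putting the token in the domain part matters: if the app only ever resolves or mails the domain, you still learn which target did it, and an HTTP hit on the same hostname is unambiguous. The `crm` target in the sample is the one to follow up on; the `unrelated` hit is dropped because it never came from an address we handed out.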
3. Videos of the week
Hackers are sharing so much good stuff these days! In this week’s must-see videos:
@securinti solves Intigriti’s latest XSS challenge. He based it on a bug found in a live hacking event, and shares so many cool tips on using Chrome DevTools.
@zseano hacks a Web app live and thinks out loud, sharing his mindset and approach.
Mayonaise talks about his recon workflow and hacking approach, automation, learning process…
@stokfredrik shares advice on how to learn new skills, and dealing with duplicates. Personal development applied to hacking!
4. Non technical items of the week
These are two interesting reads that can help get into a successful bug hunting mindset. @zseano is interviewed about his unique approach and experience, and @sharathsanketh shares some of his realizations as a beginner bug hunter trying to up his game.
5. Resources of the week
Daily-commonspeak2 is an unofficial repo for Commonspeak2 wordlists generated daily. Useful for subdomain recon!
The mobile testing checklist covers both iOS and Android. I like its simple format that helps remember everything to test for, with references and the tools needed.
Other amazing things we stumbled upon this week
- Darknet Diaries EP 64: The Athens Shadow Games
- How I approach a bug bounty program with this #bugbounty methodology & Transcript
- Security Now 764 – RPKI
- Risky Business #581 — Chinese telcos under fire in USA, spy firms pitch COVID-19 surveillance
- Hacked Off? 059. – Mike Jones: Anonymous, Suits, and Building Better Security
- Security Weekly News #28 – 0 Day Extravaganza, Zoom Can’t Win, & Starbleed – Wrap Up
- Security Weekly News #29 – Shade Ransomware, FBI Warnings, & SCADA Attacks
- Application Security Weekly #105 – Nintendo Breach, NSA Advisory, & Security of IoMT
- Paul’s Security Weekly #648 – iOS Mail Hijack, Hacking Satellites, & 0-Days for Days
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Arbitrary file read via the UploadsRewriter when moving and issue (GitLab, $20,000)
- Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams (Microsoft)
- Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg (Uber, $4,000)
- Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin (Trello, $3,600)
- Researching Polymorphic Images for XSS on Google Scholar (Google, $9,401.1)
- Bitrix WAF bypass (Mail.ru, $300)
- [Bug Bounty Writeups] Exploiting SQL Injection Vulnerability ($2,000)
- Indirect UXSS issue on a private Android target app ($1,000)
- Account taken over in style!!!
See more writeups on The list of bug bounty writeups.
If you don’t have time
- github-secrets.py: Python script to do a regexp search on GitHub search results
- SonarSearch & Introduction: A MongoDB importer and API for Project Sonar's DNS datasets
- VHosts Sieve: Searching for virtual hosts among non-resolvable domains
- Enemies Of Symfony (EOS): Debug mode Symfony looter
- @apps3c’s ysoserial fork: Used to generate payloads for @Burp_Suite Java Deserialization Scanner. It adds time, DNS, OS-specific exec and reverse shell (@nickstadb) attack vectors, output transformation, xstream (Isaac Sears)
- download-networks.sh: Download all the Shodan data for a list of networks in a text file
More tools, if you have time
- Chrome Galvanizer & Introduction: A tool to generate Chrome enterprise policies to help users boost Chrome extension security
- Trishul: Burp Extension to hunt for common vulnerabilities including XSS, SQL injection & SSTI
- APKEnum & Introduction: A Python Utility For APK Enumeration
- WebIDL: New fuzzer to help identify security vulnerabilities in the implementation of WebAPIs in Firefox
- Nozaki: Security oriented HTTP fuzzer engine
- DevToolReader & Introduction: Python script that parses Indexeddb files – used to extract Firefox DevTools console history
- pwncat: Netcat on steroids with Firewall and IPS evasion, bind and reverse shell, local and remote port-forward
- SitRep: Extensible, configurable host triage
- jbosswidlyfly_to_hashcat.py: Python 3 script to convert JBoss/Wildfly user properties list to hashcat mode 20
- AzureADLateralMovement & Introduction: Bloodhound for Azure AD
- Pivotnacci: A tool to make socks connections through HTTP agents
- Wifipumpkin3: Powerful framework for rogue access point attack
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/24/2020 to 05/01/2020.
Curated by Pentester Land & Sponsored by Intigriti