By Intigriti
May 20, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 08 to 15 May.
If you ever want to send HTTP requests for a quick test without firing up Burp/ZAP, this is the tool for you. It is an interactive CLI tool for HTTP inspection. It allows you to send HTTP requests from the terminal, while controlling everything from the headers to the request’s type and data.
$20000 Facebook DOM XSS (Facebook, $20,000)
DOM XSS through postMessage is trendy and lucrative. @vinodsparrow found one in Facebook’s login button, and shares all the details in this cool writeup. The nice thing is, he not only shares the code to exploit it, but also explains what led him to believe that there was an issue in the first place.
@nnwakelam is one of the current bug hunter millionaires, and is particularly known for his recon skills. It is awesome to have this almost 2-hour interview where he chats with @nahamsec about his specialty, extending the attack surface, plus many other things like bug examples, Burp, vulnerability indicators… Also, just in case, here is his TL;DR.
LevelUp is also a rendez-vous I never miss. Topics range from automotive testing to security code review, writing résumés, choosing targets, and making better decisions as bug hunters.
These are two good pieces that point out important questions every struggling bug hunter should ask themselves. The idea is to find out what is hindering you. So, even if these exact questions don’t apply to you, try to extrapolate to find your own missing pieces.
How To Scan AWS’s Entire IP Range to Recon SSL Certificates
This article expands on an idea mentioned in Naffy’s interview, that is scanning AWS’s entire IP range and identifying certificates belonging to your target. This is done by chaining existing open source tools, and could be applied to other Cloud providers like Azure.
FUZZING FOR BEGINNERS (KUGG teaches STÖK American fuzzy lop)
Mental Health For Hackers Among COVID-19: Introduction to CBT
BOUNTY THURSDAYS – Bugcrowd Levelup0x06 RECAP, amass update, Intigriti May XSS challenge, Nuclei
HackerOne Hacker Interviews: Douglas (@the_arch_angel), HackerOne Hacker Interviews: André (@0xacb), Aspen (@urazeebo) & Douglas (@the_arch_angel)
$3,000 CodeQL query for finding LDAP Injection – Github Security Lab – Hackerone
Bug bounty tips for broken access control on BurpSuite Part 1
SharpHose Password Spraying and Azure App Services For Offensive Operations
Naked Security Podcast S2 Ep 39: Thunderspy, government encryption, and reply all mistakes
Risky Business #583 — COVID-19 collection intensifies, tensions mount
ASW #107 – Samsung RCE 0-Click, Whispers, & Compromising Pluton
PSW #651 MITRE ATT&CK & Security Visibility: Looking Beyond Endpoint Data – Mike Nichols
PSW #651 – Ramsay Malware, Top 10 CVE’s, & Reverse RDP Attacks
PSW #650 – Vulnerability Madness, IoT Botnets, & Breach Chaos
Online Training Sneak Peek: PowerShell for Offense and Defense
SANS @Mic Talk – Cloud Native Payloads: A Matryoshka Doll of Exploits
Finding secrets by decompiling Python bytecode in public repositories
Attacking Azure Container Registries with Compromised Credentials
Securely Deploying IPv6 in 2020 Part 1: Internet Facing Perimeter
CVE-2020-11108: How I Stumbled into a Pi-hole RCE+LPE #Web #RCE
Grandstream PBX Hacking #PBX #Web
Reverse RDP – The Path Not Taken #MacOS #RDP
Another Zoho ManageEngine Story #CodeReview #Java
Two vulnerabilities in Oracle’s iPlanet Web Server (CVE-2020-9315 and CVE-2020-9314)
Magic of the Back Slash ($2,100)
$3000 Bug Bounty Award from Mozilla ($3,000)
I Found XSS Security Flaws in Rails – Here’s What Happened. (Ruby on Rails, $500)
Customer private program can disclose email any users through invited via username (Hackerone, $7,500)
No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im (Gitlab, $1,000)
See more writeups on The list of bug bounty writeups.
Authentication Token Obtain and Replace (ATOR) & Introduction: Burp extension for handling complex login sequences
rulesfinder & Rulesfinder, automatically create good password cracking rulesets: Machine-learn password mangling rules
Stormspotter: Azure Red Team tool for graphing Azure and Azure Active Directory objects
Cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report
SSRFIRE: An automated SSRF finder. Just give the domain name and your server and chill! 😉 Also has options to find XSS and open redirects
Wfuxx: Web based fuzzer – Wrapper around ffuf & gobuster
ApkUrlGrep: Extract endpoints from APK files
Open-sesame: A python tool to display random publicly disclosed Hackerone reports when bored. Automatically opens the report in browser
Project Eagle: Yet another vulnerability scanner
rate-limit-checker: Check whether the domain has a rate limit or not
Ultra Recon: A tool for running recon tools with Docker
grafana-ssrf: Authenticated SSRF in Grafana
Words Scraper: Selenium based web scraper to generate passwords list
Thns: Telegram HTTP notification script, created for a phishing red team operation
Clipboardme: Grab and Inject clipboard content by opening a link
Screenshooter: The Beacon Screenshot Savior: A C# tool to screenshot user’s desktop(s) complete with multiple checks. Will work with Cobalt Strike’s Execute-Assembly
Minimalistic SMB login bruteforcer: A simple SMB login attack and password spraying tool
Workshop: Finding security vulnerabilities in Java with CodeQL
Chaos: A DNS dataset API, collected actively, meant to enhance and analyse internet wide changes
gwen001/sslsub.sh: Oneliner to retrieve altnames from ssl certificates
Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format & Macrome: Excel Macro Document Reader/Writer for Red Teamers & Analysts
Faxing Your Way to SYSTEM — Part Two & faxhell (“Fax Shell”): A Bind Shell Using the Fax Service and a DLL Hijack
WS-Management COM: Another Approach for WinRM Lateral Movement
Why Electron apps can’t store your secrets confidentially: — inspectoption
No more JuicyPotato? Old story, welcome RoguePotato! & RoguePotato
CISSP Qualification Given Status Equivalent to Master’s Degree Level
Breaching the Cloud Perimeter w/ Beau Bullock: 4-hour free online training course on May 28
DEF CON 2020: ‘Safe Mode’ virtual event will be free to attend, organizers confirm
Hacker Days: Kubernetes from an Attacker’s Perspective: May 28
New Thunderbolt security flaws affect systems shipped before 2019
900 Million iPhones Affected By Updated Apple iOS Warning (MailDemon)
Obscure, decade-old vulnerability finally unearthed in GLPI asset management app
HackerOne co-founder unearths information leakage bug in Rails package
Android app promised to serve news updates, served ESET with a DDoS attack instead
New Ramsay malware can steal sensitive documents from air-gapped networks
Hackers target the air-gapped networks of the Taiwanese and Philippine military
Digital Ocean says it exposed customer data after it left an internal document online
New COMpfun malware variant gets commands from HTTP error codes
Scammers steal $10 million from Norway’s state investment fund
Cloud security: Attacking Azure AD to expose sensitive accounts and assets
The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet
Clearview AI won’t sell vast faceprint collection to private companies
This new cybersecurity school will teach kids to crack codes from home
Microsoft: Here’s how we’re killing a class of memory security bugs in Windows 10
The best way to protect the US electrical grid is with open source
Ohio Has Stopped Kicking Workers Off Unemployment After A Hacker Targeted Its Website
US warns of Chinese hackers targeting COVID-19 research orgs
COVID-19 blamed for 238% surge in cyberattacks against banks
DDoS surge driven by attacks on education, government, and coronavirus information sites
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/08/2020 to 05/15/2020.
Curated by Pentester Land & Sponsored by Intigriti