Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 15 to 22 May.
Our favorite 5 hacking items
1. Tool of the week
Project Axiom is a set of utilities for deploying and managing your own dynamic infrastructure on Digital Ocean. It includes different commands that you can use to work with VPS instances from the command line. Examples of actions available are launching a VPS instance, backing it up, connecting to it with SSH, deploying a VPN, etc.
An awesome, convenient project for bug hunters, red teamers and pentesters!
2. Writeup of the week
RCE in Google Cloud Deployment Manager (Google, $31,337.00)
@epereiralopez found an SSRF that led to RCE on Google. Even though this finding required having a really good understanding of Google Cloud Manager, he does an awesome job of explaining everything in this pretty well written and descriptive writeup.
A highly recommended read, whether you want to learn about SSRF/RCE, getting maximum bounties on Google, testing Google Cloud Manager, or how to write great writeups!
3. Article of the week
Smuggling HTTP headers through reverse proxies
@RobinVerton shares a very interesting HTTP header smuggling technique. It exploits differences in how reverse proxies and WSGI frameworks (e.g. Django & Flask) handle header names.
If you’re wondering how this relates to existing HTTP request smuggling research: @albinowax’s techniques involved poisoning Web caches and desynchronizing systems. This new attack focuses on smuggling HTTP headers with the goal of bypassing authentication or taking over accounts. It is relatively easier to pull off, provided that you know or can guess the header names.
I’d also recommend checking out this article by The Daily Swig for a high-level summary.
4. Videos of the week
– @Agarri_Fr Talks About Burp Suite, SSRF, Security Research and Learning Web Application Hacking
– Filedescriptor solves Intigriti’s XSS challenge | Exploiting an RPO attack on Firefox
These are two cool videos for anyone interested in Web app hacking and research. @NahamSec interviews @Agarri_FR, who specializes in Web app hacking and fuzzing. Even though he does less bug hunting now, he is still well-known for his past research on SSRF and XML fuzzing, which is still very relevant and referenced today, and for his unique advanced Burp training. So, it’s nice to get to know him, his learning process, how he manages to find bugs without focusing on recon, how he picks research topics, etc.
In the video writeup, @filedescriptor solves Intigriti’s May XSS challenge. He shows how to trigger XSS by chaining a Relative Path Overwrite (RPO) with an open redirect. A nice opportunity to learn about RPOs and less obvious XSS!
5. Tutorials of the week
– How to examine iOS network traffic over an iOS cable.
– Penetration Tester’s Guide to Evaluating OAuth 2.0 — Authorization Code Grants
The usual method for proxying iOS traffic through Burp opens a Burp proxy listener that is exposed to the local network. But what if you’re on a public network and do not want to expose it? @heald_ben shows how to avoid that by using a jailbroken iOS device, an Apple cable, iproxy, and SSH tunneling.
The second tutorial is an introduction to OAuth security. It includes a summary of how OAuth 2.0 works (specifically the Authorization Code Grant), and how to test for some common security issues. I love how everything is structured. It provides a good basis to expand upon each time a new attack is discovered.
Other amazing things we stumbled upon this week
- Security Now 767 – WiFi 6
- Risky Business #584 — Nation-backed attackers own easyJet, jump airgaps, hack ports
- A Day in the Life of an Ethical Hacker Podcast Series: Interview with Nik Srivastava, Synack Red Team Member
- Cyberpunks Episode 9 – Penetration testing with Abartan Dhakal & 10 – Attack Surfaces with Abartan Dhakal
- Cyber Work Podcast – What’s new in Ethical Hacking: Latest careers, skills and certifications
- 7MS #415: Cyber News
- SWN #35 – DEFCON Safe Mode, Ransomware Gangs, & SpaceX to ISS
- SWN #36 – Danny Trejo, Animal Crossing, Contact Tracing, & SaltStack – Wrap Up
- PSW #652 – Stuxnet, RCE’s Everywhere, & Breach Chaos
- Naked Security Podcast S2 Ep 40: Demonic printers, a sleazy stalker and 10 reasons to patch
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
More tools, if you have time
- WeirdAAL & Update info: AWS Attack Library
- CustomWordlistgenerator & Introduction: Python tool that takes a CMS repo/folder as input and generates a custom word-list based on its contents
- Safecopy: Burp Extension for copying requests safely when reporting vulnerabilities. It redacts headers like Cookie, Authorization & X-CSRF-Token
- H1 Report Finder: A Burp Suite extension that helps security researchers find public security reports published on HackerOne based on the selected host
- localdataHog: String-based secret-searching tool (high entropy and regexes) based on truffleHog
- git-wild-hunt: A tool to hunt for credentials in the GitHub wild, AKA git*hunt
- Decompiler: A decompiler extension for VS Code, that leverages Ghidra, IDA Pro & JadX/JD-CLI/dex2jar
- phpunit-brute: Tool to try multiple paths for PHPunit RCE CVE-2017-9841
- Powerob: An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.
- Scout: A .NET assembly for performing recon against hosts on a network
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/15/2020 to 05/22/2020.
Curated by Pentester Land & Sponsored by Intigriti