Bug Bytes #72 – RCE in Google Cloud, Smuggling HTTP Headers & @filedescriptor’s RPO Challenge


Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 15 to 22 of May.

Our favorite 5 hacking items

1. Tool of the week

Axiom

Project Axiom is a set of utilities for deploying and managing your own dynamic infrastructure on Digital Ocean. It includes different commands that you can use to work with VPS instances from the command line. Examples of actions available are launching a VPS instance, backing it up, connecting to it with SSH, deploying a VPN, etc.

An awesome, convenient project for bug hunters, red teamers and pentesters!

2. Writeup of the week

RCE in Google Cloud Deployment Manager (Google, $31,337.00)

@epereiralopez found an SSRF that led to RCE on Google. Even though this finding required a really good understanding of Google Cloud Deployment Manager, he does an awesome job of explaining everything in this well written and descriptive writeup.

A highly recommended read whether you want to learn about SSRF/RCE, getting max bounties on Google, testing Google Cloud Deployment Manager, or how to write great writeups!

3. Article of the week

Smuggling HTTP headers through reverse proxies

@RobinVerton shares a very interesting HTTP header smuggling technique. It exploits differences in how reverse proxies and WSGI frameworks (e.g. Django & Flask) handle header names: the proxy filters on the literal header name, while WSGI normalises every name into an HTTP_* environ key (upper-cased, hyphens turned into underscores), so differently spelled names can collide on the backend.

If you’re wondering how this relates to existing HTTP request smuggling research… @albinowax’s techniques involved poisoning Web caches and desynchronizing systems. This new attack focuses on smuggling HTTP headers with the goal of bypassing authentication or taking over accounts. It is relatively easy to pull off, provided that you know or can guess the header names in play.

I’d also recommend checking out this article by The Daily Swig for a high-level summary.
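To make the header-name mismatch concrete, here is an added example (my own code, not from the newsletter or from @RobinVerton’s article) that models a naive reverse proxy in front of a WSGI backend. Everything in it is an assumption for illustration: the proxy drops client-supplied X-Forwarded-For by literal name and appends its own trusted value, the WSGI server builds HTTP_* keys as PEP 3333 describes and joins duplicate keys with a comma, and the app reads the left-most X-Forwarded-For entry as the client IP. The addresses are constructed test values.

```python
"""Added example: header-name normalisation gap between a reverse proxy and
a WSGI app. Not code from the page; all behaviours below are assumed models."""
from itertools import product

TRUSTED_CLIENT_IP = "198.51.100.7"   # constructed: address the proxy really sees
STRIPPED = {"x-forwarded-for"}        # header the proxy is supposed to overwrite


def header_spellings(name):
    """All spellings of `name` with each '-' kept or swapped for '_'.
    Every one collapses to the same WSGI environ key (see wsgi_environ),
    so this is the candidate list to send when probing a proxy filter."""
    parts = name.split("-")
    spellings = []
    for seps in product("-_", repeat=len(parts) - 1):
        spelled = parts[0]
        for sep, part in zip(seps, parts[1:]):
            spelled += sep + part
        spellings.append(spelled)
    return spellings


def proxy_forward(client_headers, client_ip):
    """Naive proxy (assumed): drop headers whose name literally matches
    STRIPPED (case-insensitively), then append its own trusted
    X-Forwarded-For. Returns the header list sent to the backend."""
    out = [(n, v) for n, v in client_headers if n.lower() not in STRIPPED]
    out.append(("X-Forwarded-For", client_ip))
    return out


def hardened_proxy_forward(client_headers, client_ip):
    """Fixed proxy (assumed): compare on the same canonical form the backend
    will produce, so every spelling that maps to HTTP_X_FORWARDED_FOR is
    dropped, not just the hyphenated one."""
    def canon(name):
        return name.lower().replace("_", "-")
    out = [(n, v) for n, v in client_headers if canon(n) not in STRIPPED]
    out.append(("X-Forwarded-For", client_ip))
    return out


def wsgi_environ(headers):
    """Build the CGI-style environ a WSGI server hands the app (PEP 3333):
    'HTTP_' + name upper-cased with '-' replaced by '_'. This model joins
    duplicate keys with a comma; real servers differ (first wins, last wins
    or join), which is why the outcome is implementation-specific."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = env[key] + "," + value if key in env else value
    return env


def client_ip_from_environ(env):
    """App side (assumed): take the left-most X-Forwarded-For entry as the
    client IP. Common, and exactly what makes the collision exploitable."""
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    return xff.split(",")[0].strip()


def smuggle(client_headers, client_ip, proxy=proxy_forward):
    """Run one request through proxy -> WSGI server -> app and return the
    IP the app believes the client has."""
    return client_ip_from_environ(wsgi_environ(proxy(client_headers, client_ip)))


# Constructed attacker request: a spelling the naive filter does not match.
ATTACK = [("Host", "app.example"), ("X-Forwarded_For", "127.0.0.1")]

if __name__ == "__main__":
    print("candidate spellings:", header_spellings("X-Forwarded-For"))
    print("plain X-Forwarded-For, naive proxy:",
          smuggle([("X-Forwarded-For", "127.0.0.1")], TRUSTED_CLIENT_IP))
    print("X-Forwarded_For, naive proxy:   ", smuggle(ATTACK, TRUSTED_CLIENT_IP))
    print("X-Forwarded_For, hardened proxy:",
          smuggle(ATTACK, TRUSTED_CLIENT_IP, proxy=hardened_proxy_forward))
```

Two practitioner caveats: the fix belongs on the proxy side (canonicalise before filtering, or reject any header name containing an underscore), and whether the underscore spelling even reaches the backend depends on the proxy, since nginx silently drops headers with underscores in their names unless underscores_in_headers is enabled.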

4. Videos of the week

@Agarri_Fr Talks About Burp Suite, SSRF, Security Research and Learning Web Application Hacking

Filedescriptor solves Intigriti’s XSS challenge | Exploiting an RPO attack on Firefox

These are two cool videos for anyone interested in Web app hacking and research. @NahamSec interviews @Agarri_FR, who specializes in Web app hacking and fuzzing. Even though he does less bug hunting now, he is still well-known for his past research on SSRF and XML fuzzing, which is still very relevant and referenced today, and for his unique advanced Burp training. So, it’s nice to get to know him, his learning process, how he manages to find bugs without focusing on recon, how he picks research topics, etc.

In the video writeup, @filedescriptor solves Intigriti’s May XSS challenge. He shows how to trigger XSS by chaining a Relative Path Overwrite (RPO) with an open redirect. A nice opportunity to learn about RPOs and less obvious XSS!

5. Tutorials of the week

How to examine iOS network traffic over an iOS cable.

Penetration Tester’s Guide to Evaluating OAuth 2.0 — Authorization Code Grants

The usual method for proxying iOS traffic through Burp opens a Burp proxy listener that is exposed to the local network. But what if you’re on a public network and do not want to expose it? @heald_ben shows how to avoid that by using a jailbroken iOS device, an Apple cable, iproxy, and SSH tunneling, so the traffic never leaves the cable.

The second tutorial is an introduction to OAuth security. It includes a summary of how OAuth 2.0 works (specifically the Authorization Code Grant), and how to test for some common security issues. I love how everything is structured. It provides a good basis to expand upon each time a new attack is discovered.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • WeirdAAL & Update info: AWS Attack Library
  • CustomWordlistgenerator & Introduction: Python tool that takes a CMS repo/folder as input and generates a custom word-list based on its contents
  • Safecopy: Burp Extension for copying requests safely when reporting vulnerabilities. It redacts headers like Cookie, Authorization & X-CSRF-Token
  • H1 Report Finder: A burpsuite extension that helps security researchers find public security reports published on h1 based on the selected host
  • localdataHog: String-based secret-searching tool (high entropy and regexes) based on truffleHog
  • git-wild-hunt: A tool to hunt for credentials in github wild AKA git*hunt
  • Decompiler: A decompiler extension for VS Code, that leverages Ghidra, IDA Pro & JadX/JD-CLI/dex2jar
  • phpunit-brute: Tool to try multiple paths for PHPunit RCE CVE-2017-9841
  • Powerob: An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.
  • Scout: A .NET assembly for performing recon against hosts on a network

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Coronavirus

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/15/2020 to 05/22/2020.

Curated by Pentester Land & Sponsored by Intigriti