Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 19 to 26 June.
Our favorite 5 hacking items
1. Tip of the week
JS frameworks which simulate events and can turn an XSS that requires user interaction into an XSS that doesn’t 🙂 & Demo
This technique also works for hidden inputs. Time to revisit any old unexploitable XSS!
2. Writeups of the week
Exploiting Bitdefender Antivirus: RCE from any website
Simple story of some complicated XSS on Facebook
The first writeup by @WPalant is a cool combination of antivirus exploitation and remote Web vulnerabilities. The gist is that Bitdefender handles HTTPS certificate errors itself (instead of delegating them to the browser), and leaks some sensitive tokens. Any website can read them and use them to start a session with the Safepay browser. RCE is then obtained by opening URLs like:
data:text/html,nada --utility-cmd-prefix=\"cmd.exe /k whoami & echo\".
The second writeup is about two reflected XSS bugs found on Facebook. It reads like a fascinating investigation. @win3zz identified that MicroStrategy Web SDK was used, downloaded its source code, analyzed it, and transformed the bugs found into working exploits.
3. Tool of the week
Pencode is a command line tool for creating complex encoding chains (e.g. urlencode(b64encode(hexencode(string)))). It can be used as a standalone tool or as a Go library. Handy for handling complex encoding in scripts!
@joohoi is also planning to add integration with ffuf.
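As an added illustration of the chaining idea (not Pencode's own code; the step names and the Chain signature are this example's own), here is a minimal Go version that composes reversible codecs in the order given and can also undo the whole chain:

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
)

// codec is one reversible chain step; the names registered below are this example's own, not Pencode's.
type codec struct{ encode, decode func(string) (string, error) }
var codecs = map[string]codec{
	"hex": {
		func(s string) (string, error) { return hex.EncodeToString([]byte(s)), nil },
		func(s string) (string, error) { b, err := hex.DecodeString(s); return string(b), err },
	},
	"b64": {
		func(s string) (string, error) { return base64.StdEncoding.EncodeToString([]byte(s)), nil },
		func(s string) (string, error) { b, err := base64.StdEncoding.DecodeString(s); return string(b), err },
	},
	"url": {func(s string) (string, error) { return url.QueryEscape(s), nil }, url.QueryUnescape},
}

// Chain applies steps innermost-first: {"hex","b64","url"} yields urlencode(b64encode(hexencode(input))).
// With decode=true it runs the inverse functions in reverse order; unknown names and bad input are errors.
func Chain(input string, steps []string, decode bool) (string, error) {
	out := input
	for i := range steps {
		name, f := steps[i], codecs[steps[i]].encode
		if decode { // walk the chain outermost-first and use the inverse functions
			name = steps[len(steps)-1-i]
			f = codecs[name].decode
		}
		if f == nil { // a missing map key yields a zero codec with nil functions
			return "", fmt.Errorf("unknown codec %q", name)
		}
		var err error
		if out, err = f(out); err != nil {
			return "", fmt.Errorf("%s: %w", name, err)
		}
	}
	return out, nil
}

func main() {
	steps := []string{"hex", "b64", "url"}
	enc, _ := Chain("id", steps, false)
	dec, _ := Chain(enc, steps, true)
	fmt.Println(enc, dec) // Njk2NA%3D%3D id
}
```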
4. Resources of the week
Golang HandleFunc wordlist by @d0nutptr
@NahamSec & @_StaticFlow_’s 1stleveldomainsbycount
PWDB – New generation of Password Mass-Analysis
Crafting a custom wordlist for python-flask webservers
This week’s been all about wordlists!
@d0nutptr shared the most used HTTP endpoints, found by analyzing 500 popular Golang repositories. This inspired @r0bre to build a similar wordlist for python-flask webservers by analyzing GitHub repositories. He shares both the resulting wordlist and details of the whole process.
@NahamSec & @_StaticFlow_ shared a list of subdomains built by scanning ~200 million IPs from bug bounty targets.
And @ahakcil collected 100 million leaked credentials and published stats on what he found, as well as wordlists of the most common passwords.
5. Tutorial of the week
Exploiting SSTI in Thymeleaf
This is a nice tutorial to bookmark. If you come across Thymeleaf, a Java template engine, you’ll know exactly how to test for SSTI, from detection payloads to real-world exploitation.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Getrelationship.py: Python script to get domain relationships using BuiltWith
- Shaggy-rogers: Clojure lambda to scan blob files for sensitive content
- Travis Grabber: Grabs all logs for all builds for any given Organisation from Travis CI. Similar to CILeek, but in Go
- BugPoC: Burp Suite Extension to send raw HTTP Requests to the BugPoC HTTP PoC Generator (BugPoC.com)
- ChopChop: Go tool for dynamic application security testing on web applications
- disas-apk: All-in-one tool for automating Android app reverse engineering
- Subvenkon: Subdomain enumerator which gathers information from Venkon
- Physmem2profit: Create a minidump of a target host's LSASS process by analysing physical memory remotely
- seeker: Accurately locate smartphones using social engineering
- Securing Active Directory: Performing an Active Directory Security Review
- Max & Intro: Scripts for maximizing BloodHound with a simple suite of tools
- Talon & Intro: A tool designed to perform automated password guessing attacks while remaining undetected
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/19/2020 to 06/26/2020.