Bug Bytes #77 – Exploiting unexploitable XSS, Wordlists galore & RCE from any website with Bitdefender


Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 19 to 26 June.

Our favorite 5 hacking items

1. Tip of the week

JS frameworks which simulate events and can turn an XSS that requires user-interaction into an XSS that doesn’t 🙂 & Demo

This is crazy. @freddyb had the idea to leverage events simulation in JavaScript frameworks, to bypass the user interaction required to exploit some XSS vulnerabilities. In other words, the XSS is triggered by simulating user actions instead of waiting for victims to actually perform the corresponding actions themselves.

This technique also works for hidden inputs. Time to revisit any old unexploitable XSS!

2. Writeups of the week

Exploiting Bitdefender Antivirus: RCE from any website

Simple story of some complicated XSS on Facebook

The first writeup by @WPalant is a cool combination of antivirus exploitation and remote web vulnerabilities. The gist is that Bitdefender handles HTTPS certificate errors itself (instead of delegating them to the browser), and leaks some sensitive tokens. Any website can read them and use them to start a session with the Safepay browser. RCE is then obtained by opening URLs like data:text/html,nada --utility-cmd-prefix="cmd.exe /k whoami & echo".

The second writeup is about two reflected XSS bugs found on Facebook. It reads like a fascinating investigation. @win3zz identified that MicroStrategy Web SDK was used, downloaded its source code, analyzed it, and transformed the bugs found into working exploits.

3. Tool of the week

Pencode

Pencode is a command line tool for creating complex encoding chains (e.g. urlencode(b64encode(hexencode(string)))). It can be used as a standalone tool or as a Go library. Handy for handling complex encoding in scripts!

@joohoi is also planning to add integration with ffuf.

4. Resources of the week

Golang HandleFunc wordlist by @d0nutptr

@NahamSec & @_StaticFlow_’s 1stleveldomainsbycount

PWDB – New generation of Password Mass-Analysis

Crafting a custom wordlist for python-flask webservers

This week’s been all about wordlists!

@d0nutptr shared the most used HTTP endpoints, found by analyzing 500 popular Golang repositories. This inspired @r0bre to build a similar wordlist for python-flask webservers by analyzing GitHub repositories. He shares both the resulting wordlist and details of the whole process.

@NahamSec & @_StaticFlow_ shared a list of subdomains built by scanning ~200 million IPs from bug bounty targets.

And @ahakcil collected 100 million leaked credentials and published stats on what he found, as well as wordlists of the most common passwords.

5. Tutorial of the week

Exploiting SSTI in Thymeleaf

This is a nice tutorial to bookmark. If you come across Thymeleaf, a Java template engine, you’ll know exactly how to test for SSTI, from detection payloads to real-world exploitation.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Getrelationship.py: Python script to get domain relationships using BuiltWith
  • Shaggy-rogers: Clojure lambda to scan blob files for sensitive content
  • Travis Grabber: Grabs all logs for all builds for any given Organisation from Travis CI. Similar to CILeek, but in Go
  • BugPoC: Burp Suite Extension to send raw HTTP Requests to the BugPoC HTTP PoC Generator (BugPoC.com)
  • ChopChop: Go tool for dynamic application security testing on web applications
  • disas-apk: All-in-one tool for automating Android app reverse engineering
  • Subvenkon: Subdomain enumerator which gathers information from Venkon
  • Physmem2profit: Create a minidump of a target host's LSASS process by analysing physical memory remotely
  • seeker: Accurately locate smartphones using social engineering
  • Securing Active Directory: Performing an Active Directory Security Review
  • Max & Intro: Scripts for maximizing BloodHound with a simple suite of tools
  • Talon & Intro: A tool designed to perform automated password guessing attacks while remaining undetected

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/19/2020 to 06/26/2020.