Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 3 to July 10, 2020.
Our favorite 5 hacking items
1. Videos of the week
Ask me anything, with Burp Suite creator Dafydd Stuttard
URL validation bypass | Filedescriptor solves Intigriti’s XSS challenge
The first video is a fun one for Burp lovers. @DafyddStuttard answers questions we’ve all been wondering about: Why “Burp” and “PortSwigger”? Who is “Peter Wiener”? Why Java?…
The second video is a very informative walkthrough of our June XSS challenge. @filedescriptor goes through several solutions, including how to bypass a loose regex used for URL validation by supplying an IPv6 address as the host.
2. Writeup of the week
Art of bug bounty: a way from JS file analysis to XSS (Verizon Media & Tumblr, $1,000)
This is a well-written writeup on XSS via postMessage. @zoczus comments on portions of code to explain what led him to the bug. Highly recommended if you’re interested in DOM XSS!
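To make the bug class concrete, here is an added example (not code from the writeup above): the same postMessage listener in a vulnerable and a hardened form. The trusted origin, the message shape and the sample messages are assumptions; the DOM is replaced by a tiny stand-in so the logic runs in Node.

```javascript
// Added example (not code from the writeup): the same postMessage listener in a
// vulnerable and a hardened form. The DOM is replaced by a tiny stand-in so the
// logic runs in Node; in a page you would register the handler with
// window.addEventListener("message", e => hardenedHandler(e, element)).
const TRUSTED_ORIGIN = "https://app.example"; // assumed: the only origin allowed to post

// Stand-in for a DOM element: records what a handler writes into it.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: no origin check, and the message body goes straight into
// innerHTML, a DOM XSS sink. Any window that can get a reference to this one
// (opener, parent, embedded iframe) can deliver the payload.
function vulnerableHandler(event, el) {
  const msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  if (msg && msg.type === "render") {
    el.innerHTML = msg.html;
    return true;
  }
  return false;
}

// Hardened handler: exact origin comparison, a strict message schema, and a
// text sink so the content is never parsed as HTML.
function hardenedHandler(event, el) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // exact match, never indexOf/startsWith
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "render" || typeof msg.text !== "string") return false;
  el.textContent = msg.text;
  return true;
}

// Constructed sample messages: one from an attacker window, one from the trusted origin.
const attackerEvent = {
  origin: "https://evil.example",
  data: { type: "render", html: '<img src=x onerror="alert(document.domain)">' },
};
const trustedEvent = {
  origin: TRUSTED_ORIGIN,
  data: { type: "render", text: "<b>not markup</b>" },
};

// Run both handlers against the sample messages and report what reached the sinks.
function demo() {
  const vulnEl = makeElement();
  const hardEvil = makeElement();
  const hardOk = makeElement();
  return {
    vulnAccepted: vulnerableHandler(attackerEvent, vulnEl),
    vulnSink: vulnEl.innerHTML,
    hardRejectedEvil: !hardenedHandler(attackerEvent, hardEvil),
    hardAcceptedTrusted: hardenedHandler(trustedEvent, hardOk),
    hardSinkText: hardOk.textContent,
    hardSinkHtml: hardOk.innerHTML,
  };
}
```

When auditing a real handler, the three things to look at are exactly the three differences above: whether `event.origin` is compared with `===` against a fixed value (not `indexOf`, `endsWith` or a regex), whether the message is validated before use, and which sink the data ends up in.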
3. Article of the week
Six files that are also a valid PHP
This is a cool resource on creating files that are valid in two formats at once (e.g. GIF and PHP, or PHP and PDF). It might be helpful for bypassing file upload restrictions that only check a file’s magic bytes or declared content type.
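As an added illustration of the GIF + PHP case (example code written for this issue, not taken from the article), the block below builds a file that is a complete 1x1 GIF89a image and also valid PHP, then runs the two kinds of check an upload handler might apply. The PHP body is a harmless `echo` constructed for the demonstration.

```javascript
// Added example (not from the article): build a file that is a valid GIF and
// valid PHP at the same time, then apply the checks an upload handler might run.
// The PHP body is a harmless echo, constructed for the demonstration only.

// A complete 1x1 GIF89a image: header, logical screen descriptor, 2-entry
// global colour table, image descriptor, LZW data, trailer 0x3B (35 bytes).
function minimalGif() {
  return Buffer.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61,             // "GIF89a"
    0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,       // 1x1, global colour table, 2 colours
    0x00, 0x00, 0x00, 0xff, 0xff, 0xff,             // colour table: black, white
    0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
    0x02, 0x02, 0x44, 0x01, 0x00,                   // LZW min code size + one data block
    0x3b,                                           // trailer: decoders stop here
  ]);
}

// Append PHP after the trailer. Image decoders ignore everything after 0x3B;
// PHP echoes the binary prefix verbatim (it is outside any <?php tag) and then
// executes the code. The image bytes must not themselves contain "<?".
function buildGifPhpPolyglot(phpSource) {
  const image = minimalGif();
  if (image.includes("<?")) throw new Error("image bytes would confuse the PHP parser");
  return Buffer.concat([image, Buffer.from("\n"), Buffer.from(phpSource, "latin1")]);
}

// Check 1: magic bytes only, which is what many upload filters and
// getimagesize()-style checks amount to. The polyglot passes this.
function hasGifMagic(buf) {
  const magic = buf.subarray(0, 6).toString("latin1");
  return magic === "GIF87a" || magic === "GIF89a";
}

// Check 2: look for a PHP open tag anywhere in the body. The polyglot fails this.
function containsPhpOpenTag(buf) {
  return buf.includes("<?php") || buf.includes("<?=");
}

// Where the image ends: the trailer byte. Everything after it is the payload.
function trailerOffset(buf) {
  return buf.indexOf(0x3b);
}

const polyglot = buildGifPhpPolyglot('<?php echo "polyglot"; ?>');
```

Two caveats for anyone testing this on a real target: the appended code only matters if the server ends up executing the file as PHP (extension or handler mapping), and any server that re-encodes uploads with an image library drops everything after the trailer, which is one of the more reliable defences alongside never serving uploads from an executable location.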
4. Tools of the week
@_StaticFlow_ has added 3 new interesting tools to his collection:
Gofingerprint helps with Web server fingerprinting. This can be used to quickly identify specific types of servers in your historic data and test them for new vulnerabilities.
LORC (Low Orbit RECON Cannon) is a recon tool that distributes the work using a client/server architecture.
5. Tutorial of the week
An offensive guide to the Authorization Code grant
Yes, another article on OAuth 2.0 attacks! But I really like how this one is organized: For each parameter used in OAuth grant flows (e.g. state, code, redirect_uri…), it tells you what to look for. It’s like a high-level organized cheat sheet.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- IOXY (IoT + Proxy) & Intro: An MQTT intercepting proxy written in Golang. It supports MQTT, MQTTS and MQTT over WebSockets and has both a CLI and a GUI
- Introducing Chaos Bug bounty recon data API
- PAN-OS GlobalProtect Portal Scanner: Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface
- Foam: A personal knowledge management and sharing system inspired by Roam Research, built on Visual Studio Code and GitHub
- Urlgrab: A golang utility to spider through a website searching for additional links
- Pipx: Install and Run Python Applications in Isolated Environments & How it differs from pyenv/pipenv
- Fermion: An electron wrapper for Frida & Monaco
- aaaguirrep/pentest & Video tutorial: Docker image for pentest/bug bounty
- Slicer: A tool to automate the boring process of APK recon
- graftcp: A flexible tool for redirecting a given program’s TCP traffic to SOCKS5 or HTTP proxy
- Webgrep: Python tool for grepping Web pages
- DomainExtractor: Extract domains/subdomains/FQDNs from files and URLs, with a log of new domains found
- favihash: Subdomains enumeration via favicon.ico hashing
- SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
- GoGhost: High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan
- Cloudtopolis: A tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended
- LeakDB: Python tool that lets Red Teams build their own plaintext version of “Have I Been Pwned”
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/03/2020 to 07/10/2020.