Bug Bytes #79 – Burp’s story, postMessage XSS on Tumblr & Go tools for faster recon


Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 03 to 10 July.

Our favorite 5 hacking items

1. Videos of the week

Ask me anything, with Burp Suite creator Dafydd Stuttard

URL validation bypass | Filedescriptor solves Intigriti’s XSS challenge

The first video is a fun one for Burp lovers. @DafyddStuttard answers questions we’ve all been wondering about: Why “Burp” and “PortSwigger”? Who is “Peter Wiener”? Why Java?…

The second video is a very informative walkthrough of our June XSS challenge. @filedescriptor goes through different solutions including how to bypass a loose regex used for URL validation, with IPv6.

2. Writeup of the week

Art of bug bounty: a way from JS file analysis to XSS (Verizon Media & Tumblr, $1,000)

This is a well-written writeup on XSS via postMessage. @zoczus comments on portions of code to explain what led him to the bug. Highly recommended if you’re interested in DOM XSS!

3. Article of the week

Six files that are also a valid PHP

This is a cool resource on creating files that have two formats (e.g. GIF + PHP, or PHP + PDF). It might be helpful for bypassing file upload restrictions.

4. Tools of the week

LORC

ParameterMiner

gofingerprint

@_StaticFlow_ has added 3 new interesting tools to his collection:

ParameterMiner takes a JavaScript file URL as input and returns all variable names found in the JS file.

Gofingerprint helps with Web server fingerprinting. This can be used to quickly identify specific types of servers in your historic data and test them for new vulnerabilities.

LORC (Low Orbit RECON Cannon) is a recon tool that distributes the work using a client/server architecture.

5. Tutorial of the week

An offensive guide to the Authorization Code grant

Yes, another article on OAuth 2.0 attacks! But I really like how this one is organized: For each parameter used in OAuth grant flows (e.g. state, code, redirect_uri…), it tells you what to look for. It’s like a high-level organized cheat sheet.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • IOXY (IoT + Proxy) & Intro: An MQTT intercepting proxy written in Golang. It supports MQTT, MQTTS and MQTT over WebSockets and has both a CLI and a GUI
  • JSMon & Intro: A JavaScript change monitoring tool for bug bounties
  • Introducing Chaos Bug bounty recon data API
  • PAN-OS GlobalProtect Portal Scanner: Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface
  • Foam: A personal knowledge management and sharing system inspired by Roam Research, built on Visual Studio Code and GitHub
  • Urlgrab: A golang utility to spider through a website searching for additional links

More tools, if you have time

  • Pipx: Install and Run Python Applications in Isolated Environments & How it differs from pyenv/pipenv
  • Fermion: An electron wrapper for Frida & Monaco
  • aaaguirrep/pentest & Video tutorial: Docker image for pentest/bug bounty
  • Slicer: A tool to automate the boring process of APK recon
  • CodeArgos: Detect and watch for changes to JavaScript files and scriptblocks of a target web app
  • graftcp: A flexible tool for redirecting a given program’s TCP traffic to SOCKS5 or HTTP proxy
  • Webgrep: Python tool for grepping Web pages
  • DomainExtractor: Extract domains/subdomains/FQDNs from files and URLs, with a log of new domains found
  • favihash: Subdomains enumeration via favicon.ico hashing
  • SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
  • GoGhost: High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan
  • Cloudtopolis: A tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended
  • LeakDB: Python tool that lets Red Teams build their own plaintext version of “Have I Been Pwned”

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/03/2020 to 07/10/2020.