Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 10 to 17 July.
Our favorite 5 hacking items
1. Videos of the week
Improve Your Hacking Skills Using Devtools | Bug Bounty Tips
HUNTing with OptionalValue and hakluke
The last video is an excellent introduction to the new HUNT Burp extension. A must-watch if you want to learn what it is for and how to quickly start using it.
2. Writeup of the week
Write-up for a Path Traversal on Gravitee.io
Which impact level do you have in mind when you hear about HTML injection in emails?
If you’re thinking low or medium impact, check out this creative writeup. @Fisjkars injected an image tag with a path traversal payload as the URL. Since the HTML code injected was rendered server-side, it became a path traversal bug with access to sensitive files. In other words, HTML injection + email = Path traversal.
3. Articles of the week
Abusing GitLab Runners
Shaking secrets out of CircleCI builds – insecure configuration and the threat of malicious pull requests & circleci-logs
Both articles are about exploiting CI/CD tools for recon.
The first one shows how to use GitLab runner registration tokens you find to access the data of private GitLab instances (even if you only have the token, without any context about where it came from).
The second article extends past research on Travis-CI to CircleCI. It comes with a mini-CTF. Will you be able to find the flag before reading about the new technique?
4. Tool of the week
HeapProfiler Snapshot relative URL extractor
In the DevTools video mentioned above, @filedescriptor talked about using the Memory tab to extract API paths from heap snapshots. @smiegles took this idea and made it into a headless Node.js script that automates the process.
5. Resources of the week
OAuth 2.0 Playground & OAuth 2.0 Flow Simulator
If you find OAuth flows hard to grasp, these resources will be helpful. They are interactive demos that show how the different OAuth 2.0 and OpenID Connect flows work in practice.
The added value compared to just analyzing OAuth requests/responses on a bug bounty target is that you’ll find explanations of the back-channel (backend) requests that aren’t visible in the browser.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Mitmdump script to dump incoming HTTP requests to Slack
- PwnMachine & Intro: A self-hosting solution based on Docker aiming to provide an easy-to-use pwning station for bug hunters
- Urlgrab: A Go utility to spider through a website searching for additional links
- fdnssearch: Swiftly search FDNS datasets from Rapid7 Open Data
- Lazy: An example that shows how to create an axiom box that includes existing tools & resources
- Pscan: A parallel scanner that utilises axiom to spin up servers and parallel scan using masscan
- postMessageFinder: A tool that checks if a set of URLs contains one or more postMessage functions or event handlers
- magiskfrida: Run frida-server on boot with Magisk
- reNgine: A Python automated recon framework (with GUI)
- Bopscrk: Wordlists generation tool
- Convert Text to SQL Char
- SierraTwo: Simple reverse shell over Slack
- SuperTruder: An intruder custom that gave me bounties
- Netenum: A tool to passively discover active hosts on a network
- SqlClient & Intro: PoC .NET MSSQL client for accessing database data through a beacon
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/10/2020 to 07/17/2020.