Bug Bytes #80 – CI/DC kung fu, Path traversal via email & Pro DevTool tips

bugbytes-80

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 10 to 17 of July.

Our favorite 5 hacking items

1. Videos of the week

Improve Your Hacking Skills Using Devtools | Bug Bounty Tips

Filedescriptor Talks About Learning Javascript for Hacking, Reconless, Hacking Twitter and More!

HUNTing with OptionalValue and hakluke

If you’re short on time and want to learn something really useful, watch the first video. In literally 5 minutes, @filedescriptor shares amazing Devtools tips for bug hunters. And if you can’t get enough of him, watch the @NahamSec interview (second video) where they discuss topics like recon, bug hunting methodology, learning JavaScript, etc.

The last video is an excellent introduction to the new HUNT Burp extension. A must watch if you want to learn what it is for and how to quickly start using it.

2. Writeup of the week

Write-up for a Path Traversal on Gravitee.io

Which impact level do you have in mind when you hear about HTML injection in emails?

If you’re thinking low or medium impact, check out this creative writeup. @Fisjkars injected an image tag with a path traversal payload as the URL. Since the HTML code injected was rendered server-side, it became a path traversal bug with access to sensitive files. In other words, HTML injection + email = Path traversal.

3. Articles of the week

Abusing GitLab Runners

Shaking secrets out of CircleCI builds – insecure configuration and the threat of malicious pull requests & circleci-logs

Both articles are about exploiting CI/DC tools for recon.

The first one shows how to use GitLab runner registration tokens you find to access the data of private Gitlab instances (even if you only have the token without context).

The second article extends past research on Travis-CI to CircleCI. It comes with a mini-CTF. Will you be able to find the flag before reading about the new technique?

4. Tool of the week

HeapProfiler Snapshot relative URL extractor

In the DevTools video mentioned above, @filedescriptor talked about using the Memory tab to extract API paths from heap snapshots. @smiegles took this idea and made it into a headless Node.js script that automates the process.

5. Resources of the week

OAuth 2.0 Playground & OAuth 2.0 Flow Simulator

If you find OAuth flows complicated to apprehend, these resources will be helpful. They are like demos that help see how different types of OAuth 2.0 and OpenID Connect flows work in practice.

The added value compared to just analyzing OAuth requests/responses on a bug bounty target, is that you’ll find explanations on back channel (backend) requests that aren’t visible in browsers.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Mitmdump script to dump incoming HTTP requests to Slack
  • PwnMachine & Intro: A self hosting solution based on docker aiming to provide an easy to use pwning station for bughunters
  • getjswords.py: Simple Python tool for find a unique words in javascript files, help the bughunters to create a wordlist for the company (e.g for brute force the hidden params,..etc)
  • Urlgrab: A golang utility to spider through a website searching for additional links
  • fdnssearch: Swiftly search FDNS datasets from Rapid7 Open Data

More tools, if you have time

  • Lazy: An example that shows how to create an axiom box that includes existing tools & resources
  • Pscan: A parallel scanner that utilises axiom to spin up servers and parallel scan using masscan
  • CodeArgos: Detect and watch for changes to Javascript files and scriptblocks of a target web app
  • postMessageFinder: A tool that checks if a set of urls contains one or more postMessage functions or eventhandlers
  • magiskfrida: Run frida-server on boot with Magisk
  • reNgine: A python automated recon framework (with GUI)
  • Bopscrk: Wordlists generation tool
  • Convert Text to SQL Char
  • SierraTwo: Simple reverse shell over Slack
  • SuperTruder: An intruder custom that gave me bounties
  • Netenum: A tool to passively discover active hosts on a network
  • SqlClient & Intro: POC for .NET mssql client for accessing database data through beacon

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/10/2020 to 07/17/2020.