By Anna Hammond
August 5, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 24 to 31 of July.
How to start & 10 Tips For Crushing Bug Bounties in the First 12 Months
YES! @hakluke started a YouTube channel, and already released five videos including these two about getting started (and crushing it) in bug bounty. He offers actionable advice in a very direct but nice tone.
CVE-2020-13379 – Unauthenticated Full-Read SSRF in Grafana
h@cktivitycon – Pizza Time (Web 750 )
Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code
Three excellent writeups from three awesome bug hunters: @Rhynorater tells the story of a 0-day unauthenticated SSRF in Grafana. He found it by analyzing Grafana’s source code, then applied his research to bug bounty programs.
@buerhaus wrote an impressive writeup of the “Pizza Time” challenge from the HacktivityCon CTF. It involves a blind SQL injection via chat bot, blind XSS via file upload, some JS and API magic, SSRF, and path traversal!
@zseano shared a sweet information disclosure. I generally love his writeups because they show how creative thinking and a straightforward methodology enable him to find unique bugs that most hunters miss. This writeup is no exception!
XSS Exploitation in Django Applications
Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections & h2time.py
The first article is about XSS in the context of Django apps. It goes over specifics of the Django templating engine, the XSS protections it offers, and why it does not prevent all XSS attacks, with several examples. @anthonypjshaw also shows a fuzzer he wrote to automate the detection of stored and reflected XSS in Django apps.
The second paper is about a new timing attack technique based on HTTP/2 multiplexing. It targets HTTP/2 webservers, Tor onion services, and Wi-Fi (EAP-pwd authentication). With Burp now supporting HTTP/2, this seems like a really interesting area to explore for bug hunters. There is also a Python implementation that helps test for this new attack.
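To make the Django point concrete, here is an added example (not code from the article or from Django itself): a Django-free model of the template engine's autoescaping, which encodes exactly `& < > " '` (the behaviour of `django.utils.html.escape`), applied to four constructed template fragments. It shows that autoescaping holds in a quoted attribute but does nothing for an unquoted attribute, a `javascript:` URL in `href`, or output marked `|safe`, and includes a scheme allow-list as the fix for the URL case. All template fragments, payloads and function names are assumptions for illustration.

```python
# Added example, not code from the article: a Django-free model of Django's
# template autoescaping, used to show which contexts it protects and which it
# does not. django.utils.html.escape encodes exactly & < > " ' ; everything
# else (spaces, =, :, /) passes through untouched.
from urllib.parse import urlparse

ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def django_escape(value: str) -> str:
    """Mimic Django's escape() on a plain string."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


# Constructed template fragments (hypothetical, not from any real project).
TEMPLATES = {
    # Quoted attribute: the quote is encoded, so the value cannot break out.
    "quoted_attr": '<input value="{value}">',
    # Unquoted attribute: space and = are not escaped, so a new attribute
    # such as an event handler can be appended.
    "unquoted_attr": "<input value={value}>",
    # URL attribute: a javascript: URL contains no HTML metacharacters at all,
    # so escaping is a no-op; the scheme must be validated instead.
    "href": '<a href="{value}">profile</a>',
    # Output marked safe with |safe or mark_safe(): no escaping at all.
    "marked_safe": "<div>{value}</div>",
}

# Constructed payloads, one per context.
PAYLOADS = {
    "quoted_attr": '"><script>alert(1)</script>',
    "unquoted_attr": "x onmouseover=alert(1)",
    "href": "javascript:alert(1)",
    "marked_safe": "<img src=x onerror=alert(1)>",
}


def render(context: str, user_input: str, safe: bool = False) -> str:
    """Render a fragment the way Django would: autoescape unless |safe applies."""
    value = user_input if safe else django_escape(user_input)
    return TEMPLATES[context].format(value=value)


def still_exploitable(context: str) -> bool:
    """True if the escaped render still contains an executable payload."""
    html = render(context, PAYLOADS[context], safe=(context == "marked_safe"))
    markers = ("<script", "onmouseover=", 'href="javascript:', "onerror=")
    return any(m in html for m in markers)


def safe_href(url: str) -> str:
    """Fix for the href case: allow site-relative paths and http(s) URLs only."""
    url = url.strip()
    if url.startswith("/") and not url.startswith("//"):
        return url
    scheme = urlparse(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


if __name__ == "__main__":
    for ctx in TEMPLATES:
        print(f"{ctx:14} exploitable={still_exploitable(ctx)}")
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/u/1"))
```

The takeaway for testing Django targets: look for unquoted attributes, URL-bearing attributes and `|safe`/`mark_safe` in templates, since those are the places where the default protection is absent rather than bypassed.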
A Pentester's Guide – Part 5 (Unmasking WAFs and Finding the Source)
This is an excellent piece on bypassing WAFs like CloudFlare by finding your target’s Origin IP. It sums up not only several known techniques, but also others I’ve never heard about like Crobat reverse lookups, or inducing the server to make a request to Burp Collaborator (revealing its real IP).
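As an added example (not code from the guide), here is the triage step that sits between collecting candidate origin addresses and probing them: drop every address that belongs to Cloudflare, then build a curl line that pins the real hostname (SNI and Host header) to each remaining IP so a matching response confirms the origin. The DNS-history records are constructed sample data; the Cloudflare ranges are a snapshot of the published list and should be refreshed from cloudflare.com/ips-v4 before use.

```python
# Added example, not code from the guide: triage candidate origin IPs by
# discarding every address that belongs to Cloudflare, then build the direct
# probe. Network access is left to the operator; nothing here talks to a host.
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumed current at the time of writing; refresh from that URL before use.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_V4]


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


# Constructed sample of what a DNS-history / passive-DNS lookup for the
# target might return: (first_seen, record_type, value).
SAMPLE_HISTORY = [
    ("2018-03-02", "A", "203.0.113.10"),    # pre-CDN record
    ("2019-07-15", "A", "104.16.23.45"),    # Cloudflare
    ("2019-07-15", "A", "104.16.24.45"),    # Cloudflare
    ("2020-01-20", "MX", "203.0.113.25"),   # mail host, often on the origin network
    ("2020-02-11", "A", "198.51.100.7"),    # staging host seen in a subdomain record
]


def origin_candidates(history):
    """Unique IPs not owned by Cloudflare, oldest first (old records predate the CDN)."""
    seen, out = set(), []
    for _first_seen, _rtype, value in sorted(history):
        if value in seen or is_cloudflare(value):
            continue
        seen.add(value)
        out.append(value)
    return out


def probe_command(candidate: str, hostname: str) -> str:
    """curl line that pins the real hostname (SNI + Host header) to the candidate IP.
    A response matching the one served through Cloudflare confirms the origin."""
    return (f"curl -sk --max-time 5 --resolve {hostname}:443:{candidate} "
            f"https://{hostname}/ -o /dev/null -w '%{{http_code}} %{{size_download}}\\n'")


if __name__ == "__main__":
    for ip in origin_candidates(SAMPLE_HISTORY):
        print(probe_command(ip, "www.example.com"))
```

`--resolve` is preferred over a bare `-H "Host: ..."` against the IP because it also sets the TLS SNI, which many origins require before they will serve the right virtual host. A candidate that answers with the same status and body size as the CDN-fronted site is the one to report.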
This is a node.js tool by @dee__see for monitoring GraphQL APIs. It takes as input URLs that return GraphQL schema files or APIs that support introspection. If the URL contents change, it does a comparison with git diff and sends the results to your pre-configured Discord webhook. Handy!
HOURS & HOURS OF FREE CYBER SECURITY TRAINING??? (im loosing it)
Nmap – Firewall Evasion (Decoys, MTU & Fragmentation) & Nmap – Scan Timing And Performance
XSS Testing methodology demonstrated & 5 ways to test for IDOR demonstrated
Security Now – rwxrwxrwx – Garmin Outage, Twitter Hack Update, GnuTLS
The InfoSec & OSINT Show E18 – Simon Bennetts & Headless Automated Scanning with ZAP
Tribe of Hackers Podcast @_sn0ww – Social Engineer RedTeamer
Encryption Under ‘Full-Frontal Nuclear Assault’ By U.S. Bills
SANS webinars
Wayback Machine — A way forward in finding bugs (plus waywayback & waywayback-ffuf scripts)
Almost everything about Browser Security for beginners- Part2
The Regular Expression Denial of Service (ReDoS) cheat-sheet
Sometimes they come back: exfiltration through MySQL and CVE-2020-11579 #Web
Hacking Node.js with buffer overflows #JavaScript
Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin #Web
Local privilege escalation & Information disclosure in Origin #PrivEsc #Windows
Missing signature validation of JWT when alg=none (in dp3t-sdk-backend) #Web
IZI IZI, PWN2OWN ICS MIAMI #ICS #RCE
Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app #Mobile #Web
Windows Server Containers Are Open, and Here’s How You Can Break Out #Windows
Stealing your Paytm information using XSS (Paytm, $1,261)
Authorization bypass in Google’s ticketing system (Google-GUTS) (Google)
StillDNS Attack – Abusing of DNS interaction via CNAMEs loop – CloudFlare/Quad9 and PayPal DoS PoC (video writeup)
Exploiting popular macOS apps with a single “.terminal” file.
An unreproducible bug due to the load balancer, an unusual Open Redirect bug
Zoom Security Exploit – Cracking private meeting passwords (Zoom)
One Click to Compromise — Fun With ClickOnce Deployment Manifests (Microsoft)
Exposed Docker Registry (U.S. Dept Of Defense)
Bypass the CSP when popup with “javascript:” (Chromium, $500)
See more writeups on The list of bug bounty writeups.
puredns: Wrapper around massdns, for accurately handling wildcard subdomains and DNS poisoning, and using clean public resolvers
pentesterland-writeups-cli: Querying Pentester Land’s curated collection of bug bounty writeups from command line
Winstrument & Intro: An Instrumentation Framework for Windows Application Assessments
Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage
Urinteresting: Go script that takes URLs as input & returns a list of interesting ones
IsCloudflare: Go script to check if an IP is owned by Cloudflare
fastr3porter: Auto report generator for bug bounty hunters
wzrd: A repository of scripts designed to ease the execution of common tools with optimized commands while only requiring the basic input parameters
revp: Reverse HTTP proxy that works on Linux, Windows, and macOS
Invoke-WordThief: A Powershell tool that extracts text from opened Microsoft Word and sends it over TCP to remote Python listener
Chalumeau: An automated, extendable and customizable credential dumping tool based on PowerShell and Python
Mailpl0it: A small utility that hunts the homepage of exploit-db looking for user supplied quer(y/ies) and notifies the user via email if an exploit is found for the supplied query
Depthcharge & Intro: A U-Boot hacking toolkit for security researchers and tinkerers
RatCTF2020: September 5
Pentesting User Interfaces: How To Phish Any Chrome, Outlook, or Thunderbird User
Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
Levelup0x07 Hack Another Day: August 22
Hacker Jeopardy: Register before August 5/6
New Web Security Academy topic: Information disclosure vulnerabilities
End of the EU-FOSSA 2 Bug Bounty Program for Open Source Software
Google: Eleven zero-days detected in the wild in the first half of 2020
Today’s ‘mega’ data breaches now cost companies $392 million to recover from
Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks
BootHole (CVE-2020-10713)
Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns
New VPN flaws highlight proven pathway for hackers into industrial organizations & Remote Code Execution Risks in Secomea, Moxa, and HMS eWon ICS VPN Vulnerabilities: What You Need to Know
WordPress plugin vulnerability exposes 80,000 sites to remote takeover
Theoretical technique to abuse EMV cards detected used in the real world
Sneaky Doki Linux malware infiltrates Docker cloud instances
Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev
UK and US warn QNAP owners to upgrade firmware to block malware
Kaspersky: North Korean hackers are behind the VHD ransomware
US defense and aerospace sectors targeted in new wave of North Korean attacks
Garmin Pays Up to Evil Corp After Ransomware Attack — Reports
Three people have been charged for Twitter’s huge hack, and a Florida teen is in jail
Cerberus banking Trojan team breaks up, source code goes to auction
Secure by design: ClassNK updates maritime cybersecurity guidelines
Security professionals lose ‘central watering hole’ with demise of Peerlyst
FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins
EU sanctions Russian espionage unit, Chinese and North Korean firms
3 Things to be aware of to design the best Bug Bounty program
Zero Trust Model: What’s a Zero Trust Network in Cyber Security?
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/24/2020 to 07/31/2020.