Bug Bytes #82 – Timeless timing attacks, Grafana SSRF, Pizza & YouTube delicacies

By Anna Hammond

August 5, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from July 24 to 31.

Our favorite 5 hacking items

1. Videos of the week

How to start & 10 Tips For Crushing Bug Bounties in the First 12 Months

YES! @hakluke started a YouTube channel, and has already released five videos including these two about getting started (and crushing it) in bug bounty. He offers actionable advice in a very direct but nice tone.

2. Writeups of the week

CVE-2020-13379 – Unauthenticated Full-Read SSRF in Grafana

h@cktivitycon – Pizza Time (Web 750)

Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code

Three excellent writeups from three awesome bug hunters: @Rhynorater tells the story of a 0-day unauthenticated SSRF in Grafana. He found it by analyzing Grafana’s source code, then applied his research to bug bounty programs.

@buerhaus wrote an impressive writeup of the “Pizza Time” challenge from the HacktivityCon CTF. It involves a blind SQL injection via chat bot, blind XSS via file upload, some JS and API magic, SSRF, and path traversal!

@zseano shared a sweet information disclosure. I generally love his writeups because they show how creative thinking and a straightforward methodology enable him to find unique bugs that most hunters miss. This writeup is no exception!

3. Articles of the week

XSS Exploitation in Django Applications

Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections & h2time.py

The first article is about XSS in the context of Django apps. It goes over specifics of the Django templating engine, the XSS protections it offers, and why it does not prevent all XSS attacks, with different examples. @anthonypjshaw also shows a fuzzer he wrote to automate the detection of stored and reflective XSS in Django apps.

The second paper is about a new timing attack technique based on HTTP/2 multiplexing. It targets HTTP/2 webservers, Tor onion services, and Wi-Fi (EAP-pwd authentication). With Burp now supporting HTTP/2, this seems like a really interesting area to explore for bug hunters. There is also a Python implementation that helps test for this new attack.

4. Tutorial of the week

A Pentesters Guide – Part 5 (Unmasking WAFs and Finding the Source)

This is an excellent piece on bypassing WAFs like Cloudflare by finding your target’s Origin IP. It sums up not only several known techniques, but also others I’ve never heard about, like Crobat reverse lookups, or inducing the server to make a request to Burp Collaborator (revealing its real IP).

5. Tool of the week

GraphQL API Monitor

This is a Node.js tool by @dee__see for monitoring GraphQL APIs. It takes as input URLs that return GraphQL schema files or APIs that support introspection. If the URL contents change, it does a comparison with git diff and sends the results to your pre-configured Discord webhook. Handy!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • puredns: Wrapper around massdns, for accurately handling wildcard subdomains and DNS poisoning, and using clean public resolvers

  • pentesterland-writeups-cli: Querying Pentester Land’s curated collection of bug bounty writeups from command line

More tools, if you have time

  • Winstrument & Intro: An Instrumentation Framework for Windows Application Assessments

  • Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage

  • Urinteresting: Go script that takes URLs as input & returns a list of interesting ones

  • IsCloudflare: Go script to check if an IP is owned by Cloudflare

  • fastr3porter: Auto report generator for bug bounty hunters

  • wzrd: A repository of scripts designed to ease the execution of common tools with optimized commands while only requiring the basic input parameters

  • revp: Reverse HTTP proxy that works on Linux, Windows, and macOS

  • Invoke-WordThief: A PowerShell tool that extracts text from opened Microsoft Word documents and sends it over TCP to a remote Python listener

  • Chalumeau: An automated, extendable and customizable credential dumping tool based on PowerShell and Python

  • Mailpl0it: A small utility that hunts the homepage of exploit-db looking for user-supplied quer(y/ies) and notifies the user via email if an exploit is found for the supplied query

  • Depthcharge & Intro: A U-Boot hacking toolkit for security researchers and tinkerers

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/24/2020 to 07/31/2020.
