Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 24 to 31 of July.
How to start & 10 Tips For Crushing Bug Bounties in the First 12 Months
YES! @hakluke started a Youtube channel, and already released five videos including these two about getting started (and crushing it) in bug bounty. He offers actionable advice in a very direct but nice tone.
CVE-2020-13379 – Unauthenticated Full-Read SSRF in Grafana
h@cktivitycon – Pizza Time (Web 750 )
Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code
Three excellent writeups from three awesome bug hunters: @Rhynorater tells the story of a 0-day unauthenticated SSRF in Grafana. He found it by analyzing Grafana’s source code, then applied his research to bug bounty programs.
@buerhaus wrote an impressive writeup of the “Pizza Time” challenge from the HacktivityCon CTF. It involves a blind SQL injection via chat bot, blind XSS via file upload, some JS and API magic, SSRF, and path traversal!
@zseano shared a sweet information disclosure. I generally love his writeups because they show how creative thinking and a straightforward methodology enable him to find unique bugs that most hunters miss. This writeup is no exception!
XSS Exploitation in Django Applications
Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections & h2time.py
The first article is about XSS in the context of Django apps. It goes over specifics of the Django templating engine, the XSS protections it offers, and why it does not prevents all XSS attacks with different examples. @anthonypjshaw also shows a fuzzer he wrote to automate the detection of stored and reflective XSS in Django apps.
The second paper is about a new timing attack technique based on HTTP/2 multiplexing. It targets HTTP/2 webservers, Tor onion services, and Wi-Fi (EAP-pwd authentication). With Burp now supporting HTTP/2, this seems like a really interesting area to explore for bug hunters. There is also a Python implementation that helps test for this new attack.
A Pentesters Guide – Part 5 (Unmasking WAFs and Finding the Source)
This is an excellent piece on bypassing WAFs like CloudFlare by finding your target’s Origin IP. It sums up not only several known techniques, but also others I’ve never heard about like Crobat reverse lookups, or inducing the server to make a request to Burp Collaborator (revealing its real IP).
GraphQL API Monitor
This is a node.js tool by @dee__see for monitoring GraphQL APIs. It takes as input URLs that return GraphQL schema files or APIs that support introspection. If the URL contents change, it does a comparison with git diff and sends the results to your pre-configured Discord webhook. Handy!
See more writeups on The list of bug bounty writeups.
puredns: Wrapper around massdns, for accurately handling wildcard subdomains and DNS poisoning, and using clean public resolvers
pentesterland-writeups-cli: Querying Pentester Land’s curated collection of bug bounty writeups from command line
Winstrument & Intro: An Instrumentation Framework for Windows Application Assessments
Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage
Urinteresting: Go script that takes URLs as input & returns a list of interesting ones
IsCloudflare: Go script to check if an IP is owned by Cloudflare
fastr3porter: Auto report generator for bug bounty hunters
wzrd: A repository of scripts designed to ease the execution of common tools with optimized commands while only requiring the basic input parameters
revp: Reverse HTTP proxy that works on Linux, Windows, and macOS
Invoke-WordThief: A Powershell tool that extracts text from opened Microsoft Word and sends it over TCP to remote Python listener
Chalumeau: An automated,extendable and customizable credential dumping tool based on powershell and python
Mailpl0it: A small utility that hunts the homepage of exploit-db looking for user supplied quer(y/ies) and notifies the user via email if an exploit is found for the supplied query
Depthcharge & Intro: A U-Boot hacking toolkit for security researchers and tinkerers
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/24/2020 to 07/31/2020.
