Bug Bytes #83 – Web cache entanglement, SSRF via TLS, AST injection & New swag shop

bugbytes-83

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 31 of July to 07 of August.

Our favorite 5 hacking items

1. Conferences of the week

h@cktivitycon 2020

DEF CON Safe Mode, DEF CON 28Media server & Villages: AppSec Village, Red Team Village, Recon Village & Voting Village

Between these two conferences, there is enough videos and new research to keep anyone busy for weeks. There are so many valuable talks that I’m not sure where to start!

Just to give you an idea: @albinowax published his new research we’re probably continue to hear about for months to come. @securinti presented an updated and longer version of his talk on pwning email systems. @jhaddix did a long version of his Bug Hunter Methodology workshop. @NahamSec and @_StaticFlow_ dropped some mindblowing knowledge on identifying assets in the cloud (although the video hasn’t been shared yet). @heald_ben shared some cool findings on the Parse mobile app backend. @stokfredrik gave the ultime answer to “How to get started in bug bounties”. @NotDeGhost and @ginkoid dived into WAF bypass techniques. @sajjadium and Seyed Ali demonstrated new Web Cache Deception techniques.

And this is just the tip of the iceberg!

2. Tool of the week

TLS Poison

SSRF is the golden goose of vulnerability classes. Just when you think everything has been said about it, someone comes up with a novel technique!

At the occasion of Black Hat and DEF CON, @joshmdx presented a new way to exploit SSRF via TLS (as well as CSRF via image tags). The method is similar to SNI injection but relies on behaviors inherent to TLS instead of bugs in a particular implementation.

To help exploit this new type of SSRF, @joshmdx released TLS Poison. This is definitely worth diving into and testing for!

3. Article of the week

Web Cache Entanglement: Novel Pathways to Poisoning, How to use Param Miner to detect fat GET cache poisoning & New “Web cache poisoning” topic on Web Security Academy

@albinowax dropped his new research, Web cache entanglement, that builds on his previous work on Web cache poisoning. It takes advantages of esoteric cache behaviors, and turns them into high impact exploit chains. Examples of attacks demonstrated include persistently poisoning every page of an online newspaper, and disabling Firefox updates by changing a single character in a legitimate request.

There is a lot to digest to understand Web cache entanglement (an article, a whitepaper, a talk, a Web Security Academy topics and labs, and a tool, param miner, updated to support testing for it)! But my gut tells me this will be the focus of a lot of bug hunters, just as Web cache poisoning has been the past year.

4. Writeup of the week

Vulnerabilities in the Openfire Admin Console

@shvetsovalex007 found an unauthenticated internal SSRF in Openfire. It is time to check your bug bounty notes for open ports 9090/http and 9091/https, to test for this!

5. Video of the week

Script Gadgets! Google Docs XSS Vulnerability Walkthrough

@LiveOverflow breaks down a very interesting XSS in Google spreadsheets. It is a complex finding that involves a chain of script gadgets and postMessage. An excellent example of a bug that is easily missed by automated tools.

Apart from technical details on the XSS, Google’s security team provided some explanations on why the bug existed. And Nickolay, who found the bug, chimed in to answer questions on his background and why he specializes in a specific type of bugs and apps.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Mole: A framework for identifying and exploiting out-of-band application vulnerabilities
  • Link Lock: Distributed application to password-protect URLs using AES in the browser
  • quoted-printable Parser: A Burp Suite extension to parse Content-Transfer-Encoding: quoted-printable emails received in Burpcollaborator’s SMTP
  • reNgine & Intro: An automated reconnaissance framework
  • FestIn: S3 Bucket Weakness Discovery

More tools, if you have time

  • Taser: Python3 resource library for creating security related tooling
  • AutomatedHunter: Google Chrome Extension that automates testing fundamental Web Problems via Chrome
  • Bucky: An automatic S3 bucket discovery tool
  • Bug Bounty Recon (bbrecon) & Python library and CLI: Free Recon-as-a-Service API
  • CWFF: Create your Custom Wordlist For Fuzzing
  • rejig: An ansible+terraform suite to spawn and provision a virtual machine for attack purposes
  • sshchecker: A ast dedicated SSH brute-forcing tool in Go, to check ssh login on a given list of IPs
  • routopsy & Intro: A toolkit built to attack often overlooked networking protocols, like Dynamic Routing Protocols (DRP) & First-Hop Redundancy Protocols (FHRP)
  • Smogcloud: Find AWS cloud assets that no one wants exposed
  • PersistentJXA & Intro: Collection of macOS persistence methods and miscellaneous tools in JXA
  • Aria Cloud & Intro: A Docker Container for remote pentesting over SSH or RDP, with a primary emphasis on cloud security tools and secondary on Active Directory tools
  • ATTPwn: A Python tool designed to emulate adversaries conducting malware campaigns

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/31/2020 to 08/07/2020.