Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 31 July to 07 August.
Our favorite 5 hacking items
1. Conferences of the week
DEF CON Safe Mode, DEF CON 28 Media server & Villages: AppSec Village, Red Team Village, Recon Village & Voting Village
Between these two conferences, there are enough videos and new research to keep anyone busy for weeks. There are so many valuable talks that I’m not sure where to start!
Just to give you an idea: @albinowax published his new research, which we’ll probably continue to hear about for months to come. @securinti presented an updated and longer version of his talk on pwning email systems. @jhaddix did a long version of his Bug Hunter Methodology workshop. @NahamSec and @_StaticFlow_ dropped some mind-blowing knowledge on identifying assets in the cloud (although the video hasn’t been shared yet). @heald_ben shared some cool findings on the Parse mobile app backend. @stokfredrik gave the ultimate answer to “How to get started in bug bounties”. @NotDeGhost and @ginkoid dived into WAF bypass techniques. @sajjadium and Seyed Ali demonstrated new Web Cache Deception techniques.
And this is just the tip of the iceberg!
2. Tool of the week
SSRF is the golden goose of vulnerability classes. Just when you think everything has been said about it, someone comes up with a novel technique!
On the occasion of Black Hat and DEF CON, @joshmdx presented a new way to exploit SSRF via TLS (as well as CSRF via image tags). The method is similar to SNI injection but relies on behaviors inherent to TLS instead of bugs in a particular implementation.
To help exploit this new type of SSRF, @joshmdx released TLS Poison. This is definitely worth diving into and testing for!
3. Article of the week
Web Cache Entanglement: Novel Pathways to Poisoning, How to use Param Miner to detect fat GET cache poisoning & New “Web cache poisoning” topic on Web Security Academy
@albinowax dropped his new research, Web cache entanglement, which builds on his previous work on Web cache poisoning. It takes advantage of esoteric cache behaviors and turns them into high-impact exploit chains. Examples of attacks demonstrated include persistently poisoning every page of an online newspaper, and disabling Firefox updates by changing a single character in a legitimate request.
There is a lot to digest to understand Web cache entanglement (an article, a whitepaper, a talk, a Web Security Academy topic with labs, and a tool, Param Miner, updated to support testing for it)! But my gut tells me this will be the focus of a lot of bug hunters, just as Web cache poisoning has been over the past year.
4. Writeup of the week
Vulnerabilities in the Openfire Admin Console
@shvetsovalex007 found an unauthenticated internal SSRF in Openfire. It is time to check your bug bounty notes for open ports 9090/http and 9091/https, to test for this!
5. Video of the week
Script Gadgets! Google Docs XSS Vulnerability Walkthrough
@LiveOverflow breaks down a very interesting XSS in Google spreadsheets. It is a complex finding that involves a chain of script gadgets and postMessage. An excellent example of a bug that is easily missed by automated tools.
Apart from technical details on the XSS, Google’s security team provided some explanations on why the bug existed. And Nickolay, who found the bug, chimed in to answer questions on his background and why he specializes in a specific type of bugs and apps.
Other amazing things we stumbled upon this week
- BOUNTY THURSDAYS (CVE-2020-13379, Hackers Summercamp, Hackthebox, Bughunters Methodology 4, Nucleai)
- STÖK Chats! Bug bounties, hacking, content creation, fear, motivation, veganism, love and life
- What to do when you feel directionless
- @thedawgyg AMA
- HACKING OAuth 2.0 FOR BEGINNERS!
- Account Takeover: From zero to System Admin using basic skills
- Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation: Blackhat/Defcon 2020
- Pentest Story Time: My Favorite Hacks
- Windows and Linux Privilege Escalation – OSCP 2020
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Vulnerability in new TouchID feature put iCloud accounts at risk of being breached (Apple)
- The feature works as intended, but what’s in the source?
- Refocusing in bug hunting, Bonus: An interestingly simple to test CSRF bypass
- CSRF PoC mistake that broke crucial functions for the end user/victim
- Apache Example Servlet leads to $$$$
- Blind SQL Injection at fasteditor.hema.com (HEMA)
- Reflected XSS at fotoservice.hema.nl (HEMA)
- Availing Zomato gold by using a random third-party wallet_id (Zomato, $2,000)
- Account takeover in cups.mail.ru (Mail.ru, $1,500)
- Private list members disclosure via GraphQL (Twitter, $2,940)
- Improper use of “path” parameter can be used to trick testers into leaking their Front-End PoC (BugPoC, $1,000)
- Full Read SSRF on Gitlab’s Internal Grafana (GitLab, $12,000)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Mole: A framework for identifying and exploiting out-of-band application vulnerabilities
- Link Lock: Distributed application to password-protect URLs using AES in the browser
- quoted-printable Parser: A Burp Suite extension to parse Content-Transfer-Encoding: quoted-printable emails received in Burp Collaborator’s SMTP
- reNgine & Intro: An automated reconnaissance framework
- FestIn: S3 Bucket Weakness Discovery
- Taser: Python3 resource library for creating security related tooling
- AutomatedHunter: Google Chrome Extension that automates testing fundamental Web Problems via Chrome
- Bucky: An automatic S3 bucket discovery tool
- Bug Bounty Recon (bbrecon) & Python library and CLI: Free Recon-as-a-Service API
- CWFF: Create your Custom Wordlist For Fuzzing
- rejig: An ansible+terraform suite to spawn and provision a virtual machine for attack purposes
- sshchecker: A fast dedicated SSH brute-forcing tool in Go, to check SSH login on a given list of IPs
- routopsy & Intro: A toolkit built to attack often overlooked networking protocols, like Dynamic Routing Protocols (DRP) & First-Hop Redundancy Protocols (FHRP)
- Smogcloud: Find AWS cloud assets that no one wants exposed
- PersistentJXA & Intro: Collection of macOS persistence methods and miscellaneous tools in JXA
- Aria Cloud & Intro: A Docker Container for remote pentesting over SSH or RDP, with a primary emphasis on cloud security tools and secondary on Active Directory tools
- ATTPwn: A Python tool designed to emulate adversaries conducting malware campaigns
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/31/2020 to 08/07/2020.