Bug Bytes #85 – Google Firebase keys worth $30K, How to find a mentor & Abusing Content-Type for WAF bypass & other shenanigans


Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 14 to 21 August.

Our favorite 5 hacking items

1. Tutorials of the week

Multiple Android User Profiles

Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties

Did you know you could use multiple user profiles in Android, each with a different set of installed apps? It’s not something new but I’m just discovering this and see at least two applications for Android app testing.
As detailed in the tutorial, it helps with authorization tests since you can authenticate to the app you’re testing with different credentials. It also helps separate your normal phone apps for everyday usage from your testing environment.

The second tutorial goes over some undervalued Amass options. An interesting one, because bug hunting is not just about the tools you use, but mostly how you use them.

2. Writeups of the week

Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties

How to contact Google SRE: Dropping a shell in cloud SQL

These are fantastic findings and really well-written writeups.

@absshax found many hardcoded Firebase keys in multiple Android apps including ones from Google. He went on an investigation to figure out which keys would give him access to sensitive information or actions. One of them could be exploited to send push notifications to a billion users, facilitating phishing campaigns.
The whole writeup is worth reading with great attention if you want to do research and learn how to go from “Hey, I found a hardcoded key but I’m not sure what it does”, to real compromise with a $30K bounty.

The second writeup is a cool RCE on Google Cloud SQL. @wtm_offensi and @epereiralopez were able to abuse it and escalate their limited MySQL privileges to a root shell. It is interesting to see what a complex bug chain leading to RCE on Google looks like!

3. Resource of the week

Content-Type Research

@Black2Fan shared some tricks found by researching the Content-Type header. Browsers process it differently and mistakes in parsing can be used for CSRF and XSS. WAFs and Content-Type checks can be bypassed by specifying multiple types (e.g. “Content-Type: text/plain; application/json”).
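To show why the multiple-types trick matters to anyone maintaining a WAF rule or a framework-level Content-Type check, here is an added example (my own code, not part of the research linked above) that contrasts a permissive "is the expected type anywhere in the header?" check with a strict media-type parse that only accepts `type/subtype` followed by `name=value` parameters. Function names and the sample headers are constructed for the illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Permissive check of the kind that gets bypassed: it only asks whether the
# expected media type appears somewhere in the header value.
def naive_is_json(content_type: str) -> bool:
    return "application/json" in content_type.lower()

# RFC 7230 "token" characters, used for type, subtype, parameter names/values.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_RE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*$")
_PARAM_RE = re.compile(rf'^\s*({_TOKEN})=("(?:[^"\\]|\\.)*"|{_TOKEN})\s*$')

def parse_media_type(content_type: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Strict parse: exactly one type/subtype, then zero or more name=value
    parameters separated by ';'. Returns None on anything else, including a
    bare second media type smuggled where a parameter is expected.
    Limitation (kept simple on purpose): a ';' inside a quoted parameter
    value is treated as a separator and makes the header fail closed."""
    parts = content_type.split(";")
    media = _MEDIA_RE.match(parts[0])
    if not media:
        return None
    params: Dict[str, str] = {}
    for part in parts[1:]:
        param = _PARAM_RE.match(part)
        if not param:          # empty segment (trailing ';') or non key=value
            return None
        params[param.group(1).lower()] = param.group(2)
    return (f"{media.group(1)}/{media.group(2)}".lower(), params)

def strict_is_json(content_type: str) -> bool:
    parsed = parse_media_type(content_type)
    return parsed is not None and parsed[0] == "application/json"

if __name__ == "__main__":
    # Constructed sample headers, including the multi-type form from the research.
    for header in ("application/json; charset=utf-8",
                   "text/plain; application/json",
                   "application/json, text/plain",
                   "text/plain;"):
        print(f"{header!r:45} naive={naive_is_json(header)!s:5} strict={strict_is_json(header)}")
```

The ambiguous `text/plain; application/json` header passes the permissive check and is rejected by the strict parse; the strict parser fails closed on anything it cannot fully account for, which is the behaviour you want on the enforcement side.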

4. Conference of the week

LevelUp0x07 – Hack Another Day

I don’t know about you, but I haven’t finished watching hacker Summer Camp conferences, and here’s another one!
LevelUp 0x07 brings us new interesting talks like @InsiderPhd’s intro to AI for bug hunters or @hakluke’s talk on crushing bounties in your first 12 months. Other topics include reverse engineering obfuscated Android apps, recon, reviewing Chrome extensions, etc.

5. Non technical item of the week

How to Initiate Contact With a Mentor

If you’re wondering where to find a mentor, this blog post is just for you. @DanielMiessler gives clear actionable advice on what you need to do to ask for help or get mentorship.
The examples will also give you an idea of the fine line between positive messages for potential mentors and the ones that’d probably be ignored.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • gwen001/ejs.sh: Onliner to extract endpoints from JS files of a given host
  • crystal-subs & Writing a Subdomain Discovery Tool in Crystal: Simple subdomain discovery tool that uses the Shodan API to grab domain information
  • hunterio.sh: Script to gather emails from Hunter.io API
  • SuperSu Patcher & Creating a Custom Root by Patching SuperSU: A utility that patches the SuperSu binaries to evade common root detection techniques
  • CRLFuzz: A fast tool to scan CRLF vulnerability written in Go
  • Grex: A command-line tool and library for generating regular expressions from user-provided test cases
  • Digit: Extract endpoints from specific Git repository for fuzzing
  • Leecher: Python script that takes a list of URLs and builds a wordlist for content discovery based on the paths extracted
  • PaGoDo (Passive Google Dork): Automate Google Hacking Database scraping and searching
  • cisagov/crossfeed: External monitoring for organization assets
  • Checkov: Static code analysis tool for infrastructure-as-code
  • SharpEDRChecker: Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools
  • PowerShell Webserver: A PowerShell script that starts a webserver (without IIS). PowerShell command execution, script execution, upload, download and other functions are implemented

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/14/2020 to 08/21/2020.