Bug Bytes #86 – Stealing local files with Safari, Prototype pollution vs HTML sanitizers & A hacker’s mom learning bug bounty

By Anna Hammond

September 2, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 21 to 28 of August.

Our favorite 5 hacking items

1. Resource of the week

GitLab’s Red Team Tech Notes

GitLab’s red team are sharing tech notes in this repo. It currently contains technical papers, talks, tools and red team exercises. The notes on testing Kubernetes and Google Cloud Platform are excellent resources.

They are also planning to share even more of their day to day work, so it is worth keeping an eye on this.

2. Writeup of the week

Stealing local files using Safari Web Share API

This is a writeup of a browser bug found in Safari. It leverages the Web Share API that allows for sharing links from the browser using other apps (e.g. mail and messaging apps in both iOS and Mac OS).

The bug works by publishing a malicious page containing a “Share with friends” button. When someone visits the page and shares it with someone, it automatically adds to the email or message local files mentioned in the malicious page’s source code. @h0wlu shows proofs on concept for leaking /etc/passwd and Safari’s browsing history.

This is not a critical bug. It requires user interaction and is similar to clickjacking. But I find interesting that it exploits the new Web Share API and allows for stealing local files from any malicious website.

3. Article of the week

Prototype pollution – and bypassing client-side HTML sanitizers & Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

@SecurityMB shares his new research on prototype pollution. Most existing examples of exploitation focus on getting RCE in NodeJS. He wanted to find out the client-side impact instead.

The answer, in a nutshell, is that prototype pollution allows you to bypass HTML sanitizers. This is why “if you ever find a prototype pollution in Google Search, then you have XSS in the search field!”.

4. Tool of the week

mapCIDR

mapCIDR is a Go library and CLI tool for performing operations on subnet/CIDR ranges. Given a subnet, it can return the list of IP addresses it contains, or slice it into multiple subnets.

This is helpful if you want to do distributed scanning of large networks. Another handy tool by @pdiscoveryio!

5. Webinar of the week

Webcast: Pretty Little Python Secrets – Episode 1 – Installing Python Tools and Libraries the Right Way

This webinar is a gift to any hacker wondering about the best way to install Python, how to manage different versions and avoid a dependency hell, and how to create Python app portables (the equivalent of JARs files in Python).

And if you’re thinking “Why don’t you just use Docker?”, there is an argument for other tools mentioned. @byt3bl33d3r does a great job of answering all these questions.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • gdb_2_root: Python script that adds some useful commands to stripped vmlinux image

  • jf: A wrapper around jq, to help you parse jq output

  • bbr: An open source tool to aid in command line driven generation of bug bounty reports based on user provided templates

  • Wappylyzer: Implementation of Wappalyzer in Python

More tools, if you have time

  • Monsoon & AMA: A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time

  • ADBSploit: A python wrapper around ADB for exploiting and managing Android devices

  • AWS Recon: Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata

  • Google Account Finder: Website to look for info on Google accounts

  • ReconSpider: Advanced OSINT Framework for scanning IP Address, Emails, Websites & Organizations. Also combines the capabilities of Wave, Photon & Recon Dog to do a comprehensive enumeration of attack surface

  • slackcat: A simple way of sending messages from the CLI output to your Slack with webhook

  • Bheem: A simple collection of small bash-scripts which runs iteratively to carry out day-to-day recon process and store output in an organized way

  • Subrake: A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters

  • Phirautee: A proof of concept PowerShell ransomware to use during internal infrastructure penetration testing or during the red team exercise to validate Blue Team/SOC response to ransom attacks

  • Ansible-Red-EC2, Red-Route53-Interactive & Intro: Ansible roles for automating red team infrastructure

  • PurpleSharp: C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/21/2020 to 08/28/2020.

You may also like