Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 21 to 28 August.
Our favorite 5 hacking items
1. Resource of the week
GitLab’s Red Team Tech Notes
GitLab’s red team are sharing tech notes in this repo. It currently contains technical papers, talks, tools and red team exercises. The notes on testing Kubernetes and Google Cloud Platform are excellent resources.
They are also planning to share even more of their day to day work, so it is worth keeping an eye on this.
2. Writeup of the week
Stealing local files using Safari Web Share API
This is a writeup of a browser bug found in Safari. It leverages the Web Share API that allows for sharing links from the browser using other apps (e.g. mail and messaging apps in both iOS and Mac OS).
The bug works by publishing a malicious page containing a “Share with friends” button. When someone visits the page and shares it with someone, the local files referenced in the malicious page’s source code are automatically attached to the email or message. @h0wlu shows proofs of concept for leaking /etc/passwd and Safari’s browsing history.
This is not a critical bug. It requires user interaction and is similar to clickjacking. But I find it interesting that it exploits the new Web Share API and allows for stealing local files from any malicious website.
3. Article of the week
@SecurityMB shares his new research on prototype pollution. Most existing examples of exploitation focus on getting RCE in NodeJS. He wanted to find out the client-side impact instead.
The answer, in a nutshell, is that prototype pollution allows you to bypass HTML sanitizers. This is why “if you ever find a prototype pollution in Google Search, then you have XSS in the search field!”.
4. Tool of the week
mapCIDR is a Go library and CLI tool for performing operations on subnet/CIDR ranges. Given a subnet, it can return the list of IP addresses it contains, or slice it into multiple subnets.
This is helpful if you want to do distributed scanning of large networks. Another handy tool by @pdiscoveryio!
5. Webinar of the week
Webcast: Pretty Little Python Secrets – Episode 1 – Installing Python Tools and Libraries the Right Way
This webinar is a gift to any hacker wondering about the best way to install Python, how to manage different versions and avoid dependency hell, and how to create portable Python apps (the Python equivalent of JAR files).
And if you’re thinking “Why don’t you just use Docker?”, there is an argument for other tools mentioned. @byt3bl33d3r does a great job of answering all these questions.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Auth bypass: Leaking Google Cloud service accounts and projects
- My Hacking Adventures With Safari Reader Mode (Apple)
- Issue 795595: Security: chrome.devtools.inspectedWindow.eval executes within privileged pages (Google, $2,000)
- The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer (Google)
- From Copy&Paste XSS To Full Account Takeover!
- Remote Code Execution in Slack desktop apps + bonus (Slack, $1,750)
- Privilege escalation from any user (including external) to gitlab admin when admin impersonates you (GitLab, $10,000)
- An attacker can run pipeline jobs as arbitrary user (GitLab, $12,000)
- Ability to publish a paid theme without purchasing it. (Shopify, $2,000)
See more writeups on The list of bug bounty writeups.
If you don’t have time
- gdb_2_root: Python script that adds some useful commands to stripped vmlinux image
- jf: A wrapper around jq, to help you parse jq output
- bbr: An open source tool to aid in command line driven generation of bug bounty reports based on user provided templates
- Wappylyzer: Implementation of Wappalyzer in Python
- Monsoon & AMA: A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time
- ADBSploit: A python wrapper around ADB for exploiting and managing Android devices
- AWS Recon: Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata
- Google Account Finder: Website to look for info on Google accounts
- ReconSpider: Advanced OSINT Framework for scanning IP Address, Emails, Websites & Organizations. Also combines the capabilities of Wave, Photon & Recon Dog to do a comprehensive enumeration of attack surface
- slackcat: A simple way of sending messages from the CLI output to your Slack with webhook
- Bheem: A simple collection of small bash-scripts which runs iteratively to carry out day-to-day recon process and store output in an organized way
- Subrake: A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters
- Phirautee: A proof of concept PowerShell ransomware to use during internal infrastructure penetration testing or during the red team exercise to validate Blue Team/SOC response to ransom attacks
- Ansible-Red-EC2, Red-Route53-Interactive & Intro: Ansible roles for automating red team infrastructure
- PurpleSharp: C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/21/2020 to 08/28/2020.