By Anna Hammond
September 30, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 18 to 25 of September.
Redefining Impossible: XSS without arbitrary JavaScript
This is a guest article by Luan Herrera (@lbherrera_) who solved one of PortSwigger’s impossible XSS labs. He used several techniques including an obscure method to prevent a page from loading and a side-channel attack. A pretty advanced and informative XSS attack!
Universal XSS in Android WebView (CVE-2020-6506) (Google, Microsoft, Twitter…, $15,560+)
Chains on Chains: Chaining multiple low-level vulns into a Critical.
Exploiting Tiny Tiny RSS
I couldn’t choose only one writeup this week, as these are all excellent and focus on different topics.
The universal XSS is a great read if you want to learn about XSS in Android.
The second writeup is a beautiful chain of low/medium impact bugs that ended up becoming a “critical”. It involves blind XSS, CSP bypass, an exposed JWT generation page, lack of rate-limiting and sensitive information disclosure.
The Tiny Tiny RSS writeup is also a mix of vulnerabilities (XSS, SSRF & LFI) that led to RCE. It is really well written with everything explained, from source code review to mass exploitation.
Web Cache Deception For Beginners!
Todayisnew Talks About Bug Bounty, Meditation, Automation, Tooling and Making $1M in Bounties!
This is a great introduction to Web Cache Deception if you want to learn about it and find the topic too complex. Farah Hawa (@farah_hawa01) explains the gist of it in a very approachable way, with resources to go further.
Also, finally an interview with todayisnew (@codecancare)! He is known as a bug bounty millionaire, and for his kindness. It’s fantastic to see what he has to say about bug hunting, recon, tooling, meditation, burnout, etc.
Because of the coronapocalypse, Nicolas Grégoire (@Agarri_FR) moved his Burp Pro training online. He also started this new Twitter account, @MasteringBurp, to share all kinds of Burp tips.
For example, did you know that if the left part of a Collaborator hostname is “spoofed”, it is resolved to 127.0.0.1?
HunterSuite Assets was just publicly launched. It’s a free online database of subdomains of programs from all major bug bounty platforms. A fantastic resource but I wouldn’t use it as an only source of subdomain enumeration, rather as a comparison tool to find out where I stand in terms of recon results.
Burp head-up is an extension to toggle the Burp proxy and get its status with a global keyboard shortcut. It was created for i3 but could be adapted to other window managers.
This is so handy! Could someone port it to Mac OS, pretty please 🥺?
Hacking The U.S. Air Force and Verizon Media to Make $500,000 in Bounties!
Forever Free Push Notifications are Here | App – Notify-Me | Push Notifications For your Recon & Notify-Me app source code
The InfoSec & OSINT Show 26 – James Kettle and Becoming a Security Researcher
Security Now – Formal Verification – iOS 14 & Android 11 Security Features, DuckDuckGo Gets Big
BSides Singapore 2020 & Beware of the Shadowbunny – Using virtual machines to persist and evade detections
How to enhance BurpSuite (or any other Java app) font rendering
Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness
I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription & Part 2 – DCOM
Pandora FMS 742: Critical Code Vulnerabilities Explained #Web #CodeReview
Abusing Group Policy Caching #Windows #PrivEsc
cPanel UI & Permission bug leads to source code dump of millions of sites #Web
Security: Bitwarden Desktop app grants RCE to Bitwarden developers #Desktop #RCE
Backdoors and other vulnerabilities in HiSilicon based hardware video encoders #RCE #IoT
No buffers harmed: Rooting Sierra Wireless AirLink devices through logic bugs #RCE #LUA
Escaping the Dark Forest #SmartContract
The Return of Raining SYSTEM Shells with Citrix Workspace app #PrivEsc
CVE-2020-9964 – An iOS infoleak (Apple)
Taking down the SSO, Account Takeover in the Websites of Kolesa due to Insecure JSONP Call
Dangling DNS: AWS EC2 ($2,900)
Hacking the Medium partner program (Medium)
Reflected XSS on www.hackerone.com via Wistia embed code (HackerOne, $500)
[steam client] Opening a specific steam:// url overwrites files at an arbitrary location (Valve, $750)
CVE-2020-3187 – Unauthenticated Arbitrary File Deletion (U.S. Dept Of Defense)
See more writeups on The list of bug bounty writeups.
Hetty: HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
Duplicut: C tool that removes duplicates from massive wordlists (e.g. a billion entries and 10GB) without sorting them (for dictionary-based password cracking).
PostMessage POC Builder: @honoki’s tool to build POCs for cross-domain postMessage vulnerabilities
Offensive Terraform Modules: Automated multi-step offensive attack modules built with Infrastructure as Code (IaC)
gitjacker: Go tool for extracting content from sites that have an exposed .git directory
Cloudleaks & Intro: Search engine that indexes S3 buckets and their content
Whalescan: Vulnerability scanner for Windows containers, which performs several benchmark checks & checks for CVEs/vulnerable packages on the container
ReconNote: Python automated recon framework with a GUI
go-stare: A fast and light web screenshot tool that uses the Chrome DevTools Protocol instead of a headless browser
httpimg: Headless screenshot tool for web servers (uses wkhtmltoimage)
AutoDirbuster & Intro: Automatically Run and Save DirBuster Scans for Multiple IPs
Wappy: A CLI tool to discover technologies in web applications. It uses the wap library, a Python implementation of the Wappalyzer browser extension
Wafalyzer: Web Application Firewall (WAF) Detector
Critical Information Disclosure on WP Courses plugin exposes private course videos and materials
New Snort, ClamAV coverage strikes back against Cobalt Strike
Gamers fragged by surge in credential stuffing attacks during lockdown
Microsoft report shows increasing sophistication of cyber threats
CISA alert: Federal Agency Compromised by Malicious Cyber Actor
Windows XP source code leaked online, on 4chan, out of all places
Microsoft says it detected active attacks leveraging Zerologon vulnerability & As you’re scrambling to patch the scary ZeroLogon hole in Windows Server, don’t forget Samba – it’s also affected
Airbnb may be exposing private host inbox messages, bookings and earnings data
This Hacker Creates Fake Cheats That Make Cheaters Jump Off Buildings In-Game
Students Are Pushing Back Against Proctoring Surveillance Apps
NIST Overhauls “Security and Privacy Controls” Publication – Here’s What You Need To Know
Tribune Publishing apologizes for fake bonus offer in phishing-simulation email
Spain’s highway agency is monitoring speeding hotspots using bulk phone location data
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/18/2020 to 09/25/2020.