Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 25 September to 4 October.
Our favorite 5 hacking items
1. Video of the week
What’s the shortest domain? & Unicode Mapping on Domain names
In this video, @filedescriptor tackles the question of short domains. He goes over why they are interesting, how to buy short domains that do not cost thousands of dollars, and how you can use IDN and Unicode tricks to bypass SSRF/URL validation checks.
2. Writeups of the week
Story of a weird vulnerability I found on Facebook (Facebook)
Forcing Firefox to Execute XSS Payloads during 302 Redirects
The Powerful HTTP Request Smuggling 💪 ($17,050)
Here are three things these writeups taught me:
- 403 permission denied errors can be bypassed just by sending multiple simultaneous requests. This is how @amineaboud obtained authentication bypass and sensitive information disclosure on Facebook!
- If you find an XSS but cannot execute it because the payload is reflected in the HTTP response Location header, it’s not useless. @QKaiser shows how browsers can be forced to not follow a 302 redirect, and execute the XSS payload!
- Always try to escalate impact. @ricardo_iramar found HTTP request smuggling and escalated its impact from “Universal Redirect” worth $2,000 to full compromise of the target’s MDM and a $17,050 bounty.
3. Tool of the week
Rusolver is a lightweight DNS resolver in Rust by Eduard Tolosa (@edu4rdshl), the creator of Findomain. By default, it can resolve 1226 hosts per second on average. So speed is obviously a strength, but it would be interesting to test its accuracy compared to other tools such as massdns.
4. Article of the week
Stealing secrets from GitHub Actions & Intentionally vulnerable repo
This is excellent new research on GitHub Actions by Rojan Rijal (@uraniumhacker). He looked at GitHub Actions workflows and found that some misconfigured implementations can be exploited to exfiltrate secret tokens. Since this is caused by a misconfiguration and not a flaw inherent to GitHub, it is worth knowing about and testing for on bug bounty and pentest targets.
5. Tutorial of the week
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- feroxbuster: Forced browsing tool in Rust, similar to ffuf with a few notable differences
- XSScope & Intro: Advanced XSS payload generator to use for increasing impact
- RmiTaste: Allows security professionals to detect, enumerate, interact with and attack RMI services by calling remote methods with gadgets from ysoserial
- Gitdorker & Intro: A Python program to scrape secrets from GitHub through usage of a large repository of dorks
- Nuggets: Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
- FHC: Fast HTTP Checker in Rust
- Massprint: A Rust tool to do basic fingerprinting across a large number of hosts
- CertAlert: Online service that will alert you to a TLS/SSL Certificate that is due to expire
- HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser
- GHunt: OSINT tool to extract information from any Google Account using an email
- Salesforce Policy Deviation Checker
- Sharp Wifi Password Grabber: C# tool to retrieve clear-text Wi-Fi passwords saved on a workstation
- SMB AutoRelay: Bash script that automates the SMB/NTLM Relay technique for pentesting and red teaming exercises in active directory environments
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/25/2020 to 10/04/2020.