Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 04 to 11 October.
Our favorite 5 hacking items
1. Videos of the week
Unicode vulnerabilities that could byͥte you (Part of NorthSec 2020)
Masonhck3571 Talks About Being Disciplined, His Learning Process, and Full Time Bug Hunting!
These are two very informative videos. One is on Unicode vulnerabilities, including the latest research such as the HostSplit and HostBond attacks. The other is an interview with @Masonhck3571 on transitioning from a non-IT job to full-time bug hunting, how he chooses targets, his learning process, etc.
2. Writeups of the week
We Hacked Apple for 3 Months: Here’s What We Found
What an incredible writeup! A crew of five bug hunters (@samwcyo, @bbuerhaus, @nahamsec, @erbbysam and @StaticFlow) hacked on Apple for 3 months and found 55 vulnerabilities. They shared how it went and the list of vulnerabilities detected, with detailed writeups on 12 of them. It’s all the more impressive when you know that some of them have full-time jobs and that not all the bugs were disclosed (maybe including some new research).
As @hakluke says, an apple doesn’t taste as good now, it just tastes like vulnerabilities.
3. Tools of the week
bbrf-client & Intro
jwt-heartbreaker & Intro
BBRF is Pieter Hiele’s (@honoki) tool for storing bug bounty data. It is in Python, uses CouchDB and has a client-server architecture. It is meant to be combined with other recon tools to store/read the data collected on a program (subdomains, domains, IPs…). A very handy and well-documented tool!
jwt-heartbreaker is a Burp extension to passively scan for JWT tokens signed with a weak secret. I haven’t tried it yet but it looks interesting, especially if customized with an extended list of JWT secrets to test.
4. Article of the week
Evading defences using VueJS script gadgets
This is an excellent article on XSS in VueJS. It is packed with information on identifying and exploiting XSS created from VueJS script gadgets. A must if you’re into XSS or plan on testing VueJS sites!
5. Tutorial of the week
Salesforce Lightning – An in-depth look at exploitation vectors for the everyday community
Aaron Costello (@ConspiracyProof) published this in-depth tutorial on hacking Salesforce Lightning by exploiting common misconfigurations of the CRM. This offensive approach hasn’t been documented before, so it is very interesting for bug hunters and pentesters.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- Research: The mass CSRFing of .google.com/ products. (Google, $30,000)
- Watch your requests! Open redirect to a complete account takeover
- 6k$ Worth Account Takeover via IDOR in Starbucks Singapore (Starbucks, $6,000)
- JS is l0ve ❤️. ($5,000)
- SVE-2020-18025: Unauthorised access to Samsung secure folder files (Samsung, $3,750)
- Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program (Microsoft, $160,000)
- Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure (Microsoft)
- Transferring a public group to a private group doesn’t remove code from the Elasticsearch API search result (GitLab, $3,000)
- Windows only: arbitrary file read vulnerability in openssl s_server (OpenSSL)
See more writeups on The list of bug bounty writeups.
- GitLab Watchman & GitHub Watchman: Monitoring GitLab & GitHub for sensitive data shared publicly
- GLORP: A CLI-based HTTP intercept and replay proxy
- reesolve (ree): Tool to do dual-stack IPv4/IPv6 lookups for A & AAAA DNS records
- Asnap: Go tool that aims to make the recon phase easier by providing regularly updated data about which companies own which IPv4 or IPv6 addresses, and allows the user to automate initial port and service scanning
- tojson.py: Python tool to convert a simple string (found in JS files) to a JSON body, for brute-forcing API endpoints with many JSON parameters
- Trident: Automated password spraying tool
- A CrowdSec Primer: A Modern Replacement for Fail2Ban #BlueTeam
- rpc2socks: Post-exploitation client-server solution that allows dropping and remotely running a custom RPC + SOCKS-through-SMB server application on a #Windows target, from a Unix or Windows host
- SwiftBelt: A macOS enumeration tool inspired by harmjoy’s Windows-based Seatbelt enumeration tool
- Vulmap: Online Local Vulnerability Scanners Project for Windows & Linux
- WMIHACKER: A Bypass Anti-virus Software Lateral Movement Command Execution Tool
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/04/2020 to 10/11/2020.