Bug Bytes #92 – Pwning Apple for three months, XSS in VueJS, Hacking Salesforce Lightning & Unicode byͥtes

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 04 to 11 October.

Intigriti News

Our new weekly digest of notable InfoSec news
NEW HOODIES: Embrace the hacker stereotype, but do it with style!

Our favorite 5 hacking items

1. Videos of the week

Unicode vulnerabilities that could byͥte you (Part of NorthSec 2020)
Masonhck3571 Talks About Being Disciplined, His Learning Process, and Full Time Bug Hunting!

These are two very informative videos. One is on Unicode vulnerabilities, including the latest research such as the HostSplit and HostBond attacks. The other is an interview with @Masonhck3571 on transitioning from a non-IT job to full-time bug hunting, how he chooses targets, his learning process, etc.

2. Writeups of the week

We Hacked Apple for 3 Months: Here’s What We Found

What an incredible writeup! A crew of five bug hunters (@samwcyo, @bbuerhaus, @nahamsec, @erbbysam and @StaticFlow) hacked on Apple for 3 months and found 55 vulnerabilities. They shared how it went and the list of vulnerabilities detected, with detailed writeups on 12 of them. It’s even more impressive when you know that some of them have full-time jobs and that not all the bugs were disclosed (maybe including some new research).

As @hakluke says, an apple doesn’t taste as good now, it just tastes like vulnerabilities.

3. Tools of the week

bbrf-client & Intro
jwt-heartbreaker & Intro

BBRF is Pieter Hiele’s (@honoki) tool for storing bug bounty data. It is in Python, uses CouchDB and has a client-server architecture. It is meant to be combined with other recon tools to store/read the data collected on a program (subdomains, domains, IPs…). A very handy and well-documented tool!

jwt-heartbreaker is a Burp extension to passively scan for JWT tokens signed with a weak secret. I haven’t tried it yet but it looks interesting, especially if customized with even more JWT secrets to test.

4. Article of the week

Evading defences using VueJS script gadgets

This is an excellent article on XSS in VueJS. It is packed with information on identifying and exploiting XSS created from VueJS script gadgets. A must if you’re into XSS or plan on testing VueJS sites!

5. Tutorial of the week

Salesforce Lightning – An in-depth look at exploitation vectors for the everyday community

Aaron Costello (@ConspiracyProof) published this in-depth tutorial on hacking Salesforce Lightning by exploiting common misconfigurations of the CRM. This offensive approach hasn’t been documented before, so it is very interesting for bug hunters and pentesters.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • GitLab Watchman & GitHub Watchman: Monitoring GitLab & GitHub for sensitive data shared publicly
  • GLORP: A CLI-based HTTP intercept and replay proxy
  • reesolve (ree): Tool to do dual-stack IPv4/IPv6 lookups for A & AAAA DNS records
  • Asnap: Go tool that aims to make the recon phase easier by providing regularly updated data about which companies own which IPv4 or IPv6 addresses, and allows the user to automate initial port and service scanning
  • tojson.py: Python tool to convert a simple string (found in a JS file) into a JSON body, for brute-forcing API endpoints with many JSON parameters
  • Trident: Automated password spraying tool
  • A CrowdSec Primer: A Modern Replacement for Fail2Ban #BlueTeam
  • rpc2socks: Post-exploitation client-server solution that allows dropping and remotely running a custom RPC + SOCKS-through-SMB server application on a #Windows target, from a Unix or Windows host
  • SwiftBelt: A macOS enumeration tool inspired by harmjoy’s Windows-based Seatbelt enumeration tool
  • Vulmap: Online Local Vulnerability Scanners Project for Windows & Linux
  • WMIHACKER: An anti-virus-bypassing lateral movement command execution tool

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/04/2020 to 10/11/2020.