By Anna Hammond
October 21, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 11 to 18 of October.
Security Snacks #2 – The Godzilla of bugs, The OST debate & The bug bounty of the year
HTML to PDF converters, can I hack them?
Eduardo Muller evaluated a set of libraries that convert HTML code to PDF. He experimented with them to answer a series of questions and determine which ones are vulnerable to XSS, SSRF, Arbitrary file read or Denial of Service. If you’re looking for ways to differentiate yourself as a bug hunter, this type of research is particularly interesting.
Discord Desktop app RCE (Discord, $5,000)
Showcasing the Importance of Secure Defaults with a PyYAML 0day
The firt writeup is a chain of three bugs that led to RCE in Discord: Missing contextIsolation, XSS and Navigation restriction bypass. Great findings and writeup especially for anyone interested in Electron apps security.
The second writeup is an RCE in the PyYAML library. Applications that use this library to process untrusted input are vulnerable if they use load() instead of safe_load(). Ankur Sundara (@ankursundara) shows why secure defaults are important, as he convinces PyYAML to move to safe_load() as the default.
DOMPurify bypass via namespace confusion
This is a setp-by-step walkthrough of Michał Bentkowski’s (@SecurityMB) mutation XSS / DOMPurify bypass. It helps demystify WAF bypasses that look like incomprehensible dark magic. So, highly recommended!
TheCl0n3r is a Python tool for downloading and managing your git repositories. It allows you to download/delete/update repos and keep them organised. This is so handy considering that most open source tools for pentest and bug bounty are hosted on GitHub.
PPScan is a Prototype Pollution scanner. If you install it as a Chrome extension, it will passively detect vulnerable instances. It is interesting to try since Prototype Pollution is so prevalent these days.
Hacking Android Apps with Frida
Mobile Hacking Workshop – Community Day & Material
These webinars are an excellent start to get into practical mobile app hacking. Between the two, you’ll learn about using Frida with bug bounty examples, and a series of vulnerabilities to look for by practicing on the intentionally vulnerable app InjuredAndroid. Excellent work by Richard Tan (@Sambal0x) and Kyle (@B3nac)!
New content discovery tools for FASTER recon (Pentesting webapps)
@Insidephd Talks About Bug Bounties, HackerOne’s Live Hacking Events & Creating Content for Hackers!
Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898) & CVE-2020-16898 – Exploiting “Bad Neighbor” vulnerability
Hacking HTTP CORS from inside out: a theory to practice approach & hacking-cors lab
Recon using a questionable source of information — pastebin.com
Fortinet SIEM vulnerability allows us to get RCE on internet exposed hosts #RCE #Web
Crouching T2, Hidden Danger #Apple
SICK-2020-004 – Hindotech HK1 TV Box – Root Privilege Escalation – Improper Access Control #SmartTV #IoT #EoP
CVE-2020-15157 “ContainerDrip” Write-up #Container
LoRaWAN & MQTT: What to Know When Securing Your IoT Network #IoT
Java deserialization vulnerability in QRadar RemoteJavaScript Servlet #Web
Abusing Predefined Cookies to Account Takeover in FlowCrypt #Web
GitHub – RCE via git option injection (almost) – $20,000 Bounty (GitHub, $20,000)
GitHub Gist – Account takeover via open redirect – $10,000 Bounty (GitHub, $10,000)
[toolbox.teslamotors.com] HTML Injection via Prototype Pollution / Potential XSS
Guest Blog Post: Rollback Attack (Mozilla)
Weaponizing XSS For Fun & Profit ($2,200)
Change the username for any Facebook Page (Facebook, $15,000)
Getting New Invitations without Leaving Programs (HackerOne, $500)
See more writeups on The list of bug bounty writeups.
amass-tools: @ITSecurityguard’s scripts to extend Amass
APICheck: The DevSecOps toolset for HTTP APIs. Environment for integrating existing HTTP APIs tools and create execution chains easily
pdf-grep: Grep through PDF files
host.io: A Comprehensive Domain Data API
Burp Multiplayer: A Multiplayer Plugin for Burp. Sync’s in-scope requests/responses, comments, and highlights in realtime.
Mail-Swipe: Script to create temporary email addresses and receive emails, using the 1secmail API
Driplane: Create an automatic alerting system or start automated tasks triggered by events. It allows you to keep under control a stream source as Twitter, a file, a RSS feed or a website
wordpress-plugin-list: WordPress Plugins List for Bruteforcing
Recipe for a successful phishing campaign (part 1/2) & Part 2/2
Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
How to trick your brain into learning something new, faster & more effectively
The Call for Applied Research on Offensive Security Tool Release
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/11/2020 to 10/18/2020.