Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 11 to 18 of October.
Our favorite 5 hacking items
1. Article of the week
HTML to PDF converters, can I hack them?
Eduardo Muller evaluated a set of libraries that convert HTML code to PDF. He experimented with them to answer a series of questions and determine which ones are vulnerable to XSS, SSRF, arbitrary file read or denial of service. If you’re looking for ways to differentiate yourself as a bug hunter, this type of research is particularly interesting.
2. Writeups of the week
Discord Desktop app RCE (Discord, $5,000)
Showcasing the Importance of Secure Defaults with a PyYAML 0day
The first writeup is a chain of three bugs that led to RCE in Discord: missing contextIsolation, XSS and a navigation restriction bypass. Great findings and writeup, especially for anyone interested in Electron app security.
The second writeup is an RCE in the PyYAML library. Applications that use this library to process untrusted input are vulnerable if they use load() instead of safe_load(). Ankur Sundara (@ankursundara) shows why secure defaults are important, as he convinces the PyYAML maintainers to make safe_load() the default.
3. Video of the week
DOMPurify bypass via namespace confusion
This is a step-by-step walkthrough of Michał Bentkowski’s (@SecurityMB) mutation XSS / DOMPurify bypass. It helps demystify sanitizer bypasses that look like incomprehensible dark magic. So, highly recommended!
4. Tools of the week
TheCl0n3r is a Python tool for downloading and managing your git repositories. It allows you to download, delete and update repos and keep them organised. This is handy considering that most open source tools for pentest and bug bounty are hosted on GitHub.
PPScan is a Prototype Pollution scanner. If you install it as a Chrome extension, it will passively detect vulnerable instances. It is interesting to try since Prototype Pollution is so prevalent these days.
5. Webinars of the week
Hacking Android Apps with Frida
Mobile Hacking Workshop – Community Day & Material
These webinars are an excellent start to get into practical mobile app hacking. Between the two, you’ll learn about using Frida with bug bounty examples, and a series of vulnerabilities to look for by practicing on the intentionally vulnerable app InjuredAndroid. Excellent work by Richard Tan (@Sambal0x) and Kyle (@B3nac)!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- GitHub – RCE via git option injection (almost) – $20,000 Bounty (GitHub, $20,000)
- GitHub Gist – Account takeover via open redirect – $10,000 Bounty (GitHub, $10,000)
- Leveraging XSS to Read Internal Files
- I had fun with this XSS
- [toolbox.teslamotors.com] HTML Injection via Prototype Pollution / Potential XSS
- Guest Blog Post: Rollback Attack (Mozilla)
- Weaponizing XSS For Fun & Profit ($2,200)
- Change the username for any Facebook Page (Facebook, $15,000)
- Getting New Invitations without Leaving Programs (HackerOne, $500)
See more writeups on The list of bug bounty writeups.
- amass-tools: @ITSecurityguard’s scripts to extend Amass
- APICheck: The DevSecOps toolset for HTTP APIs. An environment for integrating existing HTTP API tools and creating execution chains easily
- pdf-grep: Grep through PDF files
- host.io: A Comprehensive Domain Data API
- Burp Multiplayer: A multiplayer plugin for Burp. Syncs in-scope requests/responses, comments, and highlights in realtime.
- Mail-Swipe: Script to create temporary email addresses and receive emails, using the 1secmail API
- Driplane: Create an automatic alerting system or start automated tasks triggered by events. It allows you to keep a stream source under control, such as Twitter, a file, an RSS feed or a website
Misc. pentest & bug bounty resources
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/11/2020 to 10/18/2020.