Bug Bytes #93 – Discord RCE, Vulnerable HTML to PDF converters & DOMPurify bypass demystified

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 11 to 18 of October.

Intigriti News

Security Snacks #2 – The Godzilla of bugs, The OST debate & The bug bounty of the year

Our favorite 5 hacking items

1. Article of the week

HTML to PDF converters, can I hack them?

Eduardo Muller evaluated a set of libraries that convert HTML code to PDF. He experimented with them to answer a series of questions and determine which ones are vulnerable to XSS, SSRF, Arbitrary file read or Denial of Service. If you’re looking for ways to differentiate yourself as a bug hunter, this type of research is particularly interesting.

2. Writeups of the week

Discord Desktop app RCE (Discord, $5,000)
Showcasing the Importance of Secure Defaults with a PyYAML 0day

The first writeup is a chain of three bugs that led to RCE in Discord: missing contextIsolation, XSS and a navigation restriction bypass. Great findings and writeup, especially for anyone interested in Electron app security.

The second writeup is an RCE in the PyYAML library. Applications that use this library to process untrusted input are vulnerable if they use load() instead of safe_load(). Ankur Sundara (@ankursundara) shows why secure defaults are important, as he convinces PyYAML to move to safe_load() as the default.
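To make the load() versus safe_load() point concrete, here is an added example (not code from the newsletter, the writeup or the PyYAML project). It feeds the same constructed YAML document, carrying a `!!python/object/apply` tag, to an unrestricted loader and to `safe_load()`. The tag resolves to the harmless `math.sqrt` so the effect is visible without side effects: the unrestricted loader imports the module and invokes the callable during parsing, while `safe_load()` refuses the document. It assumes PyYAML 5.1 or later, where `yaml.UnsafeLoader` exists.

```python
"""Added example: unrestricted yaml.load() versus the secure default yaml.safe_load().

Requires PyYAML (pip install pyyaml), 5.1 or newer.
"""
import yaml

# Constructed sample: looks like an ordinary config file, but the `limit` value
# carries a python/object/apply tag. An unrestricted loader turns that tag into
# "import math; math.sqrt(16)" while parsing. Any importable callable could
# stand in the place of math.sqrt, which is why untrusted YAML must never reach
# such a loader.
UNTRUSTED_DOC = """
name: demo
limit: !!python/object/apply:math.sqrt [16]
"""

# A plain document with only scalar types, which both loaders accept.
PLAIN_DOC = """
name: demo
limit: 4
"""


def load_unrestricted(text):
    """Mimics the pre-fix behaviour: arbitrary Python objects are constructed.

    yaml.UnsafeLoader is the explicit name for the old unrestricted yaml.load().
    """
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_safe(text):
    """Secure default: only plain YAML types (str, int, float, bool, list, dict, ...)."""
    return yaml.safe_load(text)


def classify(text):
    """Return 'rejected' if safe_load() refuses the document, otherwise 'ok'.

    PyYAML raises yaml.constructor.ConstructorError (a YAMLError subclass)
    when the SafeConstructor meets a tag it has no constructor for.
    """
    try:
        yaml.safe_load(text)
        return "ok"
    except yaml.YAMLError:
        return "rejected"


if __name__ == "__main__":
    # The unrestricted loader silently executed math.sqrt(16) during parsing.
    print("unrestricted:", load_unrestricted(UNTRUSTED_DOC))
    # The safe loader rejects the same input instead of constructing objects.
    print("safe_load:", classify(UNTRUSTED_DOC))
    print("plain doc:", load_safe(PLAIN_DOC))
```

The design point is the one the writeup makes: the dangerous behaviour is not a bug in the tag handling but the fact that the convenient entry point did it by default. Treating `safe_load()` as the only loader an application calls on external input, and reserving `UnsafeLoader` for data the process itself serialised, removes the class of issue rather than a single payload.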

3. Video of the week

DOMPurify bypass via namespace confusion

This is a step-by-step walkthrough of Michał Bentkowski’s (@SecurityMB) mutation XSS / DOMPurify bypass. It helps demystify sanitizer bypasses that look like incomprehensible dark magic. So, highly recommended!

4. Tools of the week

TheCl0n3r
PPScan

TheCl0n3r is a Python tool for downloading and managing your git repositories. It allows you to download/delete/update repos and keep them organised. This is so handy considering that most open source tools for pentest and bug bounty are hosted on GitHub.

PPScan is a Prototype Pollution scanner. If you install it as a Chrome extension, it will passively detect vulnerable instances. It is interesting to try since Prototype Pollution is so prevalent these days.

5. Webinars of the week

Hacking Android Apps with Frida
Mobile Hacking Workshop – Community Day & Material

These webinars are an excellent start to get into practical mobile app hacking. Between the two, you’ll learn about using Frida with bug bounty examples, and a series of vulnerabilities to look for by practicing on the intentionally vulnerable app InjuredAndroid. Excellent work by Richard Tan (@Sambal0x) and Kyle (@B3nac)!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • amass-tools: @ITSecurityguard’s scripts to extend Amass
  • APICheck: The DevSecOps toolset for HTTP APIs. An environment for integrating existing HTTP API tools and creating execution chains easily
  • pdf-grep: Grep through PDF files
  • host.io: A Comprehensive Domain Data API
  • Burp Multiplayer: A multiplayer plugin for Burp. Syncs in-scope requests/responses, comments, and highlights in real time.
  • Mail-Swipe: Script to create temporary email addresses and receive emails, using the 1secmail API
  • Driplane: Create an automatic alerting system or start automated tasks triggered by events. It lets you monitor a stream source such as Twitter, a file, an RSS feed or a website

Misc. pentest & bug bounty resources

Challenges

Articles

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/11/2020 to 10/18/2020.