Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 18 to 25 October.
Our favorite 5 hacking items
1. Article of the week
Secret Fragments: Remote Code Execution On Symfony Based Websites
This is excellent research by @ambionics on a misconfiguration that leads to RCE on Symfony-based applications. The idea is to guess, brute-force or bypass the secret used to sign /_fragment requests, which allow running arbitrary PHP code. Everything is detailed in this thorough article, from the theory of how fragments work to obtaining the secret and exploiting it in practice.
2. Writeups of the week
Samsung S20 – RCE via Samsung Galaxy Store App (Samsung)
GitHub Pages – Multiple RCEs via insecure Kramdown configuration – $25,000 Bounty (Github, $25,000)
These are brilliant writeups on vulnerabilities that led to RCE. F-Secure Labs found a bug chain that allowed attackers to install any application on the Galaxy Store without user consent. They intended to use it for Pwn2Own 2020, but Samsung patched it before the event.
The second writeup by William Bowling (@wcbowling) shows how he found a couple of RCEs on GitHub Pages. They allowed anyone with permission to create and build a GitHub Pages site to execute commands on the GitHub Enterprise Server instance. He actually found three bugs recently that got him $61k in total, including an interesting GitHub Gist – Account takeover via open redirect.
3. Tools of the week
GWTMap & Intro
GWTMap is a Python tool for reverse engineering Google Web Toolkit applications. Its introduction article is worth reading as it sums up the state of the art of GWT hacking, existing tools and how this new one can help map the attack surface of GWT apps.
LiveDOM+++ is an online tool by Michał Bentkowski (@SecurityMB) who specializes in browser security and recently published a cool DOMPurify bypass. This tool helps him “compare various HTML parsers in browsers (DOMParser, template.innerHTML and others) and to easily test sanitizers (like DOMPurify)”. A nice playground for anyone interested in XSS or bypassing sanitizers.
4. Tutorial of the week
Android Adb Reverse Tethering MiTM Setup
This is about setting up an Android app testing environment when you’re using a physical device and have to use a corporate VPN. The setup leverages Gnirehtet and proxychains to make the mobile device use your PC’s Internet connection over ADB, while routing traffic to Burp.
5. Video of the week
Why Cyber Security is Hard to Learn (Tips For Success!)
This is a great piece on why Cyber Security is so hard to learn. Beyond the difficulties most of us already know, it offers excellent advice including three different effective learning strategies, and the long-term mindset to be successful on your journey.
Other amazing things we stumbled upon this week
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Orkestra: Android Inspection framework
- tlds_hunt: DNS permutation tool to hunt for TLDs
- Procrustes: A bash script that automates the exfiltration of data over DNS in case we have a blind command execution on a server where all outbound connections except DNS are blocked
- BountyIt: A fuzzer written in Go for finding issues like XSS, LFI, RCE, SSTI… that detects issues using changes in content length and verifies them using signatures
- Substr3am: Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
- Taken: Take over AWS IPs and have a working PoC for subdomain takeover
- PwnDoc: Pentest Report Generator
- PyRDP 1.0: RDP man-in-the-middle (MITM) and library for Python with the ability to watch connections live or after the fact
- wsb-detect: C library to detect if you are running in Windows Sandbox
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/18/2020 to 10/25/2020.