Bug Bytes #94 – Breaking Symfony apps, Why Cyber Security is so hard to learn & how best to approach it

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 18 to 25 October.

Intigriti News

Security Snacks #3 – 2020 Threat landscape, Top 25 exploited vulnerabilities & The cost of a data breach

Our favorite 5 hacking items

1. Article of the week

Secret Fragments: Remote Code Execution On Symfony Based Websites

This is excellent research by @ambionics on a misconfiguration that leads to RCE on Symfony-based applications. The idea is to guess, brute-force or bypass the secret used to sign /_fragment requests, which allow running arbitrary PHP code. Everything is detailed in this thorough article, from the theory of how fragments work to obtaining the secret and exploiting it in practice.

2. Writeups of the week

Samsung S20 – RCE via Samsung Galaxy Store App (Samsung)
GitHub Pages – Multiple RCEs via insecure Kramdown configuration – $25,000 Bounty (GitHub, $25,000)

These are brilliant writeups on vulnerabilities that led to RCE. F-Secure Labs found a bug chain that allowed attackers to install any application on the Galaxy Store without user consent. They intended to use it for Pwn2Own 2020, but Samsung patched it before the event.

The second writeup by William Bowling (@wcbowling) shows how he found a couple of RCEs on GitHub Pages. They allowed anyone with permission to create and build a GitHub Pages site to execute commands on the GitHub Enterprise Server instance. He actually found three bugs recently that got him $61k in total, including an interesting GitHub Gist – Account takeover via open redirect.

3. Tools of the week

GWTMap & Intro
LiveDOM++

GWTMap is a Python tool for reverse engineering Google Web Toolkit applications. Its introduction article is worth reading as it sums up the state of the art of GWT hacking, existing tools and how this new one can help map the attack surface of GWT apps.

LiveDOM++ is an online tool by Michał Bentkowski (@SecurityMB), who specializes in browser security and recently published a cool DOMPurify bypass. This tool helps him “compare various HTML parsers in browsers (DOMParser, template.innerHTML and others) and to easily test sanitizers (like DOMPurify)”. A nice playground for anyone interested in XSS or bypassing sanitizers.

4. Tutorial of the week

Android Adb Reverse Tethering MiTM Setup

This is about setting up an Android app testing environment when you’re using a physical device and have to use a corporate VPN. The setup leverages Gnirehtet and proxychains to make the mobile device use the Internet connection of your PC over ADB, while routing traffic to Burp.

5. Video of the week

Why Cyber Security is Hard to Learn (Tips For Success!)

This is a great piece on why Cyber Security is so hard to learn. Beyond the difficulties most of us already know, it offers excellent advice including three different effective learning strategies, and the long-term mindset to be successful on your journey.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Orkestra: Android Inspection framework
  • tlds_hunt: DNS permutation tool to hunt for TLDs
  • Procrustes: A bash script that automates the exfiltration of data over DNS in case we have a blind command execution on a server where all outbound connections except DNS are blocked
  • BountyIt: A fuzzer written in Go for finding issues like XSS, LFI, RCE, SSTI… that detects issues using changes in content length and verifies them using signatures
  • Substr3am: Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
  • Taken: Take over AWS IPs and have a working PoC for subdomain takeover
  • PwnDoc: Pentest Report Generator
  • PyRDP 1.0: RDP man-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
  • wsb-detect: C library to detect if you are running in Windows Sandbox

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/18/2020 to 10/25/2020.