Bug Bytes #95 – Spooky NAT Slipstreaming, WebLogic RCE in one GET request & Server-side vulnerabilities demystified

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from 25 October to 01 November.

Intigriti News

Intigriti’s November XSS Challenge
Security Snacks #4 – Psychotherapy patients blackmail, Trump vs Hackers & How not to use Microsoft 365

Our favorite 5 hacking items

1. Conference of the week

#Eko2020 Workshops | Rajanish Pathak, Rahul Maini & Harsh Jaiswal: Demystifying the Server Side & Slides

This is a great workshop on server-side vulnerabilities. It includes concise introductions to SSRF, XXE, Remote Code Execution and Reverse Proxy attacks. The case studies especially are very interesting.

2. Writeups of the week

Weblogic RCE by only one GET request — CVE-2020–14882 Analysis (in Vietnamese), Exploit, Bypass & AttackerKB analysis
Ability To Backdoor Facebook For Android

CVE-2020-14882 is a pre-authentication Remote Code Execution in Oracle WebLogic. It was patched, but a bypass was released a week later, and it is now being exploited in the wild. For pentesters and bug hunters, it is worth adding to testing workflows: it has a 9.8/10 CVSSv3 score and takes only one GET request to exploit.

The second writeup is about an insecure development deeplink that could have allowed backdooring Facebook for Android. It provides great insight into deeplink abuse, an excellent read on Android hacking!

3. Article of the week

NAT Slipstreaming

Samy Kamkar (@samykamkar) updated an old attack that tricks firewalls and NAT devices into giving access to machines not normally reachable from the Internet. After first reading about this incredible impact, I thought it was some kind of Halloween joke, but the attack is real. The lengthy writeup goes into all the technical details and prerequisites (Application Level Gateway support and that the victim visits a malicious site). If you just want the gist of it, here is a high-level TL;DR.

4. Tool of the week

Copy Request Response & Intro

Reporting, whether in bug bounty or pentest, can be tedious. This Burp extension will help, as it makes copying HTTP requests, responses and response headers quicker and easier. A fantastic idea, since copy/pasting these elements is always needed for reporting vulnerabilities.

5. Video of the week

How I made 1k in a day with IDORs! (10 Tips!)

Katie Paxton-Fear (@InsiderPhD) already has a couple of introductory videos on IDOR. With this new one, she digs deeper into the topic with 10 hunting tips and a recent bug she found. If you understand IDORs but struggle to find them on bug bounty programs, this might just be the video you need.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • NetblockTool & Intro: Python script that finds netblocks owned by a company
  • tld_detection.py: TLD matcher for any domain
  • Scrying: A tool for collecting RDP, web and VNC screenshots all in one place
  • iSH: Linux shell for iOS
  • Grype: A vulnerability scanner for container images and filesystems
  • Serval: A Netcat-style backdoor for pentesting and pentest exercises
  • Hot Manchego & Intro: Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library
  • CQOffensiveSecurity Toolkit: The Extreme Windows Offensive Security Toolkit for advanced Windows Infrastructure Penetration Testing

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2020 to 11/01/2020.