Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 01 to 08 November.
Our favorite 5 hacking items
1. Tips of the week
2. Writeups of the week
Facebook DOM Based XSS using postMessage (Facebook, $25,000)
Github: Widespread injection vulnerabilities in Actions (Github)
The first post by @samm0uda is about a beautiful bug chain resulting in DOM XSS on Facebook. A must-read if you’re interested in XSS, postMessage vulnerabilities or participating in BountyCon.
The second bug report is the reason why GitHub has deprecated the “set-env” and “add-path” workflow commands in GitHub Actions. @_fel1x found that they made Actions vulnerable to command injection attacks.
If you just want a high-level view of these complex findings, I recommend The Daily Swig’s coverage of both the Facebook bug and the GitHub Actions bug.
3. Video of the week
Hacking with OpenAI GPT-3 | Hacking Without Humans
@ngalongc and @filedescriptor experiment with OpenAI GPT-3 and share ideas on how to leverage it for bug hunting. So, this is about using AI to write bug reports, spot false positives in tool output and even detect logic flaws. An interesting glimpse into the future of bug hunting.
4. Tool of the week
Notify is @pdiscoveryio’s latest Go tool. Its main purpose is to pull results from Burp Collaborator instances and send notifications to Slack, Discord or the CLI. It also supports piping with any other tool, so it can notify you of that tool’s output too. A pretty handy utility!
5. Resource of the week
BugBountyHunter, Intro & A look inside BugBountyHunter’s member section
After @zseano brought down his excellent BugBountyNotes site, many of us were waiting for his promised new platform. Here it is finally!
BugBountyHunter.com is a Web security training site. The paid membership gives access to @zseano’s hacking methodology ebook, a private vulnerable Web application and reports triage. The free area includes challenges, guides, and an intentionally vulnerable Web application that sometimes has hidden flags to get free access to the membership area.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- 1000$ for Open redirect via unknown technique [BugBounty writeup] (GitLab, $1,000)
- From a 500 error to Django admin takeover ($3,000)
- Attack of the clones: Git clients remote code execution (Github)
- SMTP interaction theft via MITM (PortSwigger Web Security, $1,000)
- GitLab-Runner on Windows DOCKER_AUTH_CONFIG container host Command Injection (GitLab, $6,500)
- Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, … (GitLab, $5,000)
See more writeups on The list of bug bounty writeups.
- LemonBooster-v2: Automation and monitoring tool for bug bounty
- Aura: Python source code auditing and static analysis on a large scale
- MNS (monitor-new-subdomain): Python script to monitor new subdomains
- lorsrf: Python tool that brute-forces hidden parameters to find SSRF vulnerabilities using GET & POST methods
- rexsser: Burp extension that extracts keywords from responses using regexes & tests for reflected XSS on the target scope
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/01/2020 to 11/08/2020.