Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 08 to 15 of November.
Our favorite 5 hacking items
1. Videos of the week
The Act of Balancing: Burnout in Cybersecurity with Chloé Messdaghi!
10 GREAT habits for bug bounty hunters (and a productive life)
A lot of us bug hunters and pentesters have to deal with burnout. So, make sure to watch these two videos that are full of ideas to not only avoid it, but also to gain in productivity and general well-being. Fantastic tips by @ChloeMessdaghi and stokfredrik!
2. Writeups of the week
Smuggling an (Un)exploitable XSS
31k$ SSRF in Google Cloud Monitoring led to metadata exposure (Google, $31,337)
From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
@david_nechuta goes over a blind SSRF in Google that was tricky to exploit. @MrTuxracer shows how he chained an uninteresting request smuggling vulnerability with a hard to exploit header-based XSS to escalate their impact. @bananabr’s writeup details how he used LiveDOM++ to find a new DOMPurify bypass.
These are all great findings and highly recommended to read!
3. Tool of the week
Untrusted Types is a Chrome extension by @filedescriptor that abuses Trusted Types to log DOM XSS sinks. It is handy for tracing sink to source and source to sink when testing for DOMS XSS, and also for finding script gadgets to bypass the CSP.
4. Vulnerability of the week
SAD DNS & SAD DNS Explained
SAD DNS stands for “Side-channel AttackeD DNS” and is not just another vulnerability that get its own name and site. It bypasses mitigations for DNS Cache Poisoning attacks, and makes it possible again to poison DNS resolvers and forwarders using ICMP as a side-channel.
DNS providers are working on fixing it as it effectively breaks DNS. Anyone could exploit it to re-route traffic to their own servers. A fascinating dive into DNS security!
5. Tutorial of the week
Deep Dive into Site Isolation (Part 1)
This blog post explains how Site Isolation works in Chrome and mitigates attacks like Universal XSS and Spectre. Jun Kokatsu (@shhnjk) studied it and found 10+ bugs in the Chrome bug bounty program! An excellent read if you’re into browser security, UXSS, or CORS / CORB testing.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- 4xxbypass: A tool that automates a number of well-known 403/401 bypassing techniques
- Asthook: Python tool for Android static and dynamic analysis
- 3klCon: Automation recon tool which works with large & medium scopes
- anewer: A rust version of TomNomNom’s anew. It appends lines from stdin to a file if they don’t already exist in the file
- xpcspy: Bidirectional XPC message interception and more. Powered by Frida
- Dredd: HTTP API Testing Framework. It’s a language-agnostic command-line tool for validating API description document against backend implementation of the API.
- enum4linux-ng: A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players
- Apollo: A .NET Framework 4.0 Windows Agent
- PYTMIPE & TMIPE: Python library and client for token manipulations and impersonations for privilege escalation on Windows
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2020 to 11/15/2020.