Bug Bytes #97 – Breaking Site Isolation, Untrusted Types, SAD DNS & 31k Google SSRF

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 08 to 15 of November.

Intigriti News

Avalanche of security updates, Zoom snooping & The 2020 business threat landscape

Our favorite 5 hacking items

1. Videos of the week

The Act of Balancing: Burnout in Cybersecurity with Chloé Messdaghi!
10 GREAT habits for bug bounty hunters (and a productive life)

A lot of us bug hunters and pentesters have to deal with burnout. So, make sure to watch these two videos that are full of ideas to not only avoid it, but also to gain in productivity and general well-being. Fantastic tips by @ChloeMessdaghi and stokfredrik!

2. Writeups of the week

Smuggling an (Un)exploitable XSS
31k$ SSRF in Google Cloud Monitoring led to metadata exposure (Google, $31,337)
From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass

@david_nechuta goes over a blind SSRF in Google that was tricky to exploit. @MrTuxracer shows how he chained an uninteresting request smuggling vulnerability with a hard to exploit header-based XSS to escalate their impact. @bananabr’s writeup details how he used LiveDOM++ to find a new DOMPurify bypass.

These are all great findings and highly recommended to read!

3. Tool of the week

Untrusted Types

Untrusted Types is a Chrome extension by @filedescriptor that abuses Trusted Types to log DOM XSS sinks. It is handy for tracing sink to source and source to sink when testing for DOMS XSS, and also for finding script gadgets to bypass the CSP.

4. Vulnerability of the week

SAD DNS & SAD DNS Explained

SAD DNS stands for “Side-channel AttackeD DNS” and is not just another vulnerability that get its own name and site. It bypasses mitigations for DNS Cache Poisoning attacks, and makes it possible again to poison DNS resolvers and forwarders using ICMP as a side-channel.

DNS providers are working on fixing it as it effectively breaks DNS. Anyone could exploit it to re-route traffic to their own servers. A fascinating dive into DNS security!

5. Tutorial of the week

Deep Dive into Site Isolation (Part 1)

This blog post explains how Site Isolation works in Chrome and mitigates attacks like Universal XSS and Spectre. Jun Kokatsu (@shhnjk) studied it and found 10+ bugs in the Chrome bug bounty program! An excellent read if you’re into browser security, UXSS, or CORS / CORB testing.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • 4xxbypass: A tool that automates a number of well-known 403/401 bypassing techniques
  • Asthook: Python tool for Android static and dynamic analysis
  • 3klCon: Automation recon tool which works with large & medium scopes
  • anewer: A rust version of TomNomNom’s anew. It appends lines from stdin to a file if they don’t already exist in the file
  • xpcspy: Bidirectional XPC message interception and more. Powered by Frida
  • Dredd: HTTP API Testing Framework. It’s a language-agnostic command-line tool for validating API description document against backend implementation of the API.
  • enum4linux-ng: A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players
  • Apollo: A .NET Framework 4.0 Windows Agent
  • PYTMIPE & TMIPE: Python library and client for token manipulations and impersonations for privilege escalation on Windows

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2020 to 11/15/2020.