Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 15 to 22 November.
Our favorite 5 hacking items
1. Videos of the week
Getting Organised: Making a //TODO list
Hacking 1Password | Episode 3 – Decrypting the data without Crypto Knowledge
@InsiderPhD shares the tools and time management techniques that allow her to get so much done as a PhD student, YouTuber and bug bounty hunter. If you’d like more hours in the day (who doesn’t?), you’ll probably find this insightful.
In the second video, @ngalongc continues his series on hacking 1Password. It is helpful to see his method for breaking down such a complex topic (decrypting the requests and responses of the 1Password app).
2. Writeups of the week
ImageMagick – Shell injection via PDF password
Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered & CVE-2020-13942 POC
Exploiting dynamic rendering engines to take control of web apps ($5,000)
Firefox: How a website could steal all your cookies & CVE-2020-15647 PoC (Mozilla, $5,000)
The first writeup is about OS command injection in ImageMagick. The payload is injected through the password passed with the “-authenticate” command line parameter, which is used to open a password-protected PDF. Because ImageMagick builds the Ghostscript delegate command as a shell command string, shell metacharacters in that password are interpreted by the shell.
The second writeup is about two RCE vulnerabilities in Apache Unomi (an MVEL and an OGNL expression injection, tracked under a single CVE) that got the maximum CVSS score of 10! I have a feeling some bug hunters are busy testing for “/context.json”…
The third writeup presents fantastic research on vulnerabilities in Web apps that use dynamic rendering engines. Everything is well explained, from what they are and how to identify them in black box testing to finding and exploiting the vulnerabilities.
The fourth bug is fixed, but the writeup is still very interesting for anyone who wants to see a real-life Android app vulnerability involving content providers, intents and the Same-Origin Policy (SOP).
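To make the ImageMagick bug class concrete, here is an added example (not ImageMagick’s code, and not from the writeup): a hypothetical wrapper that splices a user-supplied PDF password into a shell command string the way a delegate mechanism does. A harmless printf stands in for Ghostscript so you can see how the shell tokenises the password, next to two hardened variants: quoting the value, and avoiding the shell entirely.

```python
"""Added illustration of the bug class behind the ImageMagick writeup:
a user-supplied PDF password spliced into a shell command line.
This is a hypothetical wrapper, not ImageMagick's own delegate code."""
import shlex
import subprocess

# Constructed stand-in for the Ghostscript delegate command. The real
# delegate runs gs; here printf just echoes each argument it receives
# on its own line, so the shell's tokenisation becomes visible.
DELEGATE_TEMPLATE = "printf '%%s\\n' -sPDFPassword=%s"


def _sh(cmd: str) -> str:
    """Run a command string through /bin/sh, as a delegate mechanism does."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_vulnerable(password: str) -> str:
    """Raw interpolation: metacharacters in the password reach the shell."""
    return _sh(DELEGATE_TEMPLATE % password)


def run_quoted(password: str) -> str:
    """Same template, but the password is shell-quoted before interpolation."""
    return _sh(DELEGATE_TEMPLATE % shlex.quote(password))


def run_no_shell(password: str) -> str:
    """Best option: no shell at all, the password is exactly one argv element."""
    proc = subprocess.run(
        ["printf", "%s\n", "-sPDFPassword=" + password],
        capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed malicious password; a legitimate PDF password may
    # legitimately contain characters like ';' so rejecting them is not a fix.
    evil = "secret; echo INJECTED"
    print("vulnerable:", run_vulnerable(evil).splitlines())  # ['-sPDFPassword=secret', 'INJECTED']
    print("quoted:    ", run_quoted(evil).splitlines())      # ['-sPDFPassword=secret; echo INJECTED']
    print("no shell:  ", run_no_shell(evil).splitlines())    # ['-sPDFPassword=secret; echo INJECTED']
```

The vulnerable path prints a second line because the shell ran `echo INJECTED` as a separate command; both hardened paths deliver the whole password as a single argument. When auditing a wrapper around ImageMagick (or any tool that shells out to delegates), look for exactly this pattern: user data reaching a `system()`/`popen()`/`sh -c` string without quoting.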
3. Articles of the week
Privileged Container Escape – Control Groups release_agent
Real-life OIDC Security
The first article, by @ajxchapman, is about escaping privileged Docker containers to execute arbitrary commands on the container host via the cgroup release_agent mechanism. It is based on past work by @_fel1x. Pretty interesting for anyone who is into hacking CI/CD systems and containers!
The second article is the introduction to a seven-post series on OpenID Connect and Single Sign-On security. It includes analysis of several implementations and attack patterns, and examples of bugs reported to five vendors. Great research by _lauritz_ as part of his master’s thesis.
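The release_agent escape only works if you already hold CAP_SYS_ADMIN (needed to mount cgroupfs), which is what a privileged container gives you. As an added check that is not from the article, the script below decodes the CapEff mask from /proc/self/status, reports whether CAP_SYS_ADMIN is present, and lists any cgroup v1 release_agent files that are writable. The two status fragments embedded in it are constructed: Docker’s default capability mask and the full mask a --privileged container receives.

```python
"""Added check, not from the article: does this process look like it sits in
a privileged container, i.e. does the precondition for the release_agent
escape hold? Two signals: CAP_SYS_ADMIN in the effective capability set
(needed to mount cgroupfs) and a writable cgroup v1 release_agent file."""
import os
import re

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

# Subset of capability bit names, enough to decode common masks.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 23: "CAP_SYS_NICE",
    25: "CAP_SYS_TIME", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
    31: "CAP_SETFCAP",
}

# Constructed /proc/self/status fragments: Docker's default cap set and the
# full set a --privileged container gets on a kernel with 38 capabilities.
DOCKER_DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\n"


def effective_caps(status_text: str) -> int:
    """Parse the CapEff line of a /proc/<pid>/status dump into an int mask."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, bit: int) -> bool:
    return bool((mask >> bit) & 1)


def decode_caps(mask: int) -> list:
    """Names of all set bits, falling back to CAP_<n> for bits not in the table."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if has_cap(mask, bit)]


def writable_release_agents(cgroup_root: str = "/sys/fs/cgroup") -> list:
    """cgroup v1 controllers whose release_agent file this process can write.
    cgroup v2 has no release_agent file, so this returns [] there."""
    found = []
    try:
        entries = sorted(os.listdir(cgroup_root))
    except OSError:
        return found
    for name in entries:
        path = os.path.join(cgroup_root, name, "release_agent")
        if os.path.isfile(path) and os.access(path, os.W_OK):
            found.append(path)
    return found


def assess(status_text: str, cgroup_root: str = "/sys/fs/cgroup") -> dict:
    mask = effective_caps(status_text)
    sys_admin = has_cap(mask, CAP_SYS_ADMIN)
    return {
        "cap_sys_admin": sys_admin,
        "caps": decode_caps(mask),
        "writable_release_agents": writable_release_agents(cgroup_root),
        # With CAP_SYS_ADMIN you can mount cgroupfs yourself, so the
        # precondition holds even if no release_agent file is visible yet.
        "release_agent_precondition": sys_admin,
    }


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            live = fh.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        live = DOCKER_DEFAULT_STATUS
    for label, text in (("live", live), ("docker default", DOCKER_DEFAULT_STATUS),
                        ("privileged", PRIVILEGED_STATUS)):
        print(label, assess(text))
```

Treat a positive result as a precondition, not a proof: the escape additionally needs a cgroup v1 hierarchy on the host and no AppArmor/seccomp profile blocking the mount, and `--cap-add SYS_ADMIN` on an otherwise unprivileged container sets the same bit. Conversely, Docker’s default mask (14 capabilities, no CAP_SYS_ADMIN) is the baseline you want to see in CI runners.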
4. Resource of the week
This is huge! Assetnote launched this collection of wordlists for asset and content discovery (DNS bruteforce, API routes, GET parameters, subdomains…). Some are automatically regenerated each month using Commonspeak2 and GitHub Actions, while others are curated manually.
The wordlists are cleaned with clean_wordlist.sh, a script suggested by @BonJarber to remove noise. It is worth checking out too if you want to curate your own wordlists.
5. Tools of the week
Webscan is a browser-based internal network scanner by @samykamkar. Just by visiting a Web page, it detects your local LAN IP address using WebRTC and then probes for live hosts on that network. Mind-blowing, and dangerous if combined with other vulnerabilities such as NAT Slipstreaming!
CTFNote is a must for CTF players. It allows you to keep track of the CTFs you’re playing and who is available to participate, to assign tasks to team members, to share notes, etc. This makes collaboration easier and would be nice to have for bug bounty too.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Urlhunter: Recon tool that allows searching for URLs exposed via shortener services (using URLTeam data)
- exclude-cdn: Wraps projectdiscovery’s cdncheck library to exclude CDN hosts from input passed over stdin
- 403Bypasser: Burp Suite extension to bypass 403-restricted directories
- Phonerator: A search engine that allows you to provide a few digits and generate a list of possible valid phone numbers for #OSINT
- Nimplant & Implant Roulette Part 1: Nimplant: A cross-platform implant written in Nim
- Goshs: A SimpleHTTPServer written in Go, enhanced with features and with a nice design
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/15/2020 to 11/22/2020.