By Anna Hammond
December 2, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 22 to 29 of November.
SEO ransomware, Vulnerability lifecycle & Stress blamed for email data breaches
Modern WAF Bypass Scripting Techniques for Autonomous Attacks
This is a talk for developers, but hackers looking to bypass bot detection (for brute force, Web scraping, etc.) will also probably find it insightful. @J0hnnyXm4s goes over several techniques used by WAFs to detect bots and how they can easily be bypassed.
Don’t Fear The Bark, Ts_rewrite To Dodge The Mark
CRLF injection & SSRF in git:// protocol lead to arbitrary code execution (GitLab)
The first writeup is about some obscure PostgreSQL features that helped bypass a WAF (probably BIGIP F5) and fully exploit a SQL injection. It could be of great help if you’re facing similar technologies.
The second writeup is a clever CRLF injection and SSRF in GitLab. They allow for abusing a Redis server and getting RCE.
Finding DOMXSS with DevTools | Untrusted Types Chrome Extension
Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters
Remember @filedescriptor’s Untrusted Types, the Chrome extension for logging DOM sinks? He just released a short demonstration to show how he uses it to detect DOM XSS.
The second video is gold if you’re interested in subdomain takeovers. It is a type of vulnerability that is getting more and more difficult to find in bug bounties because of the competition and automation some use. So, @codingo_’s tricks are eye-opening.
These are three very practical tools for Web application security testing.
Jdam is a Go tool for JSON fuzzing. Contrary to most existing fuzzing tools, it keeps the JSON valid when replacing values with payloads for fuzzing.
Burp JQ is a Burp extension that adds a “JQ” tab to the HTTP message viewer. It allows you to apply jq queries to JSON content directly from Burp.
Burp to Slack is a Burp extension for sending notifications to Slack or a custom server based on responses matching a pre-defined condition. It is helpful when you want to be immediately notified of a certain condition (e.g. a string found in a response in Intruder/Repeater/Proxy/Scanner) without keeping an eye on Burp.
randomua – Inject random user-agent in pentest CLI tools
Randomua is a Ruby tool that generates random User-Agent strings of different types (desktop browser, mobile, email client, cloud platform…). It is not new but can help bypass WAFs. This tutorial shows how to use it in combination with other CLI tools like ffuf, sqlmap, testssl, nikto, etc.
Bounty Thursdays – Wordlists for content discovery and API bugs!
HackerOne & The Paranoids Present: #h12010 Qualifier Wrap up & Community Day
Kali on Windows WSL for Pentester & Bug Bounty Hunter | Local Recon | Hacking Machine | No VPS / VM
Cicada – Ongoing WordPress Attack, RCS Gets End-to-End Encryption
The Many Hats Club Ep. 77, Breaking and Entering…your network (with TinkerSec)
New Magecart Attacks, GoDaddy DNS Attacks, & Ryan Corey – SWN #85
Common Federated Identity Protocols: OpenID Connect vs OAuth vs SAML 2
Azure Security Basics: Log Analytics, Security Center, and Sentinel #BlueTeam
DirectAccess and Kerberos Resource-based Constrained Delegation
Hindering Threat Hunting, a tale of evasion in a restricted environment
CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home) #Web
Detailing Saltstack Salt Command Injection Vulnerabilities #Web #CodeReview
Discovering, exploiting and shutting down a dangerous Windows print spooler vulnerability #Windows #LPE
Issue 2098: Facebook Messenger for Android: SdpUpdate message can cause audio call to connect before callee has answered the call (Facebook, $60,000)
Chaining Multiple Requests to Achieve Rate Limiting Vulnerabilities
XSS on Issue reference numbers (GitLab, $1,500)
Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata (Snapchat, $4,000)
CRLF injection & SSRF in git:// protocol lead to arbitrary code execution (GitLab)
Remote code execution on Basecamp.com (Basecamp, $5,000)
See more writeups on The list of bug bounty writeups.
byp4xx.sh: Simple bash script to bypass “403 Forbidden” messages with well-known methods discussed in #bugbountytips
RESTler, REST API Fuzz Testing (RAFT) & Intro: Find security and reliability bugs through automated fuzzing
IntRudeX & Intro: Burp extension that provides an interface to generate Intruder payload positions based on results from a regex
S3 Objects Check: Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
JARM & Intro: Easily Identify Malicious Servers on the Internet with JARM
jarm-go: A Go implementation of JARM
stats.rb & Intro: Metasploit plugin to display stats about the current workspace such as most popular ports, total hosts/services, etc.
Cottontail: Capture all RabbitMQ messages being sent through a broker
NetworkSniffer: Log iOS network traffic without a proxy
Allsafe: Intentionally vulnerable Android application
Sploitus exploit search engine comes under DMCA fire, search engine page removal
SecureAuth Innovation Labs – New Impacket Release Available Today!
Professional / Community 2020.11.2 & Burp Suite Enterprise Edition: six months of new features
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/22/2020 to 11/29/2020.