Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 22 to 29 of November.
Our favorite 5 hacking items
1. Conference of the week
Modern WAF Bypass Scripting Techniques for Autonomous Attacks
This is a talk for developers, but hackers looking to bypass bot detection (for brute force, web scraping, etc.) will probably also find it insightful. @J0hnnyXm4s goes over several techniques used by WAFs to detect bots and how easily they can be bypassed.
2. Writeups of the week
Don’t Fear The Bark, Ts_rewrite To Dodge The Mark
CRLF injection & SSRF in git:// protocol lead to arbitrary code execution (GitLab)
The first writeup is about some obscure PostgreSQL features that helped bypass a WAF (probably F5 BIG-IP) and fully exploit a SQL injection. It could be of great help if you’re facing similar technologies.
The second writeup is a clever CRLF injection and SSRF in GitLab. They allow for abusing a Redis server and getting RCE.
3. Videos of the week
Finding DOMXSS with DevTools | Untrusted Types Chrome Extension
Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters
Remember @filedescriptor’s Untrusted Types, the Chrome extension for logging DOM sinks? He just released a short demonstration to show how he uses it to detect DOM XSS.
The second video is gold if you’re interested in subdomain takeovers. It is a type of vulnerability that is getting more and more difficult to find in bug bounties because of the competition and the automation some hunters use. So, @codingo_’s tricks are eye-opening.
4. Tools of the week
Burp to Slack
These are three very practical tools for Web application security testing.
Jdam is a Go tool for JSON fuzzing. Contrary to most existing fuzzing tools, it keeps the JSON valid when replacing values with payloads for fuzzing.
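As an added illustration of the structure-preserving idea in Jdam's description (this is not Jdam's code; the sample body and the payload string are constructed here), the following walks a parsed JSON body and emits one mutated document per scalar leaf, so every test case stays syntactically valid JSON:

```python
import copy
import json

# Constructed sample request body, not taken from the page or from Jdam.
SAMPLE_BODY = '{"user": {"name": "alice", "tags": ["a", "b"]}, "count": 2, "active": true}'

# Constructed marker payload; a real fuzzing run would substitute its own strings.
PAYLOAD = "FUZZ"


def leaf_paths(node, prefix=()):
    """Yield the key/index path to every scalar leaf of a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_paths(value, prefix + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaf_paths(value, prefix + (index,))
    else:
        yield prefix


def replace_at(doc, path, payload):
    """Return a deep copy of doc with the leaf at path swapped for payload."""
    if not path:  # the whole document is a single scalar
        return payload
    mutated = copy.deepcopy(doc)
    target = mutated
    for step in path[:-1]:
        target = target[step]
    target[path[-1]] = payload
    return mutated


def fuzz_cases(body, payload):
    """Produce one serialised document per leaf; each one is still valid JSON."""
    doc = json.loads(body)
    return [json.dumps(replace_at(doc, path, payload)) for path in leaf_paths(doc)]


def all_valid(cases):
    """True when every generated case parses back as a JSON object."""
    return all(isinstance(json.loads(case), dict) for case in cases)
```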
Burp JQ is a Burp extension that adds a “JQ” tab to the HTTP message viewer. It allows you to apply jq queries to JSON content directly from Burp.
Burp to Slack is a Burp extension for sending notifications to Slack or a custom server when responses match a pre-defined condition. It is helpful when you want to be immediately notified of a certain condition (e.g. a string found in a response in Intruder/Repeater/Proxy/Scanner) without keeping an eye on Burp.
5. Tutorial of the week
randomua – Inject random user-agent in pentest CLI tools
Randomua is a Ruby tool that generates random User-Agent strings of different types (desktop browser, mobile, email client, cloud platform…). It is not new but can help bypass WAFs. This tutorial shows how to use it in combination with other CLI tools like ffuf, sqlmap, testssl, nikto, etc.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- byp4xx.sh: Simple bash script to bypass “403 Forbidden” messages with well-known methods discussed in #bugbountytips
- RESTler, REST API Fuzz Testing (RAFT) & Intro: Find security and reliability bugs through automated fuzzing
- IntRudeX & Intro: Burp extension that provides an interface to generate Intruder payload positions based on results from a regex
- S3 Objects Check: Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
- JARM & Intro: Easily Identify Malicious Servers on the Internet with JARM
- jarm-go: A Go implementation of JARM
- stats.rb & Intro: Metasploit plugin for displaying stats about the current workspace, such as most popular ports, total hosts/services, etc.
- ADLab & Intro: Active Directory Lab Setup Tool
- Cottontail: Capture all RabbitMQ messages being sent through a broker
- NetworkSniffer: Log iOS network traffic without a proxy
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/22/2020 to 11/29/2020.