Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Before we dive into the meat of this newsletter, we’d like to acknowledge some of our favorite sources of information as a means of celebrating this 100th issue.
This publication would not exist without all you hackers and content creators who share your knowledge and help others improve, each in your own way. This short list won’t do justice to all; it is just a tiny fraction of the sources on which we keep a close eye for their regularity and excellent quality. Immense gratitude and respect to all:
- PortSwigger for the incredible research, invaluable training academy and daily news (Daily Swig);
- Darknet Diaries for entertaining us with fascinating real-life hacker stories;
- ProjectDiscovery.io for the many sweet well-polished tools;
- NahamSec for allowing us to “meet” so many talented hackers in delicious interviews;
- Daniel Miessler for the bubbly mix of technical topics and thought-provoking essays;
- NCCGroup for the numerous and quality responsible disclosure advisories, tools and research;
- InfoSec Write-Ups for helping us keep up with the latest bug bounty writeups;
- SANS Information Security Webcasts for regularly offering free high-quality webcasts on all kinds of Information Security topics;
- Bishop Fox research labs for the excellent tools, guides, security advisories and fantastic research;
- Rhino Security Labs for your unique tools, challenges, guides and writeups on all things penetration testing, especially cloud security.
Lastly, an honourable mention to Appsecco for insightful presentations, writeups and free trainings on Cloud and Web security.
To everyone else who did not make the list, we also love you and appreciate your work <3
That said, let’s look at what the week (from November 29 to December 6) brought us.
Our favorite 5 hacking items
1. Challenge of the week
Orange Tsai’s HITCON CTF 2020 XSS challenge & Solution
This XSS challenge shows a cool trick for getting XSS in Apache installations. Without spoiling it, here’s a hint: it affects file upload functionality when Apache has content negotiation enabled.
2. Writeups of the week
$10000 Facebook SSRF (Bug Bounty) (Facebook, $10,000)
Don’t Scan My Website I: Exploiting an Old Version of Wappalyzer #Web
How do people still find SSRF on Facebook? @amineaboud did it using a series of common bug hunting techniques (subdomain enumeration, file brute-forcing and JS analysis), yet the magic was in their combination, his thoroughness and perseverance. Hats off for a beautiful finding!
3. Resource of the week
This is a new wiki by Google on Cross-site leaks (XS-Leaks). It’s a great resource for learning about this vulnerability class, common attacks and how to mitigate them. Also good to know, the project is open source and welcomes new contributions.
4. Tools of the week
bbscope is a Go tool for fetching the scope of bug bounty programs from Intigriti, Bugcrowd and Hackerone. It has handy options that allow you to fetch only private programs, those that offer bounties, or to filter results by scope category (URL, CIDR, mobile, code, hardware…). Awesome work by @sw33tLie!
Degoogle is a Python script for querying Google and extracting result URLs. I haven’t dived into the code, so I’m not sure how it does it, but somehow it avoids bot detection. No captcha is served even after running it for weeks.
5. Videos of the week
Finding Your Next Bug: GraphQL
Hacking Tips – Finding new Tools and Techniques Using Github
Hacking 1Password | Episode 4 – Two Simple Bugs that Worth $3,300
The sweet videos to watch this week are about a comprehensive introduction to GraphQL for bug hunters, a welcome reminder to leverage Github for discovering new tools and techniques, and (finally!) the overlooked bugs @ngalongc found in 1Password after decrypting it.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- An iOS zero-click radio proximity exploit odyssey
- Site Wide CSRF On Glassdoor (Glassdoor, $3,000)
- Exploiting Blind Postgresql Injection And Exfiltrating Data In Psycopg2 ($3,000)
- “Important, Spoofing” – zero-click, wormable, cross-platform remote code execution in Microsoft Teams (Microsoft)
- Leaking Browser URL/Protocol Handlers (Google, Microsoft, Mozilla)
- RCE via LFI Log Poisoning – The Death Potion
- Websites Can Run Arbitrary Code on Machines Running the ‘PlayStation Now’ Application (PlayStation, $15,000)
See more writeups on The list of bug bounty writeups.
- Windows Registry .burp file handler & Intro: Windows Registry file that adds handling of .burp files by allowing double-click to open projects directly. Also adds context menu options to launch with extensions disabled, spider and scanner paused, or both.
- antiburl.py: Python tool inspired by @TomNomNom’s anti-burl, with advanced options
- HackerOne Scripts: Collection of scripts to automate HackerOne things using their GraphQL API
- CastleBravo: @m4ll0k’s BugBounty Automation Tool
- metahttp: A bash script that automates the scanning of a target network for HTTP resources through XXE
- galer: A fast tool to fetch URLs from HTML attributes by crawl-in
- PyOracle2 & Intro: A python-based padding oracle tool
- powersploit_portscan_db_import & Intro: Metasploit db importer for PowerSploit Invoke-Portscan
- IAMFinder & Intro: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
- BackBomb: 💣 Dockerized penetration-testing/bugbounty/app-sec testing environment
- WriteHat & Intro: A pentest reporting tool written in Python. Markdown -> HTML -> PDF
- Carnivore: Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
- Distillo.io: Tracking website updates, automated and simplified
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2020 to 12/06/2020.