Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 06 to 13 December.
Our favorite 5 hacking items
1. Article of the week
Portable Data exFiltration: XSS for PDFs & Presentation
This is @garethheyes’s new research, presented at Black Hat Europe. He developed a new injection technique based on controlling a single HTTP link in a PDF document. It allows exfiltrating the PDF file’s contents (like a blind XSS via PDF) or performing SSRF. Several PDF libraries were found vulnerable, including Acrobat and Chrome’s PDFium.
This is really cool. PDF files are used all the time, and they can be totally compromised with just one little link!
2. Writeups of the week
Content-Security-Policy Bypass to perform XSS using MIME sniffing
How I hacked Facebook: Part One (Facebook, $7,500)
The YouTube bug that allowed unlisted uploads to any channel (Google, $6,337)
The first one is about two seemingly impossible XSS bugs, each blocked by CSP, that became exploitable when chained together using MIME sniffing. The second writeup is about an admin account takeover (on a thefacebook.com subdomain) caused by an exposed password change endpoint. The third writeup is about a simple IDOR that would’ve allowed anyone to upload videos to someone else’s YouTube channel.
These are all proof that the best findings aren’t necessarily the most complicated!
3. Tutorial of the week
Advanced Testing Of Web Application With Custom Message Signing Using Hackvertor
This tutorial shows how to use the Burp extension Hackvertor to bypass replay protection mechanisms like message signing. This isn’t a new problem, but it is not extensively documented, so this can be helpful.
4. Conference of the week
Y’all’ve been nice this year, so Santa Claus has great talks for you! Topics range from S3 bucket weaknesses to car hacking, adversary emulation, HID card hacking, red teaming, Kubernetes attacks, offensive security tools and more.
Burp Suite Sequencer users will also be interested in the “Random Facts About Mersenne Twisters” talk on pseudo-random number generators and this thread on how Sequencer works.
5. Tools of the week
Depix & Intro
HTTPSignatures & Intro
Depix is a Python tool that helps recover passwords from pixelized screenshots. It’s worth trying when looking for information disclosure in public documents.
Proxify is a new web proxy in Go by @pdiscoveryio. It looks interesting either as a standalone tool or chained with Burp/ZAP. It can dump all traffic to a file, replay traffic in Burp, match and replace requests and responses on the fly, match/filter traffic…
HTTPSignatures is a Burp extension that implements the Signing HTTP Messages specification draft (draft-ietf-httpbis-message-signatures-01). As apps start adopting HTTP Signatures, this extension will help test them seamlessly.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Solarflare & Intro: SolarWinds Orion Account Audit / Password Dumping Utility
- Cloudlist: A Go tool for listing Assets from multiple Cloud Providers
- FlyDNS: Related subdomains finder
- JNDI-Exploit-Kit: A modified version of @welk1n’s JNDI-Injection-Exploit. It can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection
- CornerShot: Amplify network visibility from multiple POV of other hosts
- pstf^2 & Intro: Passive Security Tools Fingerprinting Framework
- SnitchDNS & Intro: Database Driven DNS Server with a Web UI, that makes DNS admin easier for red teams & pentesters
- rga / ripgrep-all: ripgrep wrapper that can also search in PDFs, e-books, Office documents, zip, tar.gz, etc.
- “Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.”
- rawsec_cli: Rawsec’s Cybersecurity Inventory CLI. Search pentesting tools, resources, CTFs, OSes.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/06/2020 to 12/13/2020.