Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 06 to 13 of December.
Our favorite 5 hacking items
1. Article of the week
This is @garethheyes’s new research presented at Black Hat Europe. He developed a new injection technique based on controlling a single HTTP link in a PDF document. It allows for exfiltrating the PDF file’s contents (like a Blind XSS via PDF) or SSRF. Several PDF libraries were found vulnerable including Acrobat and Chrome’s PDFium.
This is really cool. PDFs files are used all the time, and they can be totally compromised with just one little link!
The first one is about two impossible XSS, blocked by CSP, that became exploitable when chained together using MIME sniffing. The second writeup is about an admin account takeover (in a thefacebook.com subdomain) caused by an exposed password change endpoint. The third writeup is about a simple IDOR that would’ve allowed anyone to upload videos to someone’s YouTube channel.
These are all proof that the best findings aren’t necessarily the most complicated!
3. Tutorial of the week
This tutorial shows how to use the Burp extension Hackvector to bypass replay protection mechanisms like message signing. This isn’t a new problem but it is not extensively documented, so this can be helpful.
4. Conference of the week
Y’all ‘ve been nice this year, so Santa Claus has great talks for you! Topics range from S3 buckets weaknesses tocar hacking, adversary emulation, HID card hacking, red teaming, Kubernetes attacks, Offensive Security Tools and more.
Burp Suite Sequencer users will also be interested in the “Random Facts About Mersenne Twisters” talk on pseudo-random number generators and this thread on how Sequencer works.
5. Tools of the week
Depix is a Python tool that helps recover passwords from pixelized screenshots. It’s worth trying when looking for information disclosure in public documents.
Proxify is a new Web proxy in Go by @pdiscoveryio. It looks interesting either as a standalone tool or chained with Burp/ZAP. It can dump all traffic to a file, replay traffic in Burp, match and replace requests and responses on-the-fly, match/filter traffic…
HTTPSignatures is a Burp extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft. As apps start adopting HTTP Signatures, this extension will help test them seamlessly.
Other amazing things we stumbled upon this week
- Better Bug Bounty Tool Results with DNSValidator
- Gynvael Talks About Infosec Certificates, Playing Ctfs, Google’s Ctf, and Getting Into Hacking!
- Bug Bounty (how to make money HACKING!!) // ft. STÖK
- Cybertalk EP8 – Better Bug Bounty Hunting, CTF’s & Reverse Engineering
- “Profiling BurpSuite Spider/Crawler” Part 1
- Understanding Nat Slipstreaming
- How To Prevent IDORs | Security Simplified, Intro to Command Injection | Security Simplified & How to Prevent Command Injections
- My Life in Short/Shirt Stories (December 2020 Project)
- FAILING – motivational speech
- Distributed Recon – Axiom Scan Resolves 6M FQDNs in 10 Minutes
- Security Now: Amazon Sidewalk – Google Play Core Library, iOS Zero-Click Radio Proximity Exploit, Apple M1 Chip
- Risky Business #608 — FireEye discloses breach and tool exfil
- Atheris Python Fuzzer, Bronze Bit Attack, & FireEye Highlights – ASW #134
- Steam Flaws, Kerberos Exploit, Facebook Lawsuit, & Black Mirror – Wrap Up – SWN #88
- Layer 8 Podcast Episode 36: Inês Narciso – Teamwork Makes Dreamwork
- The Privacy, Security, & OSINT 199-Physical Security Assessments
- The InfoSec & OSINT Show 37 – Jenny Radcliffe & People Hacking
Webinars & Webcasts
- ZAP Deep Dive Series
- Webcast: Getting Started with Burp Suite & Webapp Pentesting
- Q&A: Finding & Reversing Malicious Mobile Apps with Kristina (chmodxx)
Slides & Workshop material
Medium to advanced
- Abusing exposed Docker Registry APIs
- 4 Free Easy Wins That Make Red Teams Harder
- Connecting GoPhish with Office365
- A Pentester’s Guide to Command Injection
- Finding bugs at limited scope programs (Single Domain Websites)
- Alternative ways to Pass the Hash (PtH)
- Bypassing IP Based Rate-Limit
- Don’t Hesitate, Isolate (Your Virtual Machine)
- SSD Secure Disclosure December – 2020 challenge
- Intigriti’s December XSS Challenge winners & writeups
Responsible(ish) disclosure writeups
- SRC-2020-0031 : Microsoft Exchange Server EWS RouteComplaint ParseComplaintData XML External Entity Processing Information Disclosure Vulnerability #Web
- GHSL-2020-205: Remote Code Execution in Apache Struts 2 – S2-061 – CVE-2020-17530 #Web
- Watchcom Discovers New Cisco Jabber Vulnerabilities #Web
- Prototype Pollution in ini package #Web
- Vulnerabilities in McAfee ePolicy Orchestrator #Web
- CVE-2020-17049: Kerberos Bronze Bit Attack – Overview, Theory & Practical Exploitation #AD
- Novel Abuses On Wi-Fi Direct Mobile File Transfers #Wifi
- PsExec Local Privilege Escalation #Windows #LPE
Bug bounty writeups
- Game On – Finding vulnerabilities in Valve’s “Steam Sockets” (Valve)
- How I dumped PII information of customers in an ecommerce site?
- A very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service (Basecamp, $1,000)
- How i got my First Bug Bounty in Intersting Target (LFI to SXSS)
- CVE-2020-8286: Inferior OCSP verification (Curl, $900)
See more writeups on The list of bug bounty writeups.
- Solarflare & Intro: SolarWinds Orion Account Audit / Password Dumping Utility
- Cloudlist: A Go tool for listing Assets from multiple Cloud Providers
- FlyDNS: Related subdomains finder
- JNDI-Exploit-Kit: A modified version of @welk1n’s JNDI-Injection-Exploit. It can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection
- CornerShot: Amplify network visibility from multiple POV of other hosts
- pstf^2 & Intro: Passive Security Tools Fingerprinting Framework
- SnitchDNS & Intro: Database Driven DNS Server with a Web UI, that makes DNS admin easier for red teams & pentesters
- rga / ripgrep-all: ripgrep wrapper that can also search in PDFs, E-Books, Office documents, zip, tar.gz, etc
- “Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.”
- rawsec_cli: Rawsec’s Cybersecurity Inventory cli. Search pentesting tools, resources, ctf, os.
Misc. pentest & bug bounty resources
- @irsdl research notes
- OpenSSF CVE Benchmark project & Intro
- OWASP GraphQL Cheat Sheet
- Twitter SecLists
- Infrastructure as Code: Dynamic Systems for the Cloud Age
- Bugs found by Cryptofuzz
- Week in OSINT #2020-49
- 12 Days Of Hacky Holidays CTF
- The 2020 Sans Holiday Hack Challenge
- sconwar – sensecon 2020 & Szensecon Discord Bot
- Web Almanac by HTTP Archive – Security
- Deciphering Google’s mysterious ‘batchexecute’ system
- Using The UK Planning System For OSINT
- ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
- Web fuzzers review
- Adventures in Dynamic Evasion
- Improving DNS Privacy with Oblivious DoH in 18.104.22.168
Bug bounty & Pentest news
- Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
- Pwine Award Winners 2020
- The World’s Largest Live Hacking Event
- SANS Open-Source Intelligence Summit 2021 – Live Online
- Questions a mentor will want to ask you
- Communication In Bug Bounty Programs (As Triager, Researcher, Manager)
- Analysis of the RECON/Attack Surface Management Space
- Hacker Spotlight: Interview With Tolo7010
- A CVE in our Executive Summary
- Bad CTF Bingo
- Get your work recognized: write a brag document
- Summary: The Pentester’s BluePrint
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/06/2020 to 12/13/2020.