Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 13 to 20 December 2020.
Our favorite 5 hacking items
1. Tips of the week
@irsdl’s #XMas2020 research notes
@eur0pa_’s method for using Burp 1.7 with the latest extensions
@irsdl has been sharing awesome hacking notes and tips on topics like deserialization bugs, WAF bypass, Burp & Fiddler, Salesforce apps security & many more. Really worth checking out!
Another noteworthy tip is for people who prefer to stay on Burp 1.7. @eur0pa_ shows how to make it work with all the latest extensions.
2. Writeups of the week
Coordinated disclosure of XML round-trip vulnerabilities in Go’s standard library
LogRhythm Zero Days
This is how I was able to view anyone’s private email and birthday on Instagram (Facebook, $13,125)
This week’s writeups are about an authentication bypass enabled by XML round-trip vulnerabilities in Go’s standard library parser, a critical chain of WebSocket-related vulnerabilities in LogRhythm (a popular SIEM solution!) and a simple but impactful information disclosure on Instagram.
3. Video of the week
STOK Interviewed Me! 😱😱😱
I hacked Outlook and could’ve read all of your EMAILS!
Fans of @NahamSec’s interviews with hackers will love this special edition. He is the one being interviewed and answering all the usual questions on his hacker journey, life/time balance, time management, bug bounty collaboration, etc.
The second video by @ngalongc is a cool writeup of a $20k JWT bug he found in Outlook.
4. Tutorial of the week
Subdomain Takeover: Going for High Impact
@0xpatrik noticed that subdomain takeovers are harder to find nowadays and are considered less dangerous because of new mitigations by cloud providers. But they’re not dead yet! If you find a subdomain takeover, make sure to increase its impact using the escalation methods he is sharing (or if you know of other ones, the community would love to hear them).
5. Resource of the week
OAuth 2.0 authentication vulnerabilities
PortSwigger just released this new Web Security Academy course on OAuth and OpenID Connect vulnerabilities. With their usual clear explanations and many labs, this is the perfect opportunity to practice or learn about OAuth hacking!
Other amazing things we stumbled upon this week
- A Conversation With Farah Hawa | The Uncommon Journey | Episode Seventeen | With Alyssa Miller, Chloe Messdaghi, And Phillip Wylie
- Infosec Prep Podcast 0x03 byt3bl33d3r AMA
- PyMicropsia Trojan, Alphabet Outages, SolarWinds, & Jason Wood – SWN #89
- SolarWinds Attack, AIR-FI Technique, & Zodiac Cypher Decoded – PSW #678
- SolarWinds, Gitpaste-12, G-Suite Attack, & Show Summaries – Wrap Up – SWN #90
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- WhiteChocolateMacademiaNut & Intro: Interact with Chromium-based browsers’ debug port to view open tabs, installed extensions, and cookies
- Python2Intruder: Pythonize Intruder Payload
- JupyterPen: A Repository dedicated to creating modular and automated penetration testing frameworks utilizing Jupyter Notebooks
- Lazy-FuzzZ: Wrapper around ffuf
- Fast security scanners/checks: Dockerized tools for various Web security tests
- fridroid-unpacker: Defeat Java packers via Frida instrumentation
- dmut: A tool to perform permutations, mutations and alteration of subdomains in golang
- Emba: Analyzer for Linux-based firmware of embedded devices
- Fortiscan: A high-performance FortiGate SSL-VPN vulnerability scanning and exploitation tool
- GRecon: Python tool that automates the process of Google Based Recon AKA Google Dorking
- deepce: Docker Enumeration, Escalation of Privileges and Container Escapes
- Go365: An Office365 User Attack Tool
- PrettyRECON & Intro: Commercial recon tool with GUI
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/13/2020 to 12/20/2020.