Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 20 to 27 December 2020.
Our favorite 5 hacking items
1. Articles of the week
Fun with IP address parsing
Helping secure DOMPurify (part 1) & A word about DOMPurify bypasses a.k.a why DOM parsing is crazy | Sekurak.tv
@dave_universetf wrote an IPv4+6 parser from scratch, which led him to discover several cursed IP address representations. Corner cases like these are worth knowing when looking for URL validation bypasses (e.g. for SSRF or open redirects).
The second article and its accompanying video are excellent resources for anyone who has seen the many recent DOMPurify bypasses and wondered how such vulnerabilities are found.
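To make the SSRF angle concrete, here is an added example (my own code, not Dave's parser or anything from the article): a small IPv4 parser that follows the legacy inet_aton() grammar (hex, octal or decimal parts, one to four parts, the last part filling the remaining bytes), used to show why a string comparison is not a usable loopback filter. IPv6 is left out. The filter functions, the `LOOPBACK_FORMS` list and the helper names are constructed for this illustration.

```javascript
// Added example, not code from the article or the newsletter: an IPv4 parser
// implementing the legacy inet_aton() grammar (hex/octal/decimal parts, 1 to 4
// parts, the last part filling the remaining bytes), used to show why a string
// comparison is not a usable SSRF filter.

// Parse one dot-separated part as inet_aton() does. Anything that is not a clean
// hex, octal or decimal number ("08", "0x", "1a") is rejected, as glibc does.
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s.slice(1), 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return null;
}

// Returns the address as an unsigned 32-bit number, or null if inet_aton()
// would reject the string. "127.1", "0x7f.1", "0177.0.0.1" and "2130706433"
// all come back as 2130706433 (127.0.0.1).
function inetAton(str) {
  const parts = str.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => n === null)) return null;
  const head = nums.slice(0, -1);        // each must fit in one byte
  const last = nums[nums.length - 1];    // fills the remaining 4 - head.length bytes
  if (head.some(n => n > 255)) return null;
  const lastBytes = 4 - head.length;
  if (last >= 2 ** (8 * lastBytes)) return null;
  let addr = 0;
  for (const n of head) addr = addr * 256 + n;
  return addr * 256 ** lastBytes + last;
}

function toDotted(addr) {
  return [24, 16, 8, 0].map(sh => (addr >>> sh) & 255).join('.');
}

// Weak filter seen in many SSRF-prone codebases: compares the raw host string.
function naiveIsLoopback(host) {
  return host === '127.0.0.1' || host === 'localhost';
}

// Hardened check: canonicalise with the same rules the resolver will apply, then
// test the numeric range. 127.0.0.0/8 is loopback; 0.0.0.0 also reaches local
// services on Linux, so it is treated as loopback too.
function isLoopback(host) {
  const addr = inetAton(host);
  if (addr === null) return host === 'localhost';
  return (addr >>> 24) === 127 || addr === 0;
}

// Constructed candidate list: alternate spellings of 127.0.0.1 that inet_aton() accepts.
const LOOPBACK_FORMS = ['127.0.0.1', '127.1', '127.0.1', '0x7f.1', '0177.0.0.1',
                        '2130706433', '0x7f000001', '017700000001', '127.0.0x1'];

// Returns the forms that slip past `filter` although they resolve to loopback.
function bypasses(filter, forms = LOOPBACK_FORMS) {
  return forms.filter(f => !filter(f) && isLoopback(f));
}

console.log('naive filter misses:', bypasses(naiveIsLoopback));
console.log('hardened filter misses:', bypasses(isLoopback));
```

The practical lesson is in `isLoopback`: a host filter has to parse the string with the same leniency the target's resolver will apply and then compare the numeric address, otherwise every shorthand the parser accepts is a bypass.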
2. Writeups of the week
Cookie Tossing to RCE on Google Cloud JupyterLab (Google, $3133.70)
[Google VRP] Hijacking Google Docs Screenshots (Google)
Supply Chain Pollution: Hunting a 16 Million Download/Week npm Package Vulnerability for a CTF Challenge (Node.js third-party modules)
@kl_sree found a cool postMessage misconfiguration in Google Docs that allowed him to steal the contents of documents by capturing screenshots of them.
@spaceraccoonsec shares the details of a prototype pollution he found in the “ini” NPM package. Since it is used by almost 2000 dependent packages, this bug could have been exploited for a serious supply chain attack.
@S1r1u5_ wrote about an RCE on Google Cloud JupyterLab. It covers the interesting topic of “cookie tossing”, which can be used to increase the impact of XSS bugs found in out-of-scope or sandboxed domains.
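For readers who have not met the bug class, here is an added example (my own constructed code, not the “ini” package's source and not taken from the writeup): a minimal INI parser that stores sections on a plain object, so a section header named `__proto__` lands every following key on `Object.prototype`, next to a hardened version using null-prototype containers and an explicit denylist. The sample input and all function names are constructed for this illustration.

```javascript
// Added example, not the code of the "ini" package: a minimal INI parser that
// shows the prototype-pollution pattern and a hardened version. The sample
// input is constructed for this illustration.

const SAMPLE_INI = [
  '[__proto__]',          // attacker-controlled section name
  'polluted = yes',
  '',
  '[database]',
  'host = db.internal',
].join('\n');

// Tokenise: yields {section} for headers and {key, value} for assignments.
function* iniLines(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) { yield { section: sec[1] }; continue; }
    const eq = line.indexOf('=');
    if (eq > 0) yield { key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() };
  }
}

// Vulnerable: sections live on a plain object and are looked up by name.
function parseIniVulnerable(text) {
  const out = {};
  let current = out;
  for (const tok of iniLines(text)) {
    if (tok.section !== undefined) {
      // BUG: out['__proto__'] already resolves to Object.prototype (truthy),
      // so no fresh object is made and later keys are written onto the
      // prototype shared by every object in the process.
      if (!out[tok.section]) out[tok.section] = {};
      current = out[tok.section];
    } else {
      current[tok.key] = tok.value;
    }
  }
  return out;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: null-prototype containers (no inherited __proto__ accessor to hit)
// plus an explicit rejection of the dangerous names, in case the result is
// later merged into an ordinary object.
function parseIniSafe(text) {
  const out = Object.create(null);
  let current = out;
  for (const tok of iniLines(text)) {
    if (tok.section !== undefined) {
      if (FORBIDDEN.has(tok.section)) throw new Error(`refusing section [${tok.section}]`);
      if (!(tok.section in out)) out[tok.section] = Object.create(null);
      current = out[tok.section];
    } else {
      if (FORBIDDEN.has(tok.key)) throw new Error(`refusing key ${tok.key}`);
      current[tok.key] = tok.value;
    }
  }
  return out;
}

// Parses `text` with the vulnerable parser and reports whether a brand-new,
// unrelated object now carries the injected property; then undoes the damage.
function demonstratePollution(text) {
  const before = ({}).polluted;
  parseIniVulnerable(text);
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

console.log(demonstratePollution(SAMPLE_INI)); // { before: undefined, after: 'yes' }
```

The supply chain angle is that nothing in the config file looks like code: a single `[__proto__]` header in a file the library parses is enough to change the behaviour of every object in the consuming application, which is why the fix belongs in the parser and not in each caller.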
3. Videos of the week
How to duplicate less with Bug Bounties
Automate your Bug Hunting using Nuclei | Writing our own nuclei template | Be The H.A.C.R. – Ep. 18
Continuing his excellent series for bug bounty beginners, @codingo_ shares advice to help increase bug impact and avoid duplicates.
The second video, by @AseemShrey, should also help with those dreaded dupes. He explains how to write your own Nuclei templates. It is a good introduction for anyone who wants to automate some bug bounty checks and customize Nuclei to stand out from other hunters.
4. Resource of the week
Subdomain tools review & Recon suites review
These are two cool benchmarks for Web application testers. Six2dez1 does an awesome job of comparing subdomain enumeration tools (based on their features and results) and recon suites (based on their features and tools).
5. Tutorial of the week
Metasploit Tips and Tricks for HaXmas 2020
This one is for Metasploit power users. It has many advanced tips and tricks with a mix of old and recent features (e.g. how to debug failed HTTP modules, how to inline options when running a module, resource scripts for streamlining repetitive workflows, refining search results, etc).
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/20/2020 to 12/27/2020.