Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 27, 2020 to January 3, 2021.
Our favorite 5 hacking items
1. Tools of the week
ote (One Time Email)
Here is a bunch of fantastic new tools you might find very useful!
@CoreyD97’s Burp Customizer is a Burp extension that provides 58 new themes to customize Burp.
Lilly by @Dheerajmadhukar leverages favicon hashes to help find the real IP behind CDNs/WAFs.
@s0md3v’s ote allows you to quickly generate temporary email addresses and get OTPs or confirmation links directly in your terminal.
Finally, BurpRequestCleaner by @StaticFlow is a Burp extension that redacts potentially sensitive information (e.g. header and parameter values) using Shannon entropy analysis. This is useful when you want to take and share screenshots without revealing your session tokens, API keys or other data.
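To see what entropy-based redaction actually catches (and what it misses), here is an added example, written for this issue and not BurpRequestCleaner's own code: it tokenizes a raw HTTP request, computes the Shannon entropy of every long token and replaces the high-entropy ones. The request, the 3.5-bit threshold, the 16-character minimum and the list of skipped headers are all constructed assumptions, not values taken from the extension.

```python
import math
import re

# Assumption: headers whose values are structured but never secret are skipped
# to avoid false positives (a long Content-Type value has high entropy too).
SKIP_HEADERS = {"host", "content-type", "content-length", "accept", "user-agent",
                "accept-encoding", "accept-language", "connection"}

# Delimiters between tokens in request lines, header values and form bodies.
# The capturing group keeps the delimiters so the text can be rebuilt verbatim.
DELIMS = re.compile(r'([\s;,&=:?"\']+)')


def shannon_entropy(token: str) -> float:
    """Bits per character of the token's empirical character distribution."""
    if not token:
        return 0.0
    n = len(token)
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact_value(value: str, threshold: float = 3.5, min_len: int = 16) -> str:
    """Replace every long, high-entropy token in a string with [REDACTED]."""
    parts = DELIMS.split(value)
    for i in range(0, len(parts), 2):  # even indices are tokens, odd are delimiters
        tok = parts[i]
        if len(tok) >= min_len and shannon_entropy(tok) >= threshold:
            parts[i] = "[REDACTED]"
    return "".join(parts)


def redact_request(raw: str, threshold: float = 3.5, min_len: int = 16) -> str:
    """Redact a raw HTTP/1.1 request: request line, header values, then body."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [redact_value(lines[0], threshold, min_len)]
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() not in SKIP_HEADERS:
            out.append(name + ":" + redact_value(value, threshold, min_len))
        else:
            out.append(line)
    return "\r\n".join(out) + sep + redact_value(body, threshold, min_len)


# Constructed sample request (not a real capture): a hex session cookie, a
# bearer token, and a short human password in the body.
SAMPLE_REQUEST = (
    "POST /api/login?next=%2Fhome HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Cookie: session=4f9a2c7be1d08b6e9f3a57c2d1e8b0a4; theme=dark\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.abc123def456\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

if __name__ == "__main__":
    print(redact_request(SAMPLE_REQUEST))
```

Running it redacts the session cookie and the bearer token but leaves `password=hunter2` untouched: short, human-chosen secrets have neither the length nor the entropy to trip the filter, so an entropy-based cleaner is a safety net for tokens and keys, not a substitute for checking a screenshot by eye. Conversely, long structured values (hostnames, MIME types, file paths) can exceed the threshold, which is why the skip list exists.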
2. Writeups of the week
Cache-Key Normalization – What could go wrong?
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers (Facebook, $30,000)
The first writeup is about a new Denial of Service technique. @iustinBB leveraged Web cache poisoning to make a cache serve 404 responses for pages that actually exist, which is effectively a DoS for every user behind that cache. A pretty smart and very well explained finding!
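As an added illustration of the general mechanism behind this class of bug (a constructed toy model, not code or exact details from the writeup): the cache normalizes the path before using it as the cache key but forwards the raw path to the origin, the origin routes on the raw path and answers 404, and the cache is willing to store 404s. The attacker then fetches an encoded variant of a real URL and the cached 404 is served to everyone who asks for the real one. The route table, paths and the percent-decoding normalization are assumptions for the demo.

```python
from urllib.parse import unquote

# Constructed toy origin: it routes on the raw request path and returns a 404
# for anything else (assumption: it does not percent-decode before routing).
ORIGIN_ROUTES = {"/static/app.js": (200, "console.log('app')")}


def origin(raw_path):
    return ORIGIN_ROUTES.get(raw_path, (404, "Not Found"))


class Cache:
    """Toy shared cache in front of origin().

    normalize_key: percent-decode the path before using it as the cache key
                   while still forwarding the raw path to the origin (the
                   mismatch that makes the DoS possible).
    cache_errors:  whether 404 responses are stored at all.
    """

    def __init__(self, normalize_key, cache_errors=True):
        self.normalize_key = normalize_key
        self.cache_errors = cache_errors
        self.store = {}

    def key(self, raw_path):
        return unquote(raw_path) if self.normalize_key else raw_path

    def get(self, raw_path):
        k = self.key(raw_path)
        if k in self.store:
            status, body = self.store[k]
            return status, body, "HIT"
        status, body = origin(raw_path)
        if status == 200 or (status == 404 and self.cache_errors):
            self.store[k] = (status, body)
        return status, body, "MISS"


def victim_status_after_poisoning(normalize_key, cache_errors=True):
    """Attacker fetches an encoded variant, then a victim fetches the real path.

    Returns the (status, HIT/MISS) the victim receives.
    """
    cache = Cache(normalize_key, cache_errors)
    # Attacker: the cache keys this as /static/app.js, the origin sees the
    # raw /static/%61pp.js and answers 404, and the 404 is stored.
    cache.get("/static/%61pp.js")
    status, _, state = cache.get("/static/app.js")  # victim's normal request
    return status, state


if __name__ == "__main__":
    print("normalizing cache, 404s cached :", victim_status_after_poisoning(True))
    print("raw-path cache key             :", victim_status_after_poisoning(False))
    print("normalizing cache, 404s not cached:", victim_status_after_poisoning(True, cache_errors=False))
```

The two fixes the model exposes are the ones to check for in a real deployment: either the cache must key on exactly what the origin routes on (or the origin must normalize the same way before routing), or error responses must not be cached. Real caches normalize in more ways than percent-decoding (case folding, dot-segment removal, dropping or reordering query parameters), so the practical test is to send an encoded or otherwise mangled variant of a cacheable URL and then re-request the canonical URL, watching the cache status header for a HIT that carries the wrong status code.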
The second writeup is about an account takeover @samm0uda found on Facebook. He discovered an XSS on an out-of-scope domain and chained it with two other bugs to take over Oculus and Facebook accounts.
3. Conference of the week
Digital OWASP AppSec Israel 2020
Here’s a nice set of talks on a variety of Web security related topics: practical techniques to find bugs in GraphQL APIs, mutation XSS, Android hacking, CSP, race conditions, Web fuzzing, browser storage, etc.
4. Video of the week
Ziot Talks About Hacking Apple, Collaboration, Recon, and Getting Started in Hacking!
This is a cool interview with Brett Buerhaus (aka ziot, aka @bbuerhaus)! He and @NahamSec chat about the usual topics: his background, bug bounty collaboration, recon, mentorship, bug hunting stories, imposter syndrome, etc. If you want to relax while getting inspired to hack, this is the perfect thing to watch.
5. Tutorial of the week
The Burp Extension No One Told You About & Burp-Send-To-Extension
burp-send-to is a Burp extension that allows you to send requests to any command line tool. If this reminds you of something, it might be piper, but the two extensions work differently. Piper allows you to run CLI tools and view the results inside Burp, while burp-send-to runs tools in a terminal. It saves you the hassle of copy-pasting requests from Burp to the terminal when you want to pass them to tools like sqlmap or ffuf.
Since burp-send-to went unnoticed when it was released, @fyoorer is sharing how he uses it and why you may want to!
Other amazing things we stumbled upon this week
- Darknet Diaries Ep 82: Master of Pwn
- Security Now: Sunburst & Supernova – Ransomware Task Force, Chrome 87, Firefox Caches, Preserving Flash Video & SolarBlizzard – SolarWinds’ Orion Software, Swatting Goes IoT, PHP Zend Framework Vulnerability
- Risky Business #609 — It’s not NotPetya
- Kubernetes Clusters, Microsoft Solarigate, & Apple’s Security DIY – ASW #135
- ElectroRAT, Zyxel Vulnerability, Ticketmaster, & Section 230 – SWN #91
- Cyber Security Sauna 048 | The Year in Cyber: 2020
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Burp Customizer: Because just a dark theme wasn’t enough!
- ote (One Time Email): Generate Email, Register for anything, Get the OTP/Link
- Mapper: A tool to help the distributed scanning of hosts
- BurpRequestCleaner: Burp extension that redacts potentially sensitive header and parameter values from requests using Shannon Entropy analysis
- blackrock-go: Golang port of the BlackRock cipher from the Masscan project
- Clairvoyance: Obtain GraphQL API schema despite disabled introspection!
- Lilly: Tool to find the real IP behind CDNs/WAFs like Cloudflare using passive recon by retrieving the favicon hash. For the same hash value, all the possible IPs, ports and SSL/TLS certs are searched to validate the target in scope.
- Eyeballer Pytorch version: A reimplementation of Bishop Fox’s Eyeballer in PyTorch
- Tamper DEV / Tamper Chrome: Extension by Google that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).
- Soxy: Multi-threaded socks proxy checker written in Go!
- bountyRecon v2: Framework to automate Bug Bounty Reconnaissance
- OpenCVE: Platform that alerts you about new vulnerabilities related to the CVE list (formerly known as Saucs)
- ctf-collab: Create a collaborative programming environment inside GitHub Actions – like Google Docs for hacking competitions
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/27/2020 to 01/03/2021.