Bug Bytes #106 – THE blind SSRF reference, Apple & Microsoft RCEs & Scanning for logic flaws

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 10 to 17 of January.

Intigriti News

Did you know that Bug Bytes is two years old? It is time to freshen it up a bit and you can help us by providing your feedback. We love to improve based on data and insights. So, your input is highly appreciated and will help us improve the quality of this newsletter.

Fill out the survey for a chance to win an Intigriti Swag voucher of € 50.

The winner of the Intigriti Swag voucher will receive a personal email before January 27.

Take the survey

Introducing report collaboration: split these bounties!
Google Titan 2FA keys cloned, Microsoft Exchange’s unpatched RCE & Mimecast supply chain attack

Our favorite 5 hacking items

1. Resource of the week

A Glossary of Blind SSRF Chains & GitHub repo

This is a massive post on exploit chains that help escalate the impact of blind SSRF. This is simply a must see for bug hunters, a new amazing resource by @assetnote.

There is also a GitHub repo. You can contribute with additionl techniques by sending a pull request.

2. Writeups of the week

Finding 0day to hack Apple (Apple, $50,000)
Making Clouds Rain :: Remote Code Execution in Microsoft Office 365 (Microsoft)

There’s a bunch of exceptional findings and excellent writeups that were published this week. Make sure to check out the entire writeups section below. These two are the one that caught my attention the most for their impact and interesting technical details.

@rootxharsh and @iamnoooob got Remote Code Execution on three Apple subdomains by analyzing the CMS they use (Lucee). @steventseeley also popped shells but on Microsoft Office 365 and he also bypassed two different patches for the vulnerability.

3. Tools of the week

bbrf-burp-plugin

OpenAPI Security Scanner & Automating Permission Checks Using OpenAPI Security Scanner?

Remember BBRF, @honoki‘s Python tool for storing/querying bug bounty data in a CouchDB database? I’ve been using it and it is an excellent solution for easily handling assets and scopes. Now it also has a Burp plugin that allows you to add domains/URLs to your database from Burp! Fantastic, right?

The second tool is an innovative scanner for automating authorization tests. Logic flaws are notoriously difficult to automate but @ngalongc manages to do just that! His OpenAPI Security Scanner pointed to an API with a set of credentials monitors for changes in permissions and notifies you if any permissions have changed.

4. Video of the week

@Farah Hawa Talks About Learning How to Code, Javascript, Creating Content, Mentorship and more!

Anyone who thinks it is too late to start bug bounties or they don’t have the right technical background should watch this interview. @Farah_Hawaa shares her story and how she got into Web hacking in a relatively short time. She went from journalism / mass media studies to becoming a hacker, triager for a bug bounty platform and content creator. Such an inspiration!

5. Podcast of the week

Day[0] Episode 60 – Breaking Lock Screens & The Great Vbox Escape

Day[0] is already at episode 60 and I’ve just heard of it! I love that it’s not just about generic InfoSec news but also comments on very technical writeups and topics. A really nice discovery!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Tips

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

We’d love hearing from you and celebrating your wins! Tag us if like Stefan you’re in swag heaven or want to share your bug hunting joys with other Bug Bytes readers.