Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 1st to February 8th.
Our favorite 5 hacking items
1. Writeup of the week
Wow, this is such a great writeup! If you don’t have time to check out anything else, just read this for a dose of mindblowing Web security research. Alex Birsan (@alxbrsn) explains an attack he calls “dependency confusion” that affected big companies.
In a nutshell: if a company installs Python, Ruby or Node dependencies from a private package that does not exist on the public registry, and someone publishes a public package with the same name and a higher version number, the package manager gives preference to the public package. That makes it possible to run code on the target’s internal servers and developers’ PCs. That’s how Alex pwned Paypal, Shopify, Apple, Microsoft and many more.
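To make the resolution rule concrete, here is an added example (written for this issue, not code from Alex’s research or from any real package manager). It models a resolver that merges every configured index and takes the highest version it sees, the hardened variant that pins each internal name to the index it must come from, and an audit that flags which private names are exposed. The index contents, package names and version numbers are constructed for the demo.

```python
# Constructed snapshots of what each index serves; the names and versions are made up.
PRIVATE_INDEX = {"acme-billing": ["1.2.0", "1.3.1"], "acme-auth": ["0.9.0"]}
PUBLIC_INDEX = {"acme-billing": ["99.0.0"], "requests": ["2.25.1"]}


def parse_version(v: str) -> tuple:
    """'1.3.1' -> (1, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def resolve_naive(name: str, indexes: list) -> tuple:
    """Model of a resolver that pools candidates from every index and keeps the
    highest version, regardless of which index offered it. indexes is a list of
    (label, index_dict). Returns (version, index_label)."""
    candidates = [
        (parse_version(v), label) for label, idx in indexes for v in idx.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"no candidate for {name}")
    version, label = max(candidates)
    return ".".join(map(str, version)), label


def resolve_pinned(name: str, index_map: dict, indexes: list, default: str = "public") -> tuple:
    """Hardened model: every internal name is explicitly mapped to the index it
    must come from, so a public package with the same name is never a candidate."""
    wanted = index_map.get(name, default)
    return resolve_naive(name, [(label, idx) for label, idx in indexes if label == wanted])


def audit_private_names(private_index: dict, public_index: dict) -> dict:
    """For each private name report whether the public index already wins the
    version race ('public-wins'), whether the name is unclaimed on the public
    index and could be registered by anyone ('unregistered'), or 'ok'."""
    report = {}
    for name, versions in private_index.items():
        public_versions = public_index.get(name)
        if not public_versions:
            report[name] = "unregistered"
        elif max(map(parse_version, public_versions)) > max(map(parse_version, versions)):
            report[name] = "public-wins"
        else:
            report[name] = "ok"
    return report


INDEXES = [("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)]
PINS = {"acme-billing": "private", "acme-auth": "private"}

if __name__ == "__main__":
    print("naive :", resolve_naive("acme-billing", INDEXES))
    print("pinned:", resolve_pinned("acme-billing", PINS, INDEXES))
    print("audit :", audit_private_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

The audit is the part a defender would run over a build’s lockfile: an internal name that is unclaimed on the public registry is the precondition for the attack, so claiming those names (or scoping them) and pinning internal packages to the private index are the two fixes this model separates out.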
Silent Signal researchers had to test an RSA implementation but did not have the public keys used to verify signatures. So they came up with a new technique to derive the public key from just two signatures (and the messages they sign). The most interesting bit for bug hunters is that it helps forge JWT tokens, as shown in the PoC exploiting CVE-2017-11424 (a key confusion vulnerability in pyJWT).
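The arithmetic behind the recovery is short enough to show end to end. The script below is an added example, not Silent Signal’s code: it builds a toy RSA key from two Mersenne primes (so no key-generation library is needed), signs two messages with PKCS#1 v1.5 padding, then recovers the modulus from the signatures alone using the fact that s^e − m is an exact multiple of N for every valid signature. The exponent e is assumed to be guessed (here fixed at 17 so the intermediate s^e stays a few kilobits; with 65537 the same gcd works on much larger numbers). Primes, exponent and messages are all constructed for the demo.

```python
import hashlib
from math import gcd

# Toy RSA key from two Mersenne primes, constructed for this demo only.
P = 2**127 - 1
Q = 2**607 - 1
N = P * Q
E = 17  # small public exponent so pow(s, E) stays manageable; real keys usually use 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_pkcs1_v15(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5: 0x00 0x01 FF..FF 0x00 DigestInfo||SHA-256(msg), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    ps = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + ps + b"\x00" + t, "big")


def sign(msg: bytes) -> int:
    return pow(encode_pkcs1_v15(msg), D, N)


def verify(sig: int, msg: bytes, n: int, e: int = E) -> bool:
    return pow(sig, e, n) == encode_pkcs1_v15(msg)


def recover_modulus(sig_msg_pairs, e: int = E) -> int:
    """Recover N from (signature, message) pairs and a guessed exponent e.

    For a valid signature s over padded message m, s**e - m == k * N for some
    integer k, so the gcd over two or more pairs is N times gcd(k1, k2, ...).
    That cofactor is almost always tiny; the trial-division loop strips it.
    """
    g = 0
    for s, msg in sig_msg_pairs:
        g = gcd(g, pow(s, e) - encode_pkcs1_v15(msg))
    for f in range(2, 100_000):
        while g % f == 0:
            g //= f
    return g


if __name__ == "__main__":
    msgs = [b"first signed message", b"second signed message"]
    sigs = [sign(m) for m in msgs]
    recovered = recover_modulus(list(zip(sigs, msgs)))
    print("recovered modulus equals N:", recovered == N)
    print("signature verifies under recovered key:", verify(sigs[0], msgs[0], recovered))
```

Two signatures are the minimum because a single s^e − m is k·N with an unknown k; the gcd of two such values cancels the unrelated cofactors. In a black-box test you would try the common exponents in turn and accept the first e for which the recovered modulus verifies both signatures.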
3. Tools of the week
UDdup is a handy Python tool that detects similar endpoints (e.g. /product/123?is_prod=false and /product/222?is_debug=true) in a list and removes them. This is helpful for removing redundant URLs from the output of recon tools like gau or waybackurls.
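For readers who want to see what “similar endpoint” means in practice, here is an added example of the idea (my own simplified implementation, not UDdup’s algorithm). It normalises each URL into a signature by replacing numeric and long hex path segments with a placeholder and ignoring the query string, then keeps only the first URL per signature. The sample URL list is constructed, not real recon output.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what a URL-harvesting tool might emit (not real recon data).
SAMPLE_URLS = [
    "https://shop.example/product/123?is_prod=false",
    "https://shop.example/product/222?is_debug=true",
    "https://shop.example/product/222?is_debug=true&utm=1",
    "https://shop.example/cart",
    "https://shop.example/cart?ref=abc",
    "https://shop.example/api/v2/users/42",
    "https://shop.example/api/v2/users/9001",
    "https://static.example/img/a1b2c3d4e5f6.png",
]

# Path segments that look like identifiers: all digits, or 8+ hex characters.
HEXISH = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


def normalize_segment(seg: str) -> str:
    """Replace an id-like segment (or the stem of an id-like file name) with {id}."""
    stem, dot, ext = seg.rpartition(".")
    if not dot:  # no extension: rpartition put the whole segment in ext
        stem, ext = seg, ""
    if stem.isdigit() or HEXISH.match(stem):
        stem = "{id}"
    return stem + dot + ext


def url_signature(url: str) -> tuple:
    """(host, normalised path); the query string is deliberately ignored."""
    parts = urlsplit(url)
    path = "/".join(normalize_segment(s) for s in parts.path.split("/"))
    return parts.netloc.lower(), path


def dedup_urls(urls) -> list:
    """Keep the first URL seen for each signature, preserving input order."""
    seen = set()
    kept = []
    for url in urls:
        sig = url_signature(url)
        if sig in seen:
            continue
        seen.add(sig)
        kept.append(url)
    return kept


if __name__ == "__main__":
    for url in dedup_urls(SAMPLE_URLS):
        print(url_signature(url)[1], "<-", url)
```

Dropping the query string is a deliberate choice that matches the example in the text (two /product/ URLs with different parameters collapse to one); if you care about distinct parameter names, fold the sorted parameter names into the signature instead.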
dwn is a “docker-compose for hackers”. @leonjza created it to solve some limitations of docker-compose. It allows you to run dockerized tools from any folder with the ability to make on-the-fly configuration changes, dynamic port maps and volume mounts (all of which aren’t possible with docker-compose).
4. Videos of the week
These videos will be very informative if you want to improve your recon. @codingo_ shares why using sources directly (as opposed to running multiple subdomain enumeration tools) can be beneficial and how to do it, with a focus on the Rapid7 Open Data project.
5. Resource of the week
This is a new cool cheatsheet full of XSS payloads, filter bypasses and tips that work in modern browsers.
Other amazing things we stumbled upon this week
- WhatsApp – a malicious GIF that could execute code on your smartphone – Bug Bounty Reports Explained
- Does Hacking Require Programming Skills?
- @Busra Demir Talks About Pentesting, Content Discovery, Getting Started With OSCP, Creating Content🔥
- Android Pentesting | Insecure Logging & Storage + Setup Genymotion & pidcat – Pt. 02
- $2 Rubber Ducky – Steal WiFi Passwords in Seconds
- Hack From Anywhere! – ZeroTier Remote Access
- DAY Episode 63 – MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
- SCADA Scandal – Defender Thinks Chrome is Malware, Plex Media Servers in DDoS Attacks
Webinars & Webcasts
- BSides København 2020, especially:
Medium to advanced
- Recon with Me !!!
- bash aliases: command-line tools #3
- A Pentester’s Guide to WebSocket Pentesting
- Skeletons in the IT Closet: Seven Common Microsoft Active Directory Misconfigurations that Adversaries Abuse
- Relaying 101
- Bypassing WAFs (Web Application Filters)
- RCE using Path Traversal
- Customising an existing evilginx phishlet to work with modern Citrix
Responsible(ish) disclosure writeups
- Automatic Vulnerability ApacheDruid Remote Code Execute Detection and Exploitation & Nuclei template #RCE #Web
- Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities #RCE
- Unauthenticated SQL injection Time-based user enumeration #Web #CodeReview
Bug bounty writeups
- How I was able to Turn a XSS into a Account Takeover
- Facebook Messenger Desktop App Arbitrary File Read (Facebook, $2,000)
- Escalating SSRF to RCE
- XXE To AWS Metadata Disclosure
- How I Gain Access to the Server Administration of a Million-Dollar Company ($5,000)
- Microsoft Remote Desktop Web Access Authentication Timing Attack (Microsoft)
- Reflected XSS on a Public Program
- SSRF Exploitation in Libreoffice Spreadsheet File Converter
- Spoofing and Attacking With Skype (Microsoft)
- Github Account hijack through broken link in developer.twitter.com (Twitter)
See more writeups on The list of bug bounty writeups.
- Ditto: A Go tool for IDN homograph attacks and detection
- Doldrums & Reverse engineering Flutter for Android: A Flutter/Dart reverse engineering tool
- WebDork: A Python tool to automate Google dorking
- Thumbscr-EWS & Intro: A wrapper around the amazing exchangelib to do some common EWS operations
Tips & Tweets
- _method swapping on Rails & Symfony apps
- Subdomain takeover edge cases on can-i-take-over-xyz
- UUID bypass for IDOR
- Bash alias to proxy curl traffic through Burp
Misc. pentest & bug bounty resources
- @sec_r0’s WebAuthZine
- Top 25 Vulnerability Parameters based on frequency
- Awesome Azure Penetration Testing
- 18 Inclusive Communities Worth Joining
- The 10 Most Common Bugs Of 2021 So Far, And How To Find Them!
- Google: Data Driven Security Hardening in Android
- Wave 2 – Analysis of Internet Wide Web Servers
- Hunting Azure Blobs Exposes Millions of Sensitive Files
- Relay Attacks via Cobalt Strike Beacons
Bug bounty & Pentest news
- Project Discovery: We are going fulltime
- Announcing The Hacker Of The Hill (February 20)
- Google: Vulnerability Reward Program: 2020 Year in Review
- Working with other hackers on the same targets/bounty
- Mortgage with Bug Bounties — Week 1
- Hacker Spotlight: Interview With Hazimaslam
Community pick of the week
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.