By Anna Hammond
February 17, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 8 to February 15.
New XSS challenge, curated by @holme_sec
Congratulations @StanFaas, @holme_sec and @qimpz for your new hacker portraits!
New “Bounty bag” item in our swag store
Google’s Open Source Vulnerabilities, A US town’s water supply hack & Windows/Chrome security concerns
Scope Based Recon Methodology: Exploring Tactics for Smart Recon
You might’ve already seen Harsh Bothra (@harshbothra_)’s past talks on this same topic. This is a nice complement that includes a recon methodology with three options based on the program’s scope (small, medium and large), links to tools and a summary mindmap.
OAuth Misconfiguration Leads to Full Account takeover
This is an interesting finding by Yasser Mohammed (@boomneroli). It starts with an OAuth CSRF that doesn’t work despite the missing CSRF token, continues with debugging it using postMessage-logger, and ends up being a cool bug chain involving OAuth CSRF, postMessage and Clickjacking that leads to account takeover.
For other cool writeups, also keep an eye on @Samm0uda who started sharing some of his 50 bugs found in Facebook.
Finding More IDORs – Tips And Tricks
The Lone Sharepoint
Who doesn’t like IDOR? The first tutorial goes over several IDOR techniques to check on ID parameters and API calls.
The second article is a nice collection of SharePoint attacks that might come in handy during a pentest.
Shortly after the new dependency confusion writeup was published, @joohoi shared this tool that automates checking for it. It is written in Go and currently supports three package managers (pypi, npm and composer).
Language Agnostic Security Code Review
This article provides a language-independent methodology for security code review. Of course, the more knowledge you have of a programming language, the better code review you can do, but this is a good start. It’s a basic methodology to build upon with experience.
Bounty Thursdays #25 – Will AI really destroy the cyber security industry? find out now!
[Live Stream] CodeQL Code Scanning Language Tutorial #CodeReview #CodeQL
C.O.M.B. – Florida Water Supply Hack Update, Major Patch Tuesday, Android SHAREit Vulnerability
DAY[0] Episode 64 – ICS Fails, iOS and Windows Kernel Bugs, and a Package Disguised
GPGME Used Confusion, It’s Super Effective! #API #VMWare
Exploiting CVE-2021-25770: A Server-side Template Injection In Youtrack
CVE-2020-35700: Exploiting a Second-Order SQL Injection in LibreNMS < 21.1.0 #Web
CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED) #RCE #Web
Hacking Chess.com and Accessing 50 Million Customer Records (Chess.com)
Access files uploaded by employees to internal CDNs / Regenerate URL signature of user uploaded content. (Facebook, $12,500)
Takeover an account that doesn’t have a Shopify ID and more (Shopify, $23,550)
External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing (TikTok, $2,727)
Remote hacker can download all the files of master branch in public projects where everything is members only. (GitLab, $1,500)
Regular expression denial of service in ActiveRecord’s PostgreSQL Money type
See more writeups on The list of bug bounty writeups.
dooked: DNS and Target HTTP History Local Storage and Search
RepeaterClips: Burp extension that sends a compressed Base64 encoding of any request to your clipboard for easily sharing it
BurpParamFlagger: Burp extension that adds a passive scan check to flag parameters whose name or value may indicate a possible insertion point for SSRF or LFI
Reconmap: Open-source pentesting management and reporting platform
Alternative to @terjanq’s unlimited iframe DOM-clobbering without the need of name="X"
Avoid Google ReCAPTCHA detecting Burp proxy and raising the challenge difficulty
Different ways to handle CSRF tokens in Burp that must be different for each request
regex.rip: Check if a regex is vulnerable to ReDoS
NahamCon2021 (March 14)
Burp Professional / Community 2021.2.1 updates:
Well done on the XSS challenge, @liam_galvin!
Do you want swag too? Then make sure to check out our current XSS challenge! And tag us on social media if you want to share any cool swag, bug bounty wins and joys.