Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 15 to February 22.
Our favorite 5 hacking items
1. Video of the week
How to Find Your First Bug & TL;DR
Struggling to find your first bug? @InsiderPhD has some sensible tips that might help, including technical skills to learn and what to focus on. Make sure to watch the whole video, the note-taking tip at the end will help you maximize learning when reading writeups.
2. Writeup of the week
Enumerate internal cached URLs which lead to data exposure (Facebook, $4,800)
This writeup is about an issue in server-side caching on Facebook. @Samm0uda discovered an endpoint on developers.facebook.com that returned whether a URL (or partial URL) was present in the cache or not. The bug looks so obvious after reading about it! It sounds like a feature, I’m not sure I would’ve considered it a weakness leading to serious information disclosure (e.g. disclosure of URLs containing access tokens).
So, this is a great example that shows why it is important to always keep in mind business and technical impacts when assessing the security of a Web app.
3. Articles of the week
Misconfigurations in Java XML Parsers
Middleware, middleware everywhere – and lots of misconfigurations to fix
The first article is an amazing read if you’re interested in XXE or SSRF (via XXE). It goes over different scenarios that make Java XML parsers vulnerable. For instance, if HTTP(S) and FTP are blacklisted, you can still find a blind XXE by making an FTP request with a file:// URL!
The second article sums up some new misconfigurations in middleware for Nginx (for example HTTP splitting against misconfigured proxies that use cloud storage solutions). These misconfigurations are very interesting to learn about and test for! They bypass current mitigations and can still be found even on hardened targets.
4. Tutorials of the week
Top 10 Tips for Burp Suite
Client Side Encryption Bypass Part-2 & Part-3
The first tutorial presents ten really practical Burp tips. Power users might already know them, but it takes only a minute to go through them and maybe learn a new useful feature that’ll change your Burp experience.
5. Tool of the week
Mubeng is a fast proxy IP rotator that will help bypass any type of IP ban (WAF, rate-limiting, bruteforce protection, etc). It’s written in Go, supports the HTTP and SOCKSv5 protocols, supports all HTTP(S) methods, and includes a proxy checker to make sure your proxy IP is still alive.
What I like the most about it is its ease of use. You just give it a list of proxy IPs, it randomly rotates between them after a certain number of requests. It can also be chained with Burp and ZAP as an upstream proxy.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- iframe-broker: Chrome / Firefox extension to log iframe and cross window communications
- MoneyScope: A Simple Tool to Pull Paid Bounty Scopes for Wide Recon Activities
- MacHound & Intro: An extension to the BloodHound auditing tool allowing collecting and ingesting of Active Directory relationships on macOS hosts
- AzureC2Relay & Intro: Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile
Misc. pentest & bug bounty resources
Community pick of the week
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.