Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 22 to March 1.
Our favorite 5 hacking items
1. Article of the week
An Exploration of JSON Interoperability Vulnerabilities & Labs
@theBumbleSec dropped excellent research on JSON parsing inconsistencies that can lead to serious business logic vulnerabilities. This is gold for bug hunters, a highly recommended read!
2. Writeups of the week
SSRF: Bypassing hostname restrictions with fuzzing
How I Might Have Hacked Any Microsoft Account (Microsoft, $50,000)
Unauthorized RCE in VMware vCenter & CVE-2021-21972 checker for Nmap NSE
What amazing findings!
@dee__see found inconsistencies in two NodeJS URL parsers that led to SSRF. The attack was discovered by fuzzing with radamsa and leverages parser differentials (parsers again). Though the impact was low, the techniques used are so interesting!
@ptswarm disclosed an unauthenticated RCE in VMware vCenter that’s probably keeping some bug hunters busy.
@laxmanmuthiyah found an account takeover on Microsoft’s Forgot password page. It involves decrypting a security code, bruteforcing it and leveraging a race condition to bypass anti-bruteforce protections.
3. Conference of the week
Black Hat USA 2020
Black Hat USA 2020 videos were just released and there are no fewer than 91! There’s a lot to watch on all kinds of hacking topics. To navigate them easily, check the briefings for descriptions of each talk and links to slides.
4. Tutorials of the week
How to Break Your JAR in 2021 – Decompilation Guide for JARs and APKs
DOM XSS is Dead*, Long Live DOM XSS
Don’t worry, DOM XSS isn’t really dead! @InfoSecP4nda did some research on DOM XSS automation with Burp and shares the results. It’s interesting to know the limits of Burp when testing for these vulnerabilities.
The second tutorial is about decompiling JARs and APKs and covers different decompilation approaches and tools. If like me you’ve only heard of JD-GUI and jadx, I highly recommend reading this. Next time these two tools fail to decompile obfuscated code, for instance, you’ll know of other decompilation options!
5. Video of the week
SQL Injection | Complete Guide
This is a nice introduction to SQL injection by @rana__khalil. A great resource if you’re interested in the topic and prefer videos for learning.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- 4-ZERO-3: 403/401 Bypass Methods
- pyndiff: Generate human-readable ndiff output when comparing 2 Nmap XML scan files
- posta: Cross-document Messaging security research tool
- 1u.ms: DNS utilities in Go to detect and exploit SSRF & DNS rebinding (existed as an online utility and was just open sourced)
- Endgame: AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account
Misc. pentest & bug bounty resources
Bug bounty news