Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 15 to 22.
Our favorite 5 hacking items
1. Writeups of the week
H2C Smuggling in the Wild & h2cSmuggler
How I hacked Facebook: Part Two (Facebook, $54,800)
@seanyeoh published amazing research on H2C smuggling. He built on Jake Miller’s research on this vulnerability and exploited it in cloud providers that were initially considered not vulnerable.
The second writeup is about a cool bug chain that allowed @alaa0x2 to access a Facebook employee’s account and to compromise Facebook’s internal network. It involves SSRF, account takeover and cookie manipulation.
2. Article of the week
How we found and fixed a rare race condition in our session handling
GitHub released details about an interesting bug they fixed. It’s a race condition in their session handling that caused users logged into github.com to randomly be authenticated as other users.
3. Videos of the week
Hacking into Google’s Network for $133,337
Networking Fundamentals & Slides
Two videos of very different flavors: The first one is @LiveOverflow interviewing @epereiralopez about winning the 2020 Google Cloud Platform VRP Prize and the RCE that made it possible. So inspirational!
The second video is an excellent primer on networking fundamentals by @TomNomNom.
4. Tutorials of the week
Burp Suite – solving E-mail and SMS TAN multi-factor authentication with Hackvertor custom tags
Attack Surface Analysis – Part 2 – Custom Protocol Handlers
If you’re not familiar with the Hackvertor Burp extension, the first tutorial shows cool examples of its usage and capabilities (e.g. how it helps automate MFA authentication).
In the second tutorial, @CryptoGangsta dives deep into the attack surface of custom protocol handlers. It’s an excellent read, packed with information for hackers interested in desktop apps.
5. Resource of the week
Ways to alert(document.domain)
@TomNomNom shared this list of ~40 ways to execute alert(document.domain). It’s old and somehow I’m just finding out about it, but it’s still very relevant for bypassing WAFs and regexes.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- normal.py: Find unicode codepoints to use in normalisation and transformation attacks
- UnChain: A tool to find redirection chains in multiple URLs
- gitlab-unauth-parser & Intro: Parses unauthenticated Gitlab APIs for users, repos, groups and secrets
- xeuledoc: Fetch information about a public Google document
- Spectroscope: Chrome extension that helps search for endpoints potentially vulnerable to Spectre
- nList: An nmap script to produce target lists for use with various tools
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Well done, @sunilyedla2! Continue keeping calm and hacking, it suits you 🙂
Want to share your bug bounty wins, swag and joys with other Bug Bytes readers? Tag us on social media, we’d love to hear from you too!