Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 22 to 29.
Our favorite 5 hacking items
1. Articles of the week
Hidden OAuth attack vectors
Recovering A Full PEM Private Key When Half Of It Is Redacted
OAuth and SSRF are the gifts that keep on giving! @artsploit revealed three entirely new OAuth2 and OpenID Connect vulnerabilities: “Dynamic Client Registration: SSRF by design”, “redirect_uri Session Poisoning”, and “/.well-known/webfinger User Enumeration”. This is fantastic research, simply a must-read!
Also worth noting, ActiveScan++ was updated to detect and report these bugs.
The second article is the reason why you should never include a partially redacted PEM in a pentest report (or share it on social media). @CryptoHack__ was challenged to recover a full private key from a partially redacted private RSA key, and shows exactly how they did it.
2. Writeups of the week
From 500 to Account Takeover
[h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) (Shopify, $3,100)
Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918) & Serious Netmask vulnerability found to affect three Perl IP modules
The second writeup is a cool FQDN takeover on Shopify that @securinti found during a live hacking event. The impact is similar to subdomain takeover except that it didn’t require access to DNS records. It only took adding a single dot… but it’s better explained with video!
The third writeup is about a vulnerability affecting the Netmask NPM package used in almost 279k projects. If you like SSRF and IP validation bypasses, it’s worth a read.
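To make the IP validation issue concrete, here is an added Python illustration (not code from the netmask package or from the linked writeups) of why leading-zero octets are dangerous for an allow/deny filter. It contrasts a filter that reads every octet as decimal, the classic inet_aton() convention the OS socket layer follows (leading `0` is octal, `0x` is hex), and a strict parser that rejects anything non-canonical. The function names and the sample inputs are constructed for this example; for clarity the parsers only accept four-part addresses, whereas real inet_aton() also accepts shorter forms.

```python
"""Leading-zero octets mean different things to different IPv4 parsers.

Added illustration (not code from netmask or the linked writeups): three
parsers for a dotted quad, then a defensive check showing why a filter must
reject ambiguous input instead of guessing how the OS will read it.
"""
import ipaddress
import re
from typing import Optional, Tuple

Octets = Tuple[int, ...]


def naive_decimal_ipv4(text: str) -> Optional[Octets]:
    """Read every octet as base-10 and ignore leading zeros.

    This is the permissive behaviour of a filter that tolerates leading
    zeros: '0177' is read as 177 (a public-looking address)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        return None
    values = tuple(int(p, 10) for p in parts)
    return values if all(v <= 255 for v in values) else None


def inet_aton_style_ipv4(text: str) -> Optional[Octets]:
    """Apply the classic inet_aton() rules: a leading '0' means octal and a
    leading '0x' means hexadecimal. '0177' therefore becomes 127 (loopback).
    Simplified to exactly four parts for this example."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            v = int(p[2:], 16)
        elif re.fullmatch(r"0[0-7]*", p):
            v = int(p, 8)
        elif re.fullmatch(r"[1-9][0-9]*", p):
            v = int(p, 10)
        else:
            return None
        if v > 255:
            return None
        values.append(v)
    return tuple(values)


def strict_ipv4(text: str) -> Optional[Octets]:
    """Accept only canonical dotted-decimal: exactly four parts, no leading
    zeros, no hex. Anything else is rejected rather than interpreted."""
    if not re.fullmatch(r"(?:(?:0|[1-9][0-9]{0,2})\.){3}(?:0|[1-9][0-9]{0,2})", text):
        return None
    values = tuple(int(p) for p in text.split("."))
    return values if all(v <= 255 for v in values) else None


def is_loopback(octets: Octets) -> bool:
    """Classify via the bytes form so no string re-parsing is involved."""
    return ipaddress.IPv4Address(bytes(octets)).is_loopback


def filter_disagrees_with_os(text: str) -> bool:
    """True when a leading-zero-tolerant filter and the inet_aton() rules
    resolve the same string to different hosts: the gap an SSRF filter
    must not have."""
    naive = naive_decimal_ipv4(text)
    system = inet_aton_style_ipv4(text)
    return naive is not None and system is not None and naive != system


def safe_target_is_public(text: str) -> bool:
    """Defensive check: parse strictly, then refuse loopback, private and
    link-local space. Ambiguous spellings never reach the OS resolver."""
    octets = strict_ipv4(text)
    if octets is None:
        return False
    addr = ipaddress.IPv4Address(bytes(octets))
    return not (addr.is_loopback or addr.is_private or addr.is_link_local)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for sample in ["127.0.0.1", "0177.0.0.1", "0x7f.0.0.1", "8.8.8.8"]:
        print(sample, naive_decimal_ipv4(sample), inet_aton_style_ipv4(sample),
              strict_ipv4(sample), filter_disagrees_with_os(sample),
              safe_target_is_public(sample))
```

The design point is that the strict parser does not try to be cleverer than the OS: any string it cannot parse canonically is treated as invalid, so a filter built on it can never answer "public" for a string the socket layer will later connect to loopback. Comparing the bytes form via `ipaddress` keeps the classification independent of how a given Python version parses leading zeros in strings.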
3. Resource of the week
MindAPI (online version) & Repo
dsopas published this cool mindmap of API hacking resources and methodology for all types of APIs. If you’re into API hacking, this is a nice way to organize a lot of information on the topic (not only steps and tools, but also videos, writeups, labs, tutorials, etc).
4. Tutorials of the week
Poking At Elasticsearch: Beyond Just Dumping Data
SAML XML Injection
Elasticsearch is often associated with data dumps and information disclosure, but there is so much more to Elasticsearch security. The first tutorial shows how to brute-force credentials when an Elasticsearch instance is using authentication and what to do next after obtaining credentials (discovering user accounts and post-exploitation recon techniques).
The second article is about a vulnerability NCC Group pentesters detected in several assessments of SSO services. It is a great read about SSO / SAML hacking.
5. Tool of the week
masher & From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)
Masher stands for “multiple password ’asher”. It helps break password hashes when non-obvious combinations of hashing algorithms are used.
Identifying the type of a hash is something I always struggle with. So, I find this very helpful. Since it’s just a script using Python’s hashlib, it’s also easy to modify to add more combinations.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- S3 Account Search & Intro: Python tool that finds the AWS account ID of any public S3 object/bucket
- SQLMap DNS Collaborator: Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed
- gitrecon: OSINT tool to get information from a Github and Gitlab profile and find user’s email addresses leaked on commits
- nsdp-discover: Nmap NSE script to discover NSDP service and retrieve basic information
- harlogger: Simple utility for sniffing decrypted HTTP/HTTPS traffic on a jailbroken iOS device into HAR format
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
So happy for you @sumgr0! Keep it up 💪
Want to share your bug bounty wins, swag and joys with other Bug Bytes readers? Tag us on social media, we’d love to hear from you too!