Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 29 to April 5.
Our favorite 5 hacking items
1. Writeups of the week
Breaking GitHub Private Pages for $35k (GitHub, $35,000)
This Man Thought Opening A TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761 (Apple)
Facebook account takeover due to a wide platform bug in ajaxpipe responses (Facebook, $30,000)
I Built a TV That Plays All of Your Private YouTube Videos (Google, $6,000)
The first finding is a cool bug chain by @NotDeGhost that combines XSS, CRLF injection and web cache poisoning on GitHub Pages.
The second writeup will forever change what you think about TXT files being harmless. @PaulosYibelo found a way to inject HTML into TXT files so that simply opening one on macOS leaks local data to an attacker.
The third writeup is about @Samm0uda finding yet another creative way to pwn Facebook, with an impressive account takeover.
Lastly, @xdavidhu shared an excellent writeup on a CSRF in YouTube for Android TV that made it possible to access anyone’s private videos.
2. Challenges of the week
$31,000 Google Cloud blind SSRF + HANDS-ON labs
NodeJS WebSocket SQLi vulnerable WebApp
The first link is actually a video explanation of @david_nechuta's $31k blind SSRF on Google Cloud Monitoring. It also links to a lab by @gregxsunday that recreates the vulnerability. This is an excellent opportunity not only to understand but also to practice exploiting a real-world blind SSRF.
The second challenge is a WebSocket Web app vulnerable to blind SQL injection. @rayhan0x01 created it to practice automating SQL injection over WebSockets, and made it public to our great delight.
3. Article of the week
Never a dill moment: Exploiting machine learning pickle files & Fickling
Machine learning is one of those topics that seems so complex that I don't dare to try and learn how it works, let alone how to exploit it. This article makes the topic approachable.
Many machine learning model files (PyTorch checkpoints among them) are just Python pickle files under the hood, and unpickling executes whatever the file tells it to, so loading a model from an untrusted source amounts to running untrusted code. The article explains all that with a bug example found in PyTorch, plus Fickling, a Python pickle decompiler and static analyzer that lets you inspect a pickle without loading it.
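To make the pickle point concrete, here is an added example (standard library only; not the article's code and not Fickling's): a constructed "model" whose pickle runs a call of the attacker's choosing on load, an opcode-level scan built on `pickletools.genops` that lists what a pickle would import without executing it, and a restricted `Unpickler` that only resolves allow-listed globals. The model contents and the allow-list are assumptions for the demo.

```python
"""Pickle-backed ML model files are executable, not just data. Added example,
standard library only: a constructed malicious "model", a static opcode scan,
and a restricted loader. Not code from the article or from Fickling."""
import collections
import io
import pickle
import pickletools


class MaliciousModel:
    """Anything with __reduce__ can make pickle call a function of its choice
    on load. The call here is harmless (it returns the current directory), but
    os.system or subprocess.Popen plug in identically."""

    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def build_malicious_model() -> bytes:
    # Constructed stand-in for a tampered checkpoint file.
    return pickle.dumps(MaliciousModel(), protocol=4)


def build_benign_model() -> bytes:
    # Constructed stand-in for a legitimate checkpoint: only a container type.
    weights = collections.OrderedDict(weights=[0.1, 0.2], layers=2)
    return pickle.dumps(weights, protocol=4)


def load_unsafely(data: bytes):
    """What a plain pickle.load / torch.load does: run whatever is inside."""
    return pickle.loads(data)


STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list:
    """Static scan: walk the opcode stream with pickletools.genops (which never
    executes anything) and return every (module, name) the pickle would import.
    GLOBAL (protocols 0-3) carries 'module name' as its argument; STACK_GLOBAL
    (protocol 4+) takes module and name from the two strings on the stack, so a
    minimal model of string pushes and the memo is kept. Non-string values are
    tracked as None; they never feed STACK_GLOBAL."""
    found, stack, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif name == "STACK_GLOBAL":
            found.append((stack[-2], stack[-1]))
            stack[-2:] = [None]           # the resolved global replaces both strings
        elif name in STRING_OPS:
            stack.append(arg)
        elif name == "MEMOIZE":           # protocol 4: memo[len(memo)] = top of stack
            memo[len(memo)] = stack[-1] if stack else None
        elif name in PUT_OPS:             # protocols 0-3: memo[arg] = top of stack
            memo[arg] = stack[-1] if stack else None
        elif name in GET_OPS:
            stack.append(memo.get(arg))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime gate: find_class is consulted for every GLOBAL / STACK_GLOBAL."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def scan_and_load(data: bytes, allowed: set):
    """Reject at scan time if any import is outside the allow-list, then load
    under the restricted unpickler so the scan is not the only line of defence.
    Returns (True, object) or (False, reason)."""
    bad = [g for g in referenced_globals(data) if g not in allowed]
    if bad:
        return False, f"scan found disallowed globals: {bad}"
    try:
        return True, RestrictedUnpickler(io.BytesIO(data), allowed).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    allowed = {("collections", "OrderedDict")}      # assumed allow-list for the demo
    print(referenced_globals(build_malicious_model()))
    print(scan_and_load(build_benign_model(), allowed))
    print(scan_and_load(build_malicious_model(), allowed))
```

The scan is the cheap first pass (run it on anything before it reaches a loader); the `find_class` override is the backstop that still fires if a pickle reaches `load()` by some other path. Real checkpoints reference a handful of framework globals (tensor rebuild helpers, storage types), so an allow-list for them is small and stable, while `builtins.eval` or `os.system` never has a legitimate reason to appear.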
4. Tools of the week
If you find yourself often tweaking wordlists to change their format, you might like COOK. It’s a handy Go tool for quickly generating wordlists following “recipes”.
Another cool tool is intitools. @0xJeti created it to monitor his Intigriti activity feed, which you might find useful too. Any new program updates and submission messages are detected and sent as notifications to Slack or Discord.
5. Video of the week
Security YouTuber Drama…
All drama aside, this is the most heartwarming InfoSec video I’ve ever seen. I’m not gonna say more in case you haven’t watched it yet, except that you really need to!
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- wappalyzergo: A high performance Go implementation of the Wappalyzer technology detection library
- hakcron: Easily schedule commands to run multiple times at set intervals (like a cronjob, but with one command)
- Reflection: Automated Reflected Parameter Finder & XSS/SQLi/SSRF tester
- scanlimits: Tool to examine the behaviour of setuid binaries under constrained limits
- ldsview: Offline search tool for LDAP directory dumps in LDIF format
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Nice ride @abison_binoy 😎 Congrats on this cool achievement!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!