Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 5 to 12.
Our favorite 5 hacking items
1. Article of the week
Contextual Content Discovery: You’ve forgotten about the API endpoints & Kiterunner
This is about Kiterunner, a groundbreaking content discovery tool that Assetnote released at BSides Canberra 2021. Its premise is that existing tools mostly bruteforce files and folders from a wordlist, so they miss routes in modern apps and APIs that only respond to a specific HTTP method, header or parameter (a POST-only JSON endpoint answers a bare GET with a 4xx and gets filtered out as noise).
Kiterunner addresses this with context-aware bruteforce: it replays routes, with the method, headers and parameters each one expects, taken from Swagger/OpenAPI files collected from several data sources and from Internet-wide scanning.
Note that in addition to the tool itself, the article presenting the whole research is a gem. It also links to the Swagger dataset used and slides.
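To make the point of the research concrete, here is a small added example. It is not Kiterunner's or Assetnote's code and is not from the article; it only shows how a Swagger/OpenAPI document yields the method, path parameters, headers and request body a route expects, and how many of those routes a GET-only wordlist scan never sees. The `SAMPLE_SPEC` API, the placeholder values and the wordlist are constructed for the demo.

```python
"""Context-aware route probing from a Swagger/OpenAPI document.

Added example, not Kiterunner's code: derive one concrete probe per
(path, operation) from a spec, and compare with a GET-only wordlist scan.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Placeholder values for typed parameters (demo assumption, not from the article).
PLACEHOLDERS = {"integer": "1", "number": "1", "string": "test", "boolean": "true"}

# Constructed OpenAPI 3 document for a hypothetical API; not a real dataset.
SAMPLE_SPEC = json.loads(r"""
{
  "openapi": "3.0.0",
  "servers": [{"url": "/api/v2"}],
  "paths": {
    "/users": {
      "get": {},
      "post": {"requestBody": {"required": true, "content": {"application/json":
        {"schema": {"type": "object", "properties":
          {"email": {"type": "string"}, "role": {"type": "string"}}}}}}}
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true,
                      "schema": {"type": "integer"}}],
      "get": {},
      "delete": {}
    },
    "/admin/export": {
      "post": {"parameters": [{"name": "X-Api-Key", "in": "header", "required": true,
                               "schema": {"type": "string"}},
                              {"name": "format", "in": "query",
                               "schema": {"type": "string"}}]}
    }
  }
}
""")


@dataclass
class Probe:
    """One concrete request a context-aware scanner would send."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    body: dict | None = None

    def as_curl(self) -> str:
        url = f"https://target{self.path}"
        if self.query:
            url += "?" + "&".join(f"{k}={v}" for k, v in self.query.items())
        parts = [f"curl -X {self.method} '{url}'"]
        parts += [f"-H '{k}: {v}'" for k, v in self.headers.items()]
        if self.body is not None:
            parts += ["-H 'Content-Type: application/json'", f"-d '{json.dumps(self.body)}'"]
        return " ".join(parts)


def _placeholder(param: dict) -> str:
    return PLACEHOLDERS.get(param.get("schema", {}).get("type", "string"), "test")


def _body_from_schema(request_body: dict) -> dict | None:
    schema = request_body.get("content", {}).get("application/json", {}).get("schema")
    if not schema:
        return None
    return {name: PLACEHOLDERS.get(prop.get("type", "string"), "test")
            for name, prop in schema.get("properties", {}).items()}


def routes_from_spec(spec: dict) -> list[Probe]:
    """Turn every (path, operation) pair into a probe carrying the context it needs."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    probes = []
    for template, item in spec["paths"].items():
        shared = item.get("parameters", [])  # path-level params apply to every operation
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            path, headers, query = base + template, {}, {}
            for param in shared + op.get("parameters", []):
                value = _placeholder(param)
                if param["in"] == "path":
                    path = path.replace("{%s}" % param["name"], value)
                elif param["in"] == "header":
                    headers[param["name"]] = value
                elif param["in"] == "query":
                    query[param["name"]] = value
            body = _body_from_schema(op["requestBody"]) if "requestBody" in op else None
            probes.append(Probe(method.upper(), path, headers, query, body))
    return probes


def naive_wordlist_hits(spec: dict, wordlist: list[str]) -> set[str]:
    """What a GET-only wordlist scanner sees on the same API: only literal paths
    present verbatim in the wordlist that also accept GET (a POST-only or
    parameterised route answers 4xx and is dropped as noise)."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    return {base + "/" + w.strip("/") for w in wordlist
            if "get" in spec["paths"].get("/" + w.strip("/"), {})}


if __name__ == "__main__":
    probes = routes_from_spec(SAMPLE_SPEC)
    for p in probes:
        print(p.as_curl())
    print("GET/wordlist finds:", naive_wordlist_hits(SAMPLE_SPEC, ["users", "admin", "export", "login"]))
    print("context-aware probes:", len(probes))
```

On this constructed spec the wordlist scan recovers a single route (`GET /api/v2/users`) while the spec-driven pass yields five, including `DELETE /users/1` and the header-gated `POST /admin/export`; the interesting targets are exactly the ones a method-blind scan discards.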
2. Writeups of the week
What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from…
Unexpected Journey #7 – GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425)
@mikey96_bh shares interesting research on abusing the payment systems of UK online gambling companies. By chaining logic bugs with bruteforce, he was able to deposit money ($25k!) into his betting account for free.
The second writeup is a detailed account of a remote code execution @mdisec found in GravCMS. It is an excellent read and a good example of RCE found with PHP code review.
3. Video of the week
XSS to LFI to RCE – Search for LFI everywhere!
Did you know that an XSS payload can be rendered server-side and chained into LFI and then RCE? That is what this video by @PinkDraconian is all about. It is short but very well explained!
4. Tool of the week
Autowasp is a Burp Suite extension for Web penetration testers. It adds a tab where you can load the OWASP Web Security Testing Guide (WSTG) checklist or your own custom checklist.
Since pentesters often have to follow this type of checklist, the extension streamlines the process. It allows you to keep track of your progress, add comments, note requests related to each check (via a “Logger tab”), etc. All in all, a pretty handy extension!
5. Conferences of the week
Exploiting Misconfigured JIRA Instances for $$ with Harsh Bothra & Slides
All NahamCon2021 talks are now public. If you are into bug bounty, recon or Web app security, make sure to check them out! For the slides and village talks that were released earlier, take a look at Bug Bytes 114.
Another interesting talk by @harshbothra_ is about exploiting misconfigured Jira instances. If you’re new to the topic, this is a nice introduction to Jira hacking.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- PD Actions & Intro: Continuous recon and vulnerability assessment using GitHub Actions
- Kubesploit & Intro: A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments
- goop: Yet another tool to dump a git repository from a website
- GodSpeed: Fast and intuitive manager for multiple reverse shells
- protoscan: Prototype Pollution Scanner in Golang, based on @TomNomNom’s NahamCon2021 talk
- Bloodhound for Linux & Intro: Ingest openldap data into bloodhound
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Thank you for the compliment @iambouali, you are too kind!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!