Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 17 to 24.
Our favorite 5 hacking items
1. Tools of the week
Armada is @d0nutptr‘s high performance TCP SYN port scanner in Rust. It doesn’t do any type of scans other than TCP SYN scans (so Nmap isn’t dead yet!), but does that extremely fast.
I did a mini-benchmark by scanning all TCP ports on a target just to get an idea of its performance. Masscan was fast but missed the open ports (maybe I misused it?), Nmap would’ve surely found them but it was so slow I stopped it, and Armada found all open ports in less than a minute. Armada’s accuracy and speed make it a worthwhile tool to experiment with.
IPATool allows you to search and download iOS app packages (or IPA files) from the App Store using your Apple ID, all from the command-line. It supports 2FA and streamlines the process of fetching IPA files, making it a very useful utility for iOS app testers. Great work by @freemanrepo!
2. Writeup of the week
Finding and Exploiting Unintended Functionality in Main Web App APIs ($4,000)
This is an excellent writeup on API hacking. @bendtheory reports two vulnerabilities (IDOR and Information disclosure / Privilege escalation) found on bug bounty programs and, more importantly, the detailed methodology used to find them. It is generic enough that you can reproduce it and add to it to find similar bugs on other targets.
3. Videos of the week
SecuriTEA & Crumpets – Episode 6 – Gareth Heyes – Hackvertor
Why do Bug Bounty hunters love Obsidian?
If you’re curious to know how Hackvector’s own creator, @garethheyes uses it, I highly recommend the first video. In addition to the tool’s basics, Gareth covers some advanced features like custom tags, tag variables, how to use Hackvector in Repeater and Intruder, how to use it for JS hacking, etc.
Make sure you’re not missing out on any features of this powerful Burp extension!
The second video is about note-taking. Even if you don’t want to use Obsidian, it is very informative for anyone who struggles with organizing bug bounty notes.
@InsiderPhD goes over the different types of notes you can take during bug hunting (knowledge base vs notes on targets), a methodology for note-taking, and how Obsidian has unique features that make it complementary to other tools like Notion.
4. Article of the week
Method Confusion In Go SSTIs Lead To File Read And RCE.
If you look at SSTI research and repos like PayloadsAllTheThings and HackTricks, there isn’t much about SSTI in Go apps. The only resource I could find is this article about exploiting SSTI in Go to get XSS. But what if we want more than a simple PoC or XSS? What if we want RCE?
That’s what this new research by @SecGus is all about. It describes how methods defined in the modules imported by an app can be called using template injection, and leading to various actions like File read or RCE.
5. Conference of the week
HTTP Request Smuggling via higher HTTP versions, Slides, Additional tip & All PHDays 10 talks
PHDays 10 videos are released, including many interesting talks for pentesters and bug hunters on topics like insecure deserialization, pentesting AI apps, pwning mobile apps and WebView security. There is only one small hiccup: talks are in Russian, dubbed in English with some slides only in Russian.
It’s still worth checking out, especially @emil_lerner‘s presentation on new HTTP Request Smuggling research.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- DivideAndScan: Automate port scans into 3 phases using Nmap and Masscan / RustScan / Naabu
- pyWhat: Identify anything. pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it’ll tell you what it is!
- HelpColor: Agressor script that lists available Cobalt Strike beacon commands and colors them based on their type
- DNSStager & Intro: A Pythool tool to hide your payload in DNS
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Excellent thinking, @CookiesHttpOnly. Very well done!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!