Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 24 to 31.
Our favorite 5 hacking items
1. Tutorial of the week
Adventures into HTTP2 and HTTP3
This is an excellent introduction to the different HTTP specifications. @JCoertze took a look at HTTP/1.x, HTTP/2 and HTTP/3, their differences and what they mean in terms of security. With the increasing adoption of HTTP/2 and HTTP/3, it is essential for Web app testers to learn how they work and their risks.
2. Writeups of the week
AppCache’s forgotten tales (Google, $10,000)
CVE-2021-33564 Argument Injection in Ruby Dragonfly
@lbherrera_ delved into the security of Chrome’s AppCache before its deprecation and found two ways to leak sensitive information cross-origin. This is a great example of building on existing research to come up with new attacks.
ZX Security researchers discovered an argument injection vulnerability in the Ruby Gem Dragonfly, an image handling library used by multiple CMSs. Though it was possible to inject arguments, the library had filters against LFI and the usual command injection payloads. Remote code execution was achieved by exploiting ImageMagick’s convert utility.
This writeup is full of details on techniques tried that both worked and didn’t work, and interesting ImageMagick hacks.
3. Article of the week
Playing With Imagetragick Like It’s 2016
While we’re on the subject of ImageMagick, this article by @loadlow and @alexisdanizan covers interesting techniques to exploit it and obtain arbitrary file read and write. It focuses on the latest version available in the Debian Buster repositories, which is a legacy version.
The exploitation vectors mentioned are worth remembering the next time you’re testing a file upload functionality.
4. Conference of the week
NorthSec 2021 Conference Day 1, Day 2, Schedule & Introduction to fuzzing, especially: You are not an idiot & Slides
There are so many interesting talks in this NorthSec edition, on all kinds of topics: GraphQL hacking, repo jacking, request smuggling, burnout, crypto best practices and many more.
@angealbertini’s keynote in particular is of high relevance to hackers. It touches on difficulties a lot of us in InfoSec face, including failure, burnout, imposter syndrome, manipulation, suicide… and how to protect ourselves.
5. Resource of the week
Mobile Nuclei Templates
Did you know Nuclei can also be used for mobile app tests? Its File requests feature allows you to check local files using matchers and extractors. This makes it usable for finding dangerous patterns in mobile apps.
This repository provides good examples to get started with this type of scan.
Other amazing things we stumbled upon this week
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- ReServ: A set of simple servers (currently HTTP/HTTPS and DNS) which allow configurable and scriptable responses to network requests
- bnew: A more performant implementation of @TomNomNom’s anew utility
- getAllParams.py: Burp extension that parses an already crawled sitemap to build a custom parameter list
- macOCR: Get any text on your screen into your clipboard
- UserWritableLocations.ps1 & Intro: A PowerShell script for finding writable folders and hijackable DLLs
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
A warm welcome to @hacksplained who joined Intigriti this week! 🎉
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!