Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 31 to June 7.
Our favorite 5 hacking items
1. Conference of the week
Unexpected Execution: Wild Ways Code Execution can Occur in Python & Repo
In this talk, Graham Bleaney and Ibrahim Mohamed show several functions that enable Remote Code Execution in Python other that the standard eval and exec libraries. This is so insightful for anyone interested in RCE, SSTI or Deserialization vulnerabilities in Python apps.
2. Writeup of the week
XSS in the AWS Console (Amazon)
@Frichette_n found two XSS vulnerabilities in AWS Console. Like he says, the writeup has everything from XSS to CSP bypass, Client-Side template injection and memes. A great read and cool findings!
3. Resources of the week
zseano’s methodology & Other BugBountyHunter.com news
@zseano‘s methodology is freeee! It’s a 71 pages ebook where he details his own methodology for bug hunting, including tools and all the questions he asks himself at each step that allow him to find vulnerabilities that most people miss.
@dee__see‘s NotKeyHacks is such a great idea! It’s the opposite of KeyHacks, so a collection of tokens that look sensitive but are not. Next time you intent to report hardcoded tokens or API keys, make sure to check if they appear in this repo.
4. Tools of the week
XSS Hunter Express
page-fetch & What is a Prototype Pollution vulnerability and how does page-fetch help?
If you want a self-hosted version of XSS Hunter to test for Blind XSS, this is it! @IAmMandatory re-wrote the tool to make it easy to install and maintain thanks to Docker and Let’s Encrypt certificates.
page-fetch is @TomNomNom‘s latest open source tool that helps test for client-side bugs like Prototype pollution. It comes with a detailed tutorial on this vulnerability class, how it works and how page-fetch helps detect it.
5. Tutorial of the week
ASP.NET Cryptography for Pentesters & Cheatsheet
This tutorial by @paulmmueller covers the practical exploitation of ASP.NET cryptography, with a cheatsheet for pentesters. This could be an invaluable resource when you’re testing an ASP.NET app for the first time.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Awesome! It looks good, @sumgr0, and is very well deserved!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!