Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 7 to 14.
Our favorite 5 hacking items
1. Webinar of the week
How to Analyze Code for Vulnerabilities
I know a bug hunter who earned thousands of dollars in bounties by focusing on source code review on a single target. He’d ask for demos of apps and perform code review on them. I was shocked when I heard this, because at the time the black-box approach seemed to be the most common, and at first glance the target’s main asset was just a web app. This illustrates how effective code review can be.
If you want to acquire this skill, this webinar is an excellent start. @vickieli7 does an amazing job of explaining how to get started and what to focus on.
2. Writeups of the week
Exploiting outdated Apache Airflow instances ($13,000)
Bypassing 2FA using OpenID Misconfiguration
@iangcarroll discovered vulnerabilities in Apache Airflow and automated testing for them, and for an old public CVE, across bug bounty programs. The first writeup details this research and how it resulted in $13,000 in bounties.
The second writeup is a great read for anyone interested in 2FA bypass or OpenID security. @iustinBB shows an interesting OpenID misconfiguration that can be used to bypass 2FA.
3. Tutorial of the week
When I hear about escalating XSS to RCE, the first thing I think of is: it must be an XSS in an Electron app. This tutorial shows, with concrete examples, that other frameworks used for developing desktop apps also allow XSS to be escalated to RCE.
4. Conferences of the week
Improving Internet Wide Scanning with Dynamic Scanning & Active Scanning Techniques repo
WOOT 2021, especially: The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches, Slides & Paper/demo/PoC
These talks both introduce very interesting research. The first one is about several strategies for discovering assets. Some of them you might’ve heard about, but others like IPv6 scanning are less known.
The second talk shows how the Cache API can be exploited to elevate the impact of vulnerabilities like XSS, allowing for a new class of attacks.
5. Resource of the week
Subdomain Enumeration Guide
This is a cool GitBook on subdomain enumeration. With the growing number of tools and techniques being published, it’s nice to have this reference that sums up the most commonly used ones.
It’s also a good introduction for anyone just starting out.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them (Facebook, $30,000)
- GitLab Arbitrary File Read & Write through Kroki – CVE-2021-22203 (GitLab, $5,600)
- Two weeks of securing Samsung devices: Part 1 (Samsung, $20,690)
- Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs (Microsoft)
- Attacker can obtain write access to any federated share/public link (Nextcloud, $4,000)
- Hackerone is not properly deleting user id (HackerOne, $2,500)
See more writeups on The list of bug bounty writeups.
- mobsfscan: A static analysis tool that can find insecure code patterns in your Android and iOS source code
- Burpa: Burp Automator – A Burp Suite automation tool. It provides a high-level CLI and Python interfaces to the Burp Suite scanner and can be used to set up Dynamic Application Security Testing (DAST)
- purl: A Go script to proxy URLs from stdin through any HTTP proxy tool very quickly for analysis
- showSSID: Python tool that generates continuous probe requests to identify hidden SSIDs
- SMERSH: A pentest oriented collaborative tool used to track the progress of your company’s missions
- StandIn: Small .NET35/45 AD post-exploitation toolkit
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Woohooo! Amazing, enjoy your ride @dewcode91!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!