Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 14 to 17.
Our favorite 5 hacking items
1. Webinar of the week
Attacking GraphQL’s Autocorrect – null Ahmedabad Meet
As part of the null Ahmedabad June Meet, @s0md3v presented a new attack vector against GraphQL. It leverages GraphQL’s Autocorrect to reverse engineer GraphQL schemas when introspection is disabled.
The tool that automates the attack, Tide, isn’t public yet but will hopefully be released soon.
2. Writeups of the week
Why dynamic code loading could be dangerous for your apps: a Google example (Google)
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It (Apple, $18,000)
The first writeup demonstrates why it is a bad idea for Android apps to load code dynamically: it enables escalating Intent Redirection vulnerabilities into arbitrary code execution, with the example of a vulnerable Google app. This prompted Google to issue a warning for developers about apps that contain Intent Redirection.
Another interesting writeup this week is an iCloud account takeover by @LaxmanMuthiyah. By combining a race condition, a 2FA bypass and a rate-limiting bypass, it was possible to change the password of any Apple ID knowing only its phone number.
3. Resource of the week
Lightning Components: A Treatise on Apex Security from an External Perspective & AppOmni Labs learning environment
@ConspiracyProof dives deep into the security of Apex (Salesforce’s proprietary programming language), how to audit Lightning Components and how to find common vulnerabilities like SOQL injection. Interestingly, the methodology outlined here is what led to most of his bug bounty findings.
4. Tutorial of the week
iOS App Testing Through Burp on Corellium
This is one of the most comprehensive tutorials I’ve seen on the topic. It answers questions like why you need a physical device if you’re a bug hunter, how to set up Burp, jailbreak, bypass certificate pinning, decrypt apps, set up a Corellium instance, etc. Great work by @defparam!
5. Video of the week
Understand Security Risk vs. Security Vulnerability!
This is a must-watch for bug hunters. @LiveOverflow explains the difference between a security risk and a security vulnerability. This will clear up why open redirects are not accepted by many bug bounty programs, and why some reported “vulnerabilities” are fixed despite being rejected.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- goverview: Get an overview of a list of URLs
- ZDNS: Fast CLI DNS lookup tool
- hakrevshell: A tool for easily generating reverse/bind shells over TCP/UDP on your system
- namemash.py: Creates a username list for brute-force attacks
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
Beautiful, well done @iqimpz!
See this cool poster @Zwoltopia makes only for our 1337 hackers? If you want one too, you have 7 days left to try and get into our quarterly leaderboard!
Also if you have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love to hear from you!