Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 28 to July 5.
Our favorite 5 hacking items
1. News of the week
Trusted Types – mid 2021 report
alert() is dead, long live print()
Google is waging war against XSS with Trusted Types and soon disabling alert for cross-domain iframes in Chrome. If you’re wondering whether XSS (especially DOM XSS) and alert() are dead, these resources will provide some insightful answers.
2. Tool of the week
Introducing DOM Invader: DOM XSS just got a whole lot easier to find
DOM Invader is a new Burp tool implemented as an extension to the embedded browser. Until Trusted Types are adopted everywhere, DOM XSS is still an issue and this extension will make it much easier to test for it.
3. Writeups of the week
Taking over Uber accounts through voicemail
Kaspersky Password Manager: All your passwords are belong to us
Fail2exploit: a security audit of Fail2ban
@assetnote disclosed a creative Uber account takeover. In short, when signing into the app, they force the OTP to be sent to voicemail, which can be compromised in several ways to retrieve the OTP. Even though the report was closed as informative, it is a cool finding and an informative writeup.
The second writeup is about Kaspersky Password Manager using a weak password generator. Jean-Baptiste Bédrune found several issues in it, chiefly that its PRNG used the current time as its only source of entropy. This meant all passwords could be brute-forced in seconds!
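To make the entropy argument concrete, here is an added toy example (not Kaspersky's code and not from the writeup) that seeds Python's non-cryptographic PRNG with a creation timestamp in seconds: the effective keyspace collapses to the number of seconds in the plausible creation window, whereas a CSPRNG-based generator draws its randomness from the OS. The alphabet, length and window are assumptions chosen for illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed)
LENGTH = 12                                      # assumed password length


def weak_generate(seed_seconds: int, length: int = LENGTH) -> str:
    """Toy generator seeded only with a timestamp in seconds.

    Constructed to illustrate the flaw: given the seed, the password is
    fully determined, so the timestamp is the only secret.
    """
    rng = random.Random(seed_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, window_start: int, window_end: int):
    """Defender's check: regenerate for every second in the window.

    If this returns quickly, the generator offers no real entropy.
    """
    for candidate in range(window_start, window_end + 1):
        if weak_generate(candidate, len(password)) == password:
            return candidate
    return None


def strong_generate(length: int = LENGTH) -> str:
    """Correct approach: a CSPRNG (os.urandom under the hood) per symbol."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def time_seeded_bits(window_seconds: int) -> float:
    """Effective entropy when the creation second is the only secret."""
    return math.log2(window_seconds)


def charset_bits(length: int = LENGTH) -> float:
    """Entropy a uniformly random password of this length actually has."""
    return length * math.log2(len(ALPHABET))
```

For a one-year creation window the time-seeded generator yields under 25 bits, against more than 71 bits for a uniformly random 12-character password over the same alphabet.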
The third writeup isn’t about a successful hack but about pentesting an open source project and not finding anything. Despite the lack of vulnerabilities, it is an insightful dive into fail2ban’s security and how to approach such a pentest.
@kevin_backhouse shows his methodology from identifying the attack surface to auditing the code and testing for different vulnerabilities.
4. Video of the week
Live Recon on Rockstar Games With @zseano
In this Live Recon session, @zseano shares with @NahamSec his bug hunting workflow and many tips including how he uses Burp.
If you are into Web application security testing, this is a goldmine of information. It’s like watching over a bug hunter’s shoulder to see how they do their magic.
5. Resource of the week
The extended BApp store & Intro
The BApp Store is great for finding Burp extensions but it lacks some features like a search functionality or knowing when an extension’s original repo has updates not yet merged into the BApp Store.
To solve these issues, @BurpSuiteGuide came up with this brilliant site. It allows you to quickly search extensions (including the open source ones that are not yet on the BApp Store), supports tags, and tells you which extensions are deprecated or have updates.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
- PrintNightmare / CVE-2021-34527 (originally thought to be CVE-2021-1675)
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Fleex: Go tool that allows you to create multiple VPS on cloud providers (Linode & DigitalOcean) and use them to distribute your workload
- hashit: Small bash script that encodes piped input so it can be passed on to other tools
- Gotator: A Go tool to generate DNS wordlists through permutations
- Trello_dorker: Google dorker via Serpapi to find exposed Trello boards
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
That’s how you do it! Congratulations @bug_dutch, we’re happy for you too 👏
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!