By Anna Hammond
July 14, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 5 to 12.
ppmap
WILSON Cloud Respwnder & Intro
ppmap is a Go scanner to test for XSS via prototype pollution using known gadgets and existing research. Being 100% automated, it is a handy way to test for those low-hanging prototype pollution bugs.
WILSON Cloud Respwnder is an alternative to Burp Collaborator and Interactsh by @honoki. Why another tool? Because it lets you keep receiving OOB requests for a long time (no need to keep Burp or an Interactsh session open). It can send notifications to Slack or Discord, block-list domains from notifications and serve custom files.
If only it was named AlorsOnDNS!
Credential stuffing in Bug bounty hunting ($8,300)
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer
It is interesting to see credential stuffing (usually more associated with pentest/red teaming) leveraged for bug bounties. @Krevetk0Valeriy shares how they did it and managed to score several bounties.
The second writeup is about exploiting a third-party app analytics platform. By overwriting shortlinks, it was possible to serve malicious apps to thousands of users. As usual, a very insightful writeup by @samwcyo.
SQHell & ep02 CTF TEARDOWN SQHELL on TryHackMe
SQHell is a free TryHackMe room by @adamtlangley. It covers 5 types of SQL injection, including nested SQL injection (SQL inception), which is interesting to practice. If stuck, check out the hour-long video walkthrough by the challenge’s author himself.
Hacker Tools – CyberChef & Blog post
Hacker Heroes #4 – @real_bitmap (Interview)
I love listening to interviews when I am walking outside, so this new Hacker Heroes series by @PascalSec comes at a perfect time.
If I’m in the mood for more technical content, @PinkDraconian’s byte-sized tutorials (both blog posts and this new video format) always teach me something new.
Great job and not just because we’re colleagues!
Did you know that XML elements are a good place to test for SQL injection? It’s worth remembering especially in cases where all your XXE attempts are failing.
Interview With @Base_64: 19 Y/o | ~7000 Rep On Hackerone | Methodology, Mindset, Life & More…
What is a Browser Security Sandbox?! (Learn to Hack Firefox)
$20,000 RCE in GitLab via 0day in exiftool metadata processing library CVE-2021-22204
REvil’s Clever Crypto – Microsoft Fails to Patch PrintNightmare & Sodinokibi Malware’s Crypto Design
Two One-liners for Quick ColdFusion Static Analysis Security Testing #CodeReview
Hacking Rendertron and Puppeteer— What to expect if you put a browser on the internet
Long passwords don’t cause denial of service when using proper hash functions
Full Stack Web Attack 2021 :: Zero Day Give Away (CVE-2021-28169)
So many different techniques to learn here! [CTF walkthrough]
SQL Injection – Lab #15 Blind SQL injection with out-of-band interaction
CVE-2021-28474: Sharepoint Remote Code Execution Via Server-side Control Interpretation Conflict #Web
Solarwinds Serv-U 15.2.3 Share URL XSS (CVE-2021-32604) #Web
Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587) #Web
CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities & Metasploit PoC #RCE
Windows Defender Antivirus SYSTEM RCE #MemoryCorruption
Old dog, same tricks #Network #RCE
UDP Technology IP Camera vulnerabilities #IoT #RCE
FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com (GitLab, $6,000)
Stored XSS via Mermaid Prototype Pollution vulnerability (GitLab, $3,000)
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! (Shopify, $2,900)
See more writeups on The list of bug bounty writeups.
AioResolver: Fast DNS resolver
JiraScan: A simple remote scanner for Atlassian Jira
roboXtractor: Extract endpoints marked as disallow in robots files to generate wordlists
UserEnumTeams: User enumeration with Microsoft Teams API
TokenTactics: Azure JWT Token Manipulation Toolset
rfc.fyi: Browseable, searchable RFC index
Filesec.io & Intro: A catalog of the latest file extensions being used by attackers
@0xAwali’s methodologies for testing File upload & Login
Vuldroid: An intentionally Vulnerable Android Application
Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly & InlineExecute-Assembly
Bypassing macOS TCC User Privacy Protections By Accident and Design
Ransomwhere project wants to create a database of past ransomware payments
Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards
Firefox becomes latest browser to support Fetch Metadata request headers
Chinese government lays out new vulnerability disclosure rules
Tool updates
Upcoming events
You’re killing it! Congratulations @isira_adithya 🔥
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!