Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 26 to August 2.
Our favorite 5 hacking items
1. Writeups of the week
Securing XML implementations across the web
Zimbra 8.8.15 – Webmail Compromise via Email
Mattermost researcher @jupenur disclosed round-trip vulnerabilities found in four XML parsers. Interestingly, they lead to authentication bypass in major SAML implementations.
The other writeup by @scannell_simon is about DOM-based stored XSS and authenticated SSRF. Chaining them increased their impact and would’ve allowed unauthenticated attackers to compromise Zimbra webmail servers.
2. Writeups² of the week
XXE Case Studies
Potential remote code execution in PyPI (pypi.org, $3,000)
The first writeup by @cinzinga_ has some interesting attack vectors for XXE, e.g. XXE via KML, proprietary, PDF and Excel files. They’re worth knowing if you like to test for XXE.
The second writeup is the continuation of @ryotkak's work on supply-chain attacks. Static analysis of PyPI's source code revealed three vulnerabilities, including RCE on pypi.org.
3. Tool of the week
hallucinate & Intro
Hallucinate allows you to inspect and manipulate TLS traffic using dynamic instrumentation. Unlike a web proxy such as Burp, it does not replace certificates, so it is particularly useful when you want to analyze an app's encrypted traffic without having to bypass certificate pinning.
4. Video of the week
DO NOT USE alert(1) for XSS & Blog post
If you use alert(1) when looking for XSS, you'll find this very informative. @LiveOverflow demonstrates why it can lead to false positives (e.g. if the XSS payload runs in a sandbox domain or iframe) and which other proofs of concept are generally better to use.
5. Resource of the week
Last Week in Security (LWiS) – 2021-08-02
Last Week in Security (LWiS) is @badsectorlabs's weekly summary of offensive security news, techniques and tools. It is similar to Bug Bytes but focuses more on the red team / internal pentest / Active Directory side. So if these are the topics you're most interested in, it is a great newsletter to follow.
I usually also include these topics in Bug Bytes, but this week in particular there have been too many noteworthy new tools and attacks. So, exceptionally, this Bug Bytes is almost entirely focused on Web / API / mobile hacking; for all the new AD and red teaming fun, please refer to LWiS.
Other amazing things we stumbled upon this week
See more writeups on The list of bug bounty writeups.
- dnsline: Tool for making it easy to collect DNS results from the CLI
- Sanity: mXSS fuzzer
- SaveBrowsingImages: Burp extension to save all browsed images to disk
- Revealin: Uncover the full name of a target on LinkedIn
- Key-Checker: Go scripts for checking API key / access token validity
- reverse-apk: Quickly analyze and reverse engineer Android applications
- plution: Prototype pollution scanner using headless Chrome
Community pick of the week
This is so inspiring! Make sure to check out @zseano’s free methodology to see how these guys did it 😎
Also tag us on social media to share your own bug hunting wins and joys, we love hearing from you!