Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from August 2 to 23.
Intigriti News
Our favorite 5 hacking items
1. Conference of the week
DEF CON 29 Main Stage Presentations & Media Server
Recon Village, AppSec Village & Red Team Village CTF: Day 1
There are so many amazing talks and new research in this DEF CON edition! So, I’m only going to mention two of the most notable ones:
- HTTP/2: The Sequel is Always Worse by @albinowax (plus Tips on how to find a HTTP/2 playmate);
- @orange_8361‘s From Pwn2Own 2021: A New Attack Surface On Microsoft Exchange – Proxyshell! that earned him $200K at Pwn2Own 2021.
2. Writeups of the week
Sophos UTM Preauth RCE: A Deep Dive into CVE-2020-25223
Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
@jstnkndy came across CVE-2020-25223 in a pentest and didn’t find any public exploit. So, he reverse engineered the vulnerability’s patch to develop his own proof of concept. The writeup is very well written and explains the methodology in great detail.
The second writeup is about a 0-click RCE via heap buffer overflow found in Zoom. Thijs Alkemade & Daan Keuper demonstrated the bug during Pwn2Own and share details on this impressive and lucrative finding.
3. Webinar of the week
How to do Code Review – The Offensive Security Way
If you’re interested in learning source code review to get a leverage as a bug hunter, this is a must-watch. @infosec_au shares insightful techniques for obtaining source code in the context of bug bounties, plus interesting bug examples and tips for both beginners and experienced code reviewers.
4. Video of the week
Working with HTTP/2 in Burp Suite & Blog post
Since @albinowax‘s talk on HTTP/2 desync attacks, Burp Suite was updated to enhance HTTP/2 support. This video demonstrates these new changes and how to use Burp to test for HTTP/2-exclusive vulnerabilities.
5. Tools of the week
Malicious PDF Generator
apk-recon.yaml, api-linkfinder.sh, Links & parameters wordlists extracted from the top 55 mobile apps
Malicious PDF Generator is a Python script that generates 10 different malicious PDF files and supports Burp for receiving out-of-band requests. @jonasl created it for Web app testers to automate several known attacks.
The other tools are a Nuclei template and a Bash script that @nullenc0de uses to extract parameters and links from APKs and API documentation. The regexes they use can also be tweaked if you need to dump more/different information.
Other amazing things we stumbled upon this week
Videos
- Hack Chat Live at Black Hat 2021
- How to Use WPScan With ethicalhack3r
- “Game-Over For The Company” with @d0nut (Hacker Heroes #8), “I Want To Know Where The Aliens Are” with @RobinZekerNiet (Hacker Heroes #9) & “Unlimited Money To Your Account?” with @bug_dutch (Hacker Heroes #10)
- What To Do When You Have DEFCON FOMO?? :((((
- SecuriTEA & Crumpets – Episode 11 – Grant Douglas – Frida
- Interview w @SherlockSecure : Top 15 on Github \| Top 400 on BC \| Approach, Mindset & More…
- Learning to Hack in 2021: What resources should you use? & Blog post
Podcasts
Webinars
- OWASP Talk – HTTP3 Security – Robin Marx
- Ethical Hacking & System Defense (Free Ethical Hacking class by @PhillipWylie)
Conferences
- Black Hat USA 2021 & Slides
- BSides Noida : Day – 1 & Day – 2
- USENIX Security ’21 Technical Sessions, including:
- Weaponizing Middleboxes for TCP Reflected Amplification & Video
- Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web
- Abusing Hidden Properties to Attack the Node.js Ecosystem
- Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context, NO STARTTLS
- Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
Slides & Workshop material
- CyberTruckChallenge19 (Android security workshop material)
Tutorials
Medium to advanced
- Proxy managed by enterprise? No problem! Abusing PAC and the registry to get burpin’
- How does git diff –ignore-matching-lines work
- How to install Frida into an Android application
- Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit
- Knock knock, who’s there? Your new DA!
- The ultimate tag team: PetitPotam and ADCS pwnage from Linux
Beginners corner
- How to Hack APIs in 2021
- Out-of-band Application Security Testing with OWASP ZAP
- Hacker Tools: Ciphey – Automatic decryption, decoding & cracking & Hacker Tools: How to set up XSSHunter
- Blast Radius: Misconfigured Kubernetes & Blast Radius: DNS Takeovers
- Common mistakes when using permissions in Android
Writeups
Challenge writeups
- DEFCON 29 Red Team Village CTF Writeup: Supply Chain Attack
- Prototype pollution in Google Analytics?! Solution to August ’21 XSS Challenge & Written walkthrough by @WHOISbinit
- Intigriti’s PHP challenge breakdown & Intigriti’s Flask Challenge Breakdown
Pentest writeups
Responsible(ish) disclosure writeups
- Fortinet FortiPortal Vulnerability Disclosures #Web #CodeReview
- (Authenticated) Remote Code Execution Possible in Pi-Hole Web Interface 5.5
- SSD Advisory – IP-Board Stored XSS to RCE Chain #Web
- Razer mouse + Physical access = Local admin on Windows 10 & PoC
- Don’t shoot the emissary #CodeReview #Web
- elFinder – A Case Study of Web File Manager Vulnerabilities #CodeReview #Web
0-day & N-day vulnerabilities
Bug bounty writeups
- Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
- How to Hack Apple ID (Apple, $10,000)
- Modify in-flight data to payment provider Smart2Pay (Valve, $7,500)
- A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X (Google, $22,000)
- Two weeks of securing Samsung devices: Part 2 (Samsung, $18,040)
- Partial report contents leakage – via HTTP/2 concurrent stream handling (HackerOne, $2,500, related to the “Timeless timing attacks” DEF CON talk)
See more writeups on The list of bug bounty writeups.
Tools
- WARCannon: High speed/Low cost CommonCrawl RegExp in Node.js
- CAIDO: A lightweight web security auditing toolkit
- PaperChaser: A Google Drive/Docs/Sheets/Slides Enumeration Spider
- dirtywords & Intro: A targeted word list generation tool
- GoKart & Intro: A static analysis tool for securing Go code
Tips & Tweets
- Using Autorepeater to automate testing for SSRF
- Outputting a specific part of a match in grep
- HTTP Parameter Pollution in PHP
- OpenID Connect / OAuth 2.0 “claims” hack
Misc. pentest & bug bounty resources
- OWASP Mobile Security Testing Guide (MSTG) v1.2
- SecurityGOAT
- Auto_Wordlists
- 31 Tips — Advanced Bug Bounty & Pentesting
Challenges
- screenshotter (web) & Video walkthrough
- Kontra AWS Top 10
- TyphoonCon CTF 2021: The impossible Chrome challenge
- SQL Injection – Challenge 1: NahamSec inspired (by BugHuntr.io)
Articles
- Find real website ip bruteforcing ipv4 ranges & real_ip_discover
- Mitigation schmitigation: Control HttpOnly cookies through XSS
- Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication
- Phishing for NetNTLM Hashes
- 1Password Secret Retrieval — Methodology and Implementation & 1PasswordSuite
- Oh, Behave! Figuring Out User Behavior
Bug bounty & Pentest news
- Bug bounty
- Cybersecurity
- Upcoming events
- OWASP Nagpur Meetup #12 (Virtual) featuring @codingo_ (August 28)
- BSides Berlin 2021 (August 28)
- Tool updates
- reNgine 1.0
- Interactsh v0.0.4 (Added authentication for self-hosted instances)
- Axiom controllers now support Docker
- Turbo Intruder introduced decorators for ffuf-like response matching/filtering
