Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the period from August 2 to 23.
Our favorite 5 hacking items
1. Conference of the week
DEF CON 29 Main Stage Presentations & Media Server
Recon Village, AppSec Village & Red Team Village CTF: Day 1
There are so many amazing talks and so much new research in this DEF CON edition! So I'm only going to mention two of the most notable ones:
2. Writeups of the week
Sophos UTM Preauth RCE: A Deep Dive into CVE-2020-25223
Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
@jstnkndy came across CVE-2020-25223 in a pentest and didn’t find any public exploit. So, he reverse engineered the vulnerability’s patch to develop his own proof of concept. The writeup is very well written and explains the methodology in great detail.
The second writeup is about a 0-click RCE via heap buffer overflow found in Zoom. Thijs Alkemade & Daan Keuper demonstrated the bug during Pwn2Own and share details on this impressive and lucrative finding.
3. Webinar of the week
How to do Code Review – The Offensive Security Way
If you're interested in learning source code review to gain an edge as a bug hunter, this is a must-watch. @infosec_au shares insightful techniques for obtaining source code in the context of bug bounties, plus interesting bug examples and tips for both beginners and experienced code reviewers.
4. Video of the week
Working with HTTP/2 in Burp Suite & Blog post
Since @albinowax's talk on HTTP/2 desync attacks, Burp Suite has been updated to improve its HTTP/2 support. This video demonstrates the new features and how to use Burp to test for HTTP/2-exclusive vulnerabilities.
5. Tools of the week
Malicious PDF Generator
apk-recon.yaml, api-linkfinder.sh, Links & parameters wordlists extracted from the top 55 mobile apps
Malicious PDF Generator is a Python script that generates 10 different malicious PDF files and can point their callbacks at Burp Collaborator to catch out-of-band requests. @jonasl created it for web app testers to automate several known attacks.
The other items are a Nuclei template and a Bash script that @nullenc0de uses to extract parameters and links from APKs and API documentation, plus the wordlists he obtained by running them against the top 55 mobile apps. The regexes they use can also be tweaked if you need to dump more/different information.
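As an added illustration of the idea behind those tools (this is not @nullenc0de's template or script, and it does not reproduce their regexes), here is a small Python extractor: it scans text you have already dumped out of an APK (for example smali and `strings.xml` after decompiling) or out of an OpenAPI-style document, pulls out absolute URLs, URL paths and parameter names with regexes, and returns deduplicated, sorted lists ready to be written out as wordlists. The sample input is constructed for the example; the hostnames and endpoints in it are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: a mix of decompiled-APK strings (smali const-string,
# strings.xml) and an OpenAPI-style fragment. Not real app data.
SAMPLE = """
const-string v0, "https://api.example.com/v2/users/{id}/profile?expand=true&fields=name,email"
<string name="base_url">https://api.example.com/v1/</string>
"/internal/admin/export?format=csv&token="
paths:
  /v2/orders/{orderId}:
    get:
      parameters:
        - name: includeItems
          in: query
        - name: X-Request-Id
          in: header
callback_url=https://cb.example.com/hook?sig=abc&ts=1
"""

# Absolute http(s) URLs; stop at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")
# Quoted relative paths ("/a/b/{c}") with an optional query string.
PATH_RE = re.compile(r'''["'](/[A-Za-z0-9_\-./{}]+)(\?[^"']*)?["']''')
# OpenAPI path keys: a line that is just "/path:".
OPENAPI_PATH_RE = re.compile(r"^\s*(/[^\s:]+):\s*$", re.M)
# OpenAPI parameter entries: "- name: foo".
OPENAPI_PARAM_RE = re.compile(r"-\s*name:\s*([A-Za-z0-9_\-]+)")
# Any "?key=" / "&key=" occurrence, catches params outside full URLs too.
KV_RE = re.compile(r"[?&]([A-Za-z0-9_\-\[\]]+)=")


def extract(text):
    """Return {'links', 'paths', 'params'} as sorted, deduplicated lists."""
    links, paths, params = set(), set(), set()

    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")          # trailing punctuation from prose/JSON
        links.add(url)
        parts = urlsplit(url)
        if parts.path and parts.path != "/":
            paths.add(parts.path)
        params.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))

    for path, query in PATH_RE.findall(text):
        paths.add(path)
        if query:
            params.update(k for k, _ in parse_qsl(query.lstrip("?"),
                                                  keep_blank_values=True))

    paths.update(OPENAPI_PATH_RE.findall(text))
    params.update(OPENAPI_PARAM_RE.findall(text))
    params.update(KV_RE.findall(text))

    return {"links": sorted(links), "paths": sorted(paths), "params": sorted(params)}


if __name__ == "__main__":
    # Print one section per wordlist; redirect each to a file as needed.
    result = extract(SAMPLE)
    for kind, values in result.items():
        print(f"# {kind}")
        print("\n".join(values))
```

Point it at the output of `apktool d` (or at the raw `strings` of the APK) and at any swagger/OpenAPI JSON or YAML you find, and you get the same three buckets the wordlists above are built from. Header parameters such as `X-Request-Id` land in `params` too, which is usually what you want when the list feeds a fuzzer.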
Other amazing things we stumbled upon this week
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
0-day & N-day vulnerabilities
Bug bounty writeups
- Zoom RCE from Pwn2Own 2021 (Zoom, $200,000)
- How to Hack Apple ID (Apple, $10,000)
- Modify in-flight data to payment provider Smart2Pay (Valve, $7,500)
- A Bug’s Life: CVE-2021-21225 & Exploiting CVE-2021-21225 and disabling W^X (Google, $22,000)
- Two weeks of securing Samsung devices: Part 2 (Samsung, $18,040)
- Partial report contents leakage – via HTTP/2 concurrent stream handling (HackerOne, $2,500, related to the “Timeless timing attacks” DEF CON talk)
See more writeups on The list of bug bounty writeups.
- WARCannon: High speed/Low cost CommonCrawl RegExp in Node.js
- CAIDO: A lightweight web security auditing toolkit
- PaperChaser: A Google Drive/Docs/Sheets/Slides Enumeration Spider
- dirtywords & Intro: A targeted word list generation tool
- GoKart & Intro: A static analysis tool for securing Go code
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates