Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from August 30 to September 6.
Our favorite 5 hacking items
1. Vulnerabilities of the week
CVE-2021-26084 Remote Code Execution on Confluence Servers
CVE 2021-26084 is an OGNL injection on Confluence servers that leads to unauthenticated RCE. A few days after the vender advisory was published, @iamnoooob and @rootxharsh reversed the patch and published this excellent writeup/PoC.
The vulnerability is already being exploited en-masse, was successfully exploited on Jenkins, has a Nuclei template, a WAF bypass, and a root cause that goes back to 2020.
The other vulnerability that is making headlines is an RCE in GhostScript 9.50. @emil_lerner discovered it on several bug bounty programs and demonstrated the vulnerability at ZeroNights X. Then @ducnt_ published a PoC.
2. Writeups of the week
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers (Facebook, $126,000)
SSRF in PDF export with PhantomJs
Anyone who thinks there are no bugs left to be found on bug bounty programs should just @Samm0uda‘s writeups. The latest one is about three account takeovers he discovered on Facebook. Amazing findings and writeup!
The second writeup is about an SSRF found in a PDF export feature that used PhantomJs. Interestingly, LFI payloads were blocked so @xhzeem used an XHR request to read files.
3. Tools of the week
RepeaterSearch & BurpSuiteAutoRepeaterNaming
@s0md3v‘s json2paths implements a cool idea by @imranparray101. It collects JSON keys from JSON responses in Burp’s history, and uses them to create a wordlist of URL paths. This is a nice Python tool that can help find hidden API endpoints.
The other tools are new Burp extensions by @_StaticFlow_. RepeaterSearch adds a search bar to the Repeater tab. BurpSuiteAutoRepeaterNaming replaces repeater tab names with the URL path of the repeater request (instead of incremental numbers). So, both extensions can be useful if you find yourself opening dozens of Repeater tabs and in need of a way to manage them better.
4. Conferences of the week
Make JDBC Attacks Brilliant Again
Weird proxies/2 and a bit of magic (in Russian) & Slides
The first talk is about @pyn3rd and Chen Hongkun’s latest research on JDBC attacks. They share new ways of exploiting JDBC including XXE, RCE, and vulnerabilities they found in Weblogic, Spring Boot H2 console, JBoss/Wildfly, Apache Druid and many others.
The second talk is a follow-up to @antyurin‘s research on reverse proxy related attacks. The talk is sadly in Russian but the slides and updates to the Weird Proxies are in English and full of new tricks for poking at reverse proxies.
5. Resource of the week
Who doesn’t like a well-curated wordlist for Web fuzzing? @SamuelAnttila‘s Samlists is a wordlist of ~47K parameter names collected from CommonCrawl data. It is based on recent data, uses several techniques to remove unuseful parameters and is sorted based on the likelihood of occurence.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- dnstake: A fast tool to check missing hosted DNS zones that can lead to subdomain takeover
- iHide & Intro: A utility for hiding jailbreak from iOS applications
- ghidra2frida & Intro: The new bridge between Ghidra and Frida
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates