Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 6 to 13.
Our favorite 5 hacking items
1. Resource of the week
Web Application Security Roadmap
The number of resources for hackers and skills to learn can be intimidating. This roadmap created by @HolyBugx compiles interesting resources and books for all levels. Most importantly, they are divided into tiers which helps choose what to focus on without getting overwhelmed.
2. Writeups of the week
Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
Hacking CloudKit – How I accidentally deleted your Apple Shortcuts (Apple, $64,000)
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (Microsoft)
GitHub Actions check-spelling community workflow – GITHUB_TOKEN leakage via advice.txt symlink (GitHub)
The first writeup is about an integer overflow in HAProxy that was exploited to enable request smuggling, an interesting crossover of different types of vulnerabilities.
The second writeup is @fransrosen's story of hacking Apple, which clarifies why Apple Shortcuts broke back in March…
Next is a writeup on Azure Container Instances. @yuval_avrahami found a cross-account container takeover that could’ve allowed a malicious Azure user to attack other customers.
Another interesting finding is a vulnerability in GitHub Actions. @justinsteven found a way to leak GITHUB_TOKEN API keys and introduce malicious code to Microsoft, NASA, PowerDNS and Jekyll repos.
3. Vulnerability of the week
CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability
CVE-2021-40444 is an RCE in Microsoft MSHTML (the Internet Explorer browser engine). It is triggered simply by opening a malicious Microsoft Office document (without macros) and was discovered as a zero-day actually being exploited in the wild.
Here are a few resources if you want to know more:
4. Non technical item of the week
Obsidian, Taming A Collective Consciousness
This is an excellent post on the knowledge management system used by TrustedSec’s red team. The article details how they leverage Obsidian and the Zettelkasten method for efficient note-taking as a team.
5. Article of the week
Introduction to OWASP Top 10 2021 & Intigriti’s insights on it
The draft OWASP Top 10 2021 is out. Among other changes, injection lost its first place for the first time since 2007 and SSRF made it to the list. Also, some vulnerabilities were included in broader categories, for instance XSS is now in the “Injection” category, XXE in “Security Misconfiguration”, etc.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- cspp-tools: Client-Side Prototype Pollution Tools
- Apkeep: CLI for downloading APK files from various sources
- Lazydroid: Bash script to facilitate some aspects of an Android application assessment
- gcpHound: A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP)
- htmlq: Like jq, but for HTML
- WWWGrep: A rapid search “grepping” mechanism that examines HTML elements by type
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates