Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 20 to 27.
Our favorite 5 hacking items
1. Tutorial of the week
How Secure Are Your Universally Unique IDentifiers (UUIDs)? & extract-uuid-infos
UUIDv1 Sandwich Attacks aren’t new but I’m just discovering them thanks to @0xLupin. This led me to an excellent article by @VerSprite on UUID versions and their security implications. Also, @righettod has a PIPER script to automate the detection of UUIDs and extract info based on their version (all within Burp).
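To make the version distinction concrete, here is an added example (not @righettod’s PIPER script and not code from the VerSprite article) that classifies a UUID and, for version 1, reads back the fields that make it guessable: the 100 ns timestamp, the clock sequence and the node id. It also builds a v1 UUID from explicit fields so the layout is visible and the round-trip can be checked without depending on the system clock, and it sizes the window between two v1 values from the same generator, which is what makes a sandwich attack feasible. Only the standard library is used; the node id and timestamp in the demo are constructed sample values.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUIDv1 timestamps count 100 ns ticks since the Gregorian reform date (RFC 4122).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def describe_uuid(value):
    """Classify a UUID string and, for version 1, pull out the fields that make
    it guessable: generation time, clock sequence and node (usually a MAC)."""
    u = uuid.UUID(value)
    info = {"uuid": str(u), "variant": u.variant, "version": u.version}
    if u.version == 1:
        # u.time is the 60-bit tick count; convert it back to a UTC datetime.
        info["timestamp"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
        info["clock_seq"] = u.clock_seq
        info["node"] = u.node
        # A set multicast bit means the node was random rather than a real MAC.
        info["node_is_random"] = bool(u.node & (1 << 40))
        info["predictable"] = True
    elif u.version == 4:
        info["predictable"] = False  # 122 random bits, nothing to narrow down
    else:
        info["predictable"] = None   # v3/v5 (hashes) or non-RFC variants: review manually
    return info


def make_v1_uuid(ts, node, clock_seq):
    """Build a v1 UUID from explicit fields (shows the layout and lets
    describe_uuid be round-tripped without depending on the current clock)."""
    delta = ts - UUID_EPOCH
    # Integer arithmetic only: the tick count exceeds float precision.
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    fields = (
        ticks & 0xFFFFFFFF,                       # time_low
        (ticks >> 32) & 0xFFFF,                   # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),     # time_hi + version nibble 1
        0x80 | ((clock_seq >> 8) & 0x3F),         # clock_seq_hi + RFC 4122 variant
        clock_seq & 0xFF,                         # clock_seq_low
        node,                                     # 48-bit node id
    )
    return uuid.UUID(fields=fields)


def sandwich_window(first, second):
    """Size of the guessing window between two v1 UUIDs from the same generator:
    the number of 100 ns ticks separating them. None if they are not comparable."""
    a, b = uuid.UUID(first), uuid.UUID(second)
    if a.version != 1 or b.version != 1:
        return None
    if (a.node, a.clock_seq) != (b.node, b.clock_seq):
        return None  # different generator or clock reset: the window is not bounded
    return abs(b.time - a.time)


if __name__ == "__main__":
    # Constructed sample: a v1 UUID for a known time and a made-up node id.
    sample = make_v1_uuid(datetime(2021, 9, 27, 12, 0, tzinfo=timezone.utc),
                          0x001122334455, 0x1234)
    for key, val in describe_uuid(str(sample)).items():
        print(f"{key:>15}: {val}")
```

When auditing an application, any identifier that `describe_uuid` reports as version 1 deserves a closer look: two such values issued seconds apart from the same host bound the third one to a window of a few tens of millions of ticks, which is why v1 should not be used for password-reset tokens or similar secrets.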
2. Writeups of the week
Autodiscovering the Great Leak (Microsoft)
“A tale of making internet pollution free” – Exploiting Client-Side Prototype Pollution in the wild (Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others)
@0xAmit discovered that the Microsoft Autodiscover protocol used by Exchange leaks Windows domain credentials to autodiscover.[tld] domains. Some of these domains were available to purchase. By registering them, Amit received hundreds of thousands of domain credentials…
Another amazing piece of research is about prototype pollution at scale. A team of researchers scanned vulnerability disclosure programs looking for prototype pollution vulnerabilities, trying to find script gadgets for XSS. They found 18 vulnerable libraries, reported 80 bugs, and share lots of details on the methodology and tools they used.
3. Videos of the week
How To Search For DOM-Based XSS!
How to Create a Better Infosec Resume (with @jhaddix)!
The first video is for anyone who struggles with this vulnerability type: it walks through all the steps needed to detect and exploit it.
The second video is for anyone in InfoSec who wants to create or improve their resume. @NahamSec and @Jhaddix talk about the dos and don’ts, demonstrate the creation of a resume for a fake persona, then review some resumes sent by viewers.
4. Article / Tools of the week
SecurityTrails x Amass ReconMaster contest
@yougina came ninth in SecurityTrails’s Recon Master contest and shares how they did it. It is interesting to see that no intricate or obscure recon tools or techniques were used. It’s all about how well-known tools were chained together, with custom scripts to overcome memory and storage space limitations.
5. Tip of the week
How to send remote VPS requests to your local BURP using SSH
Some of you may already know how to do this. For those who don’t, this is good to know in case you need to run tools on your VPS and proxy the traffic through your local Burp.
The solution shared by @bsysop is simply to run the following locally:
ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N
Then use http://127.0.0.1:8080 as a proxy when running tools on the VPS, e.g.:
curl -k https://example.com -x http://127.0.0.1:8080
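As an added example (not @bsysop’s tip verbatim, and not part of this issue), the script below builds a slightly more defensive version of that ssh command and checks, from `ss -ltn` output on the VPS, that the forwarded port is bound to loopback only. The reason for the check: if the remote end is bound to 0.0.0.0 (GatewayPorts enabled, or a wildcard bind address), anyone who can reach the VPS can also reach the Burp instance on your laptop through the tunnel. The user name `pentester`, the host `vps.example` and the `ss` output are constructed placeholders.

```python
import shlex

# Constructed sample of `ss -ltn` output on the VPS after the reverse tunnel is up.
# Port 8080 is bound to loopback only, which is the intended state.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     [::1]:8080          [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def tunnel_command(vps_host, user="pentester", port=8080):
    """argv for the reverse tunnel. Compared with the bare `ssh -R 8080:...` form it
    binds the remote end to 127.0.0.1 explicitly, exits instead of silently running
    without the forward, and keeps the session alive behind NAT."""
    return [
        "ssh", "-f", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-R", f"127.0.0.1:{port}:127.0.0.1:{port}",
        f"{user}@{vps_host}",
    ]


def parse_listeners(ss_output):
    """Parse `ss -ltn` output into (address, port) pairs, ignoring the header."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def check_forwarded_port(ss_output, port=8080):
    """'ok' if the forwarded port listens on loopback only, 'exposed' if any
    listener for it sits on a non-loopback address (which would let anyone who
    reaches the VPS use your local Burp), 'missing' if the forward is not up."""
    binds = [addr for addr, p in parse_listeners(ss_output) if p == port]
    if not binds:
        return "missing"
    if all(addr in LOOPBACK for addr in binds):
        return "ok"
    return "exposed"


if __name__ == "__main__":
    # vps.example is a placeholder host name.
    print("run locally:", shlex.join(tunnel_command("vps.example")))
    print("forward state on VPS:", check_forwarded_port(SAMPLE_SS_OUTPUT))
```

One more practical note: the `-k` in the curl example disables certificate verification because Burp re-signs TLS traffic with its own CA. Exporting Burp’s CA certificate and trusting it on the VPS lets the tools run with verification on, so a genuinely broken certificate on a target is not hidden by the proxy setup.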
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
0-day & N-day vulnerabilities
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- fullhunt.io & Intro
- Chronos: Extract pieces of info from a web page’s Wayback Machine history
- ssh-key-confirmer: Test if a public key would theoretically be allowed on a SSH target if you had the private key
- crawlergo: A powerful browser crawler for web vulnerability scanners
- Mitra: A generator of weird files (binary polyglots, near polyglots…)
- Cariddi: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates