Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 27 to October 4.
Our favorite 5 hacking items
1. Video of the week
Bug Bounty | $2000 for SSRF bypass using DNS rebinding & Lab
If you want to practice SSRF or DNS rebinding attacks, this is a great resource. “Leet Cipher” shares details of an SSRF bypass via DNS rebinding found in a bug bounty program. The lab provided reproduces the issue and is easy to deploy using Docker. Make sure to try first before watching the solution!
2. Writeups of the week
Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings
The first writeup is about an ingenious attack chain involving XSLT and XXE that @_tint0 discovered in PingFederate. Pwning this popular SSO product led to critical information disclosure bugs on many programs and to bounties from Netflix, PayPal, Ping, etc.
The second writeup, by @Ankorik and @__mn1__, describes (among other vulnerabilities) an interesting RCE via the password field of the login form in Cisco HyperFlex.
3. Tip of the week
“Sesh Gremlin” attack
@SlandailLtd shared an interesting excerpt from a pentest report on what they call a “Sesh Gremlin” attack. The idea is to watch every endpoint that returns a session cookie, then re-use each cookie collected to try to access authenticated areas.
4. Resource of the week
Burp Suite documentation
The official Burp documentation was recently updated and is worth a look. It includes extensive details on general Burp usage, all of its features (including advanced ones you may not know about), how to use the tool for penetration testing or mobile testing, and more.
5. Conference of the week
BSides Berlin 2021
This conference includes many interesting talks on all kinds of topics, such as attacking cookie-based authentication or webinar platforms. I especially recommend the keynote by @niemand_sec. He shares some bug examples, the approach and mindset used to find them, and the types of questions he asks himself when doing research or when reading writeups.
Other amazing things we stumbled upon this week
Slides & Workshop material
Responsible(ish) disclosure writeups
0-day & N-day vulnerabilities
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Mariana Trench: Facebook’s security focused static analysis tool for Android and Java applications
- Certgraph & Intro: An open source intelligence tool to crawl the graph of certificate Alternate Names
- GitOops!: A tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls (inspired by BloodHound and Cartography)
- interactsh-web: Web Client for Interactsh
- Gowap: Wappalyzer implementation in Go
- DonPAPI: Dumping DPAPI credz remotely
- Weggli & Difference with CodeQL: A fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates