Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 4 to 11.
Our favorite 5 hacking items
1. Conference of the week
4 Weird Google VRP Bugs in 40 Minutes – Hacktivity 2021
@xdavidhu talks about four vulnerabilities he found in Google products. This is a great watch if you like weird but very creative bugs (or video over written writeups).
2. Writeup of the week
Compass Security researchers discovered a padding Oracle vulnerability in the SAML login flow of ArcGIS. They were able to decrypt an encrypted assertion, and use an XSW4 attack and the oracle to reencrypt and login as other users.
3. Vulnerability of the week
Apache advisory for CVE-2021-42013
Remember last week’s CVE-2021–41773, a zero-day path traversal in Apache HTTP Server? It turns out it is also an RCE if mod-cgi is enabled, and the fix was incomplete which led to CVE-2021-42013. Here is a meme that sums it up, a Docker Playground and a couple new PentesterLab exercises to practice, as well as a Nuclei template for CVE-2021-42013 for automation.
4. Tips of the week
Use an array to bruteforce OTP without triggering rate limiting
HTTP header bruteforce
@EnesSaltk7 shared a creative idea that allowed them to bypass email verification and could be useful in other contexts too. They replaced the code for email verification (passed via JSON post data) with an array of codes. So, it is a way of bruteforcing codes with a single request, without triggering rate limiting.
Another handy tip by @nnwakelam is to bruteforce custom HTTP headers like x-FUZZ and x-FUZZ-internal. Also, keep a look at response lengths and status codes as they may indicate that you have found valid headers.
5. Tools of the week
Ghostinthepdf is a tool that embeds GhostScript exploits into PDF files that bypass signature checks. It can be used to first detect that a target is actually using GhostScript for PDF processing, then to run exploits against it.
Also, if you haven’t seen @emil_lerner’s previous work on GhostScript, it is worth checking out to see the type of vulnerabilities that he found with this tool.
Another helpful tool is @lmpact_l‘s reFlutter, a framework for reverse enginnering Flutter apps. It can be used to repack Flutter apps and make them trust installed certificates, so you can intercept their traffic (without root).
Other amazing things we stumbled upon this week
Videos
- Automatic Vulnerability Scanner! Nuclei – Hacker Tools
- Nessus / Vulnerability scanning series by @HackerSploit
- Staying Sane in Cybersecurity – Dealing with Burnout and Stress & Accompanying blog post
- Video Essay about the Security Creator Scene
Podcasts
- Day[0]: SharePoint RCE & an Apache Path Traversal [Bounty Hunting Podcast]
- Radio Hack Ep6: Offensive Security – Mohammad Askar (in Arabic)
Webinars
- Detect complex code patterns using Semgrep
- CSAM 2021 – Secure Coding Standards : Avoiding Mistakes And Correct Them
- SANS Workshop – Reflection in C#
Conferences
Slides & Workshop material
Tutorials
Medium to advanced
- Hunting for Prototype Pollution and it’s vulnerable code on JS libraries
- AWS Access Keys – A Reference
- Never put AWS temporary credentials in the credentials file (or env vars)—there’s a better way
- Persistence Through Service Workers—part 1: Introduction And Target Application Setup & Part 2: C2 Setup And Use
- Offensive BPF
Beginners corner
- Practical strategies for exploiting FILE READ vulnerabilities
- DNS Records and Record Types: Some Commonly Used, and Some You Might Not Know About
- Testing Methodology for Insecure Deserialization Vulnerability
- GraphQL Security: The complete guide
Writeups
Challenge writeups
- SnykCon CTF – “Invisible Ink” Prototype Pollution, Sauerkraut – Python Pickle Vulnerabilities & “Random Flag Generator” Weak PRNG Seed
- CSRF – Lab #6 CSRF where token is duplicated in cookie
Pentest writeups
Responsible(ish) disclosure writeups
- Reverse engineering and decrypting CyberArk vault credential files #Crypto
- Misconfigured Airflows Leak Thousands of Credentials from Popular Services #Web
- 23andMe’s Yamale Python code injection, and properly sanitizing eval() #Web
- Swimming Upstream: Uncovering Broadcom SDK Vulnerabilities from Bug Reports. #MemoryCorruption
0-day & N-day vulnerabilities
- PHP 7.0-8.0 disable_functions bypass [user_filter]
- CVE-2019-9053
- Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2 (CVE-2021-30883) (Apple)
Bug bounty writeups
- How I got access to many PIIs through a source code leak
- Accessing Apple’s internal UAT Slackbot for fun and non-profit (Apple)
- Stumbling across a DOM XSS on google.com (Google)
- [EN] Stored XSS in the administrator’s panel due to misuse of MarkupSafe (pass Culture)
- Hacking Netflix Eureka!
- Zero-Day: Hijacking iCloud Credentials with Apple Airtags (Stored XSS) (Apple)
- CVE-2021-26420: Remote Code Execution In Sharepoint Via Workflow Compilation (Microsoft)
- Improper Validation at Partners Login (Zomato, $2,000)
See more writeups on The list of bug bounty writeups.
Tools
- vCenter SAML Login Tool & Intro: A tool to extract the IdP cert from vCenter backups and log in as Administrator
- kdigger & Intro: A context discovery tool for Kubernetes
- ReDoSHunter & Paper: A Combined Static and Dynamic Approach for Regular Expression DoS Detection
Tips & Tweets
- Use Get + Range header for fast fuzzing
- Trusted Types in jQuery
- SSTI to RCE using tplmap and requestbin
- ESI injection WAF bypass
- 403 bypass using %03 %08 %10 %83 etc
Misc. pentest & bug bounty resources
- pwny.cc & Repo
- Secure Coding Handbook & Repo
- snyk Learn
- 0xAwali’s methodology for testing Request Smuggling & Privilege escalation
- iOS Pentesting / Hacking
- weakpass_3a
- initstring/passphrase-wordlist
Challenges
- soXSS challenge
- HTB University CTF (November 19-21)
Articles
- Protect Your GitHub Actions with Semgrep
- Safe DOM manipulation with the Sanitizer API
- Is It Post Quantum Time Yet?
- Always-on Processor magic: How Find My works while iPhone is powered off
- Life is Pane: Persistence via Preview Handlers
- Abusing Weak ACL on Certificate Templates
Bug bounty & Pentest news
- Cybersecurity
- Upcoming events
- Visma Security Conference 2021 (November 11)
- Pen Test HackFest FREE Virtual Summit (November 15-16)
- Tool updates
- Burp Professional / Community 2021.9 (New asynchronous SSTI payloads amongst other things)
- BurpSuiteSharpener 1.07
- ZAP 2.11.0 (OWASP 20th anniversary release)