Bug Bytes #144 – Bug hunting on the modern Web, Token spraying & Discourse RCE

By Anna Hammond

October 27, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from October 18 to 25.

Intigriti news

Intigriti’s October XSS challenge By @0xTib3rius

Our favorite 5 hacking items

1. Tool of the week

DataExtractor

DataExtractor is a Burp extension by @gwendallecoguic that adds passive scans to extract data from source code.
There are already other tools that do the same thing, but this one is particularly interesting because it is easily customizable. It lets you ignore file extensions and use regular expressions to ignore files, extract data or exclude results.

2. Writeups of the week

Discourse SNS webhook RCE (Discourse)

This is a great writeup by @joernchen. He exploited Discourse’s AWS notification webhook handler to obtain OS command injection. It wasn’t that simple of course! SNS messages must be signed by Amazon. Bypassing the payload’s signature involved chaining weaknesses in AWS SNS and in Ruby’s X.509 parsing, and a lot of staring at the code.

3. Challenge of the week

Design Flaw in Security Product – ALLES! CTF 2021, @LiveOverflow’s video, & @gregxsunday’s walkthrough

@liveoverflow released this fun Web app challenge that he created for the ALLES! CTF 2021. I don’t want to spoil what the vulnerability is, so let’s just say that it involves WAF bypass and blind exploitation.

4. Resource of the week

Nuclei token-spray templates, Token Spray – Introduction to self-contained template & A Snapshot of CAST in Action: Automating API Token Testing

Have you ever found an exposed API token without knowing for which service it is intended? This happens often to the Bishop Fox CAST team. So, they created Nuclei templates to quickly check the validity of an API token against all possible services.
Interestingly, these new templates are “self-contained”. This new type of Nuclei template “does not require any external information to run, such as target or input URLs.”

5. Video of the week

Katie Explains: Modern Web Development (GIVEAWAY)

This is an amazing introduction to the modern Web for bug hunters. If you want to know what today’s websites are made of, this is the most beginner friendly video that you’ll find.
@InsiderPhD explains microservices, the OOP paradigm, the MVC model, frameworks, middleware, controllers, inheritance, etc., and what all this means in terms of the bugs you should look for.


Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Go Whois: WHOIS library, CLI tool and server with restful APIs to query whois information for domains and IPs

  • Fugu14 – Untethered iOS 14 Jailbreak

  • ZipExec: A unique technique to execute binaries from a password protected zip for EDR bypass

  • Phishious: An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news
