Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 18 to 25.
Our favorite 5 hacking items
1. Tool of the week
DataExtractor is a Burp extension by @gwendallecoguic that adds passive scans to extract data from source code.
There are already other tools that do this, but this one is particularly interesting because it is easy to customize: you can ignore file extensions, and use regular expressions to skip files, extract data or exclude results.
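To make that customization concrete, here is an added example in Ruby (not the extension's own code) of the same passive-extraction logic: a set of responses is filtered by an extension list and a file-path regexp, data is pulled out with labelled regexps, and hits matching an exclusion regexp are dropped. The responses, extensions and regexps are constructed for the example and stand in for what a Burp passive scan would see.

```ruby
require "set"

# Constructed sample of in-scope responses (path => body); none of this is
# real target data.
SAMPLE_RESPONSES = {
  "/static/app.js" => <<~JS,
    const API = "/api/v1/users";
    fetch("/api/v1/session", {headers: {Authorization: "Bearer " + token}});
    const cfg = { apiKey: "EXAMPLE-api-key-0001" };
  JS
  "/static/vendor/jquery.min.js" => 'var u="/api/internal/minified";',
  "/img/logo.png" => "PNG placeholder bytes",
  "/index.html" => <<~HTML,
    <script src="https://cdn.example.com/app.js"></script>
    <svg xmlns="http://www.w3.org/2000/svg"></svg>
  HTML
}.freeze

# The four knobs described above: extensions to skip, a regexp for paths to
# skip, labelled regexps to extract, and a regexp that discards hits.
DEFAULT_CONFIG = {
  ignore_exts: %w[.png .jpg .gif .woff .css],
  ignore_file_re: %r{/vendor/|\.min\.js\z},
  extract_res: {
    "endpoint" => %r{["'](/api/[A-Za-z0-9_./-]+)["']},
    "url"      => %r{https?://[^\s"'<>]+},
    "api_key"  => /apiKey\s*:\s*["']([^"']+)["']/,
  },
  exclude_re: %r{w3\.org},
}.freeze

# A response is skipped when its extension is on the ignore list or its
# path matches the ignore regexp (vendored and minified bundles are noise).
def skip_file?(path, config)
  ext = File.extname(path).downcase
  return true if config[:ignore_exts].include?(ext)
  return true if config[:ignore_file_re] && path.match?(config[:ignore_file_re])
  false
end

# Run every extraction regexp over one body; capture group 1 is the value
# when the regexp has groups, otherwise the whole match.
def extract_from_body(body, config)
  hits = Hash.new { |h, k| h[k] = Set.new }
  config[:extract_res].each do |label, re|
    body.scan(re).each do |m|
      value = m.is_a?(Array) ? m.first : m
      next if config[:exclude_re] && value.match?(config[:exclude_re])
      hits[label] << value
    end
  end
  hits
end

# Aggregate deduplicated hits per label across all non-skipped responses.
def extract_all(responses, config = DEFAULT_CONFIG)
  results = Hash.new { |h, k| h[k] = Set.new }
  responses.each do |path, body|
    next if skip_file?(path, config)
    extract_from_body(body, config).each { |label, vals| results[label].merge(vals) }
  end
  results.transform_values { |s| s.to_a.sort }
end

if __FILE__ == $PROGRAM_NAME
  extract_all(SAMPLE_RESPONSES).each { |label, vals| puts "#{label}: #{vals.join(', ')}" }
end
```

With the sample above, the vendored bundle and the image are never scanned, the w3.org namespace URL is excluded, and the two `/api/` endpoints, the CDN URL and the placeholder key are reported.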
2. Writeups of the week
Discourse SNS webhook RCE (Discourse)
This is a great writeup by @joernchen. He exploited Discourse’s AWS notification webhook handler to obtain OS command injection. It wasn’t that simple of course! SNS messages must be signed by Amazon. Bypassing the payload’s signature involved chaining weaknesses in AWS SNS and in Ruby’s x509 parsing, and a lot of staring at the code.
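For readers who have not seen how SNS HTTP messages are signed, here is an added example in Ruby (not Discourse's code, and not the bypass from the writeup) of a minimal verifier for that scheme. The signed-string layout, the field order and the digest per SignatureVersion follow the AWS SNS documentation; the certificate-host allow-list regexp, the injected certificate fetcher and the throwaway key and self-signed certificate are assumptions so that it runs offline. The practitioner's point: the RSA check only proves the message was signed by whatever certificate you fetched, so the check on where that certificate comes from has to happen before anything is parsed.

```ruby
require "openssl"
require "uri"
require "base64"
require "json"

# Fields AWS concatenates as "Name\nValue\n" for each message type, in this
# order. Subject is only included when the message carries one.
SIGNED_FIELDS = {
  "Notification" => %w[Message MessageId Subject Timestamp TopicArn Type],
  "SubscriptionConfirmation" => %w[Message MessageId SubscribeURL Timestamp Token TopicArn Type],
  "UnsubscribeConfirmation" => %w[Message MessageId SubscribeURL Timestamp Token TopicArn Type],
}.freeze

# Assumed allow-list: only a .pem served over HTTPS from an SNS endpoint host.
CERT_HOST_RE = /\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

def valid_cert_url?(url)
  uri = URI.parse(url)
  uri.scheme == "https" && uri.host.to_s.match?(CERT_HOST_RE) && File.extname(uri.path) == ".pem"
rescue URI::InvalidURIError
  false
end

def string_to_sign(msg)
  fields = SIGNED_FIELDS.fetch(msg["Type"]) { raise ArgumentError, "unknown Type" }
  fields.map { |f|
    next nil if f == "Subject" && !msg.key?("Subject")
    "#{f}\n#{msg[f]}\n"
  }.compact.join
end

# SignatureVersion 1 is SHA1withRSA; 2 is SHA256withRSA.
def digest_for(msg)
  case msg["SignatureVersion"]
  when "1" then OpenSSL::Digest::SHA1.new
  when "2" then OpenSSL::Digest::SHA256.new
  else raise ArgumentError, "unsupported SignatureVersion"
  end
end

# cert_fetcher is injected so the example runs offline; a real handler would
# HTTPS-GET the URL, cache by URL, and also reject stale Timestamps (replay).
def verify_sns_message(msg, cert_fetcher)
  return false unless valid_cert_url?(msg["SigningCertURL"].to_s)
  cert = OpenSSL::X509::Certificate.new(cert_fetcher.call(msg["SigningCertURL"]))
  sig = Base64.strict_decode64(msg["Signature"].to_s)
  cert.public_key.verify(digest_for(msg), sig, string_to_sign(msg))
rescue OpenSSL::OpenSSLError, ArgumentError
  false
end

# --- Constructed fixture: throwaway key and self-signed cert standing in for
# Amazon's signing cert; the URL is pinned by the fetcher, not by content. ---
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse("/CN=demo-sns-signer")
  c.public_key = DEMO_KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  c.sign(DEMO_KEY, OpenSSL::Digest::SHA256.new)
end
DEMO_CERT_URL = "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-demo.pem"
DEMO_FETCHER = ->(url) { url == DEMO_CERT_URL ? DEMO_CERT.to_pem : raise("unexpected fetch #{url}") }

# Build a Notification signed with the demo key (constructed values throughout).
def demo_message(signature_version = "1")
  msg = {
    "Type" => "Notification",
    "MessageId" => "11111111-2222-3333-4444-555555555555",
    "TopicArn" => "arn:aws:sns:us-east-1:123456789012:demo-topic",
    "Message" => JSON.generate({ "bucket" => "demo", "key" => "upload.txt" }),
    "Timestamp" => "2021-10-20T12:00:00.000Z",
    "SignatureVersion" => signature_version,
    "SigningCertURL" => DEMO_CERT_URL,
  }
  msg["Signature"] = Base64.strict_encode64(DEMO_KEY.sign(digest_for(msg), string_to_sign(msg)))
  msg
end

if __FILE__ == $PROGRAM_NAME
  puts "valid: #{verify_sns_message(demo_message, DEMO_FETCHER)}"
end
```

A message whose SigningCertURL points at a host outside the allow-list (an attacker-controlled domain, or any other amazonaws.com service) is refused before the certificate is fetched or parsed, and any change to a signed field after signing fails the RSA check.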
3. Challenge of the week
Design Flaw in Security Product – ALLES! CTF 2021, @LiveOverflow’s video, & @gregxsunday’s walkthrough
@liveoverflow released this fun Web app challenge that he created for the ALLES! CTF 2021. I don’t want to spoil what the vulnerability is, so let’s just say that it involves WAF bypass and blind exploitation.
4. Resource of the week
Nuclei token-spray templates, Token Spray – Introduction to self-contained template & A Snapshot of CAST in Action: Automating API Token Testing
Have you ever found an exposed API token without knowing which service it belongs to? This happens often to the Bishop Fox CAST team. So, they created Nuclei templates to quickly check the validity of an API token against every service it might belong to.
Interestingly, these new templates are “self-contained”. This new type of Nuclei template “does not require any external information to run, such as target or input URLs.”
5. Video of the week
Katie Explains: Modern Web Development (GIVEAWAY)
This is an amazing introduction to the modern Web for bug hunters. If you want to know what today’s websites are made of, this is the most beginner-friendly video that you’ll find.
@InsiderPhD explains microservices, the OOP paradigm, the MVC model, frameworks, middleware, controllers, inheritance, etc, and what all this means in terms of bugs that you should look for.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
0-day & N-day vulnerabilities
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Go Whois: WHOIS library, CLI tool and server with restful APIs to query whois information for domains and IPs
- Fugu14 – Untethered iOS 14 Jailbreak
- ZipExec: A unique technique to execute binaries from a password-protected zip for EDR bypass
- Phishious: An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers
Misc. pentest & bug bounty resources
Bug bounty & Pentest news