Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 25 to November 1.
Our favorite 5 hacking items
1. Resource of the week
Common Threat Matrix for CI/CD Pipeline & Attacking and Securing CI/CD Pipeline
We’ve seen some amazing writeups involving CI/DC pipelines recently. Their attack surface is large, they are trendy, and they can lead to serious suppy chain attacks which makes them a good target for attackers.
So, if you want to learn about CI/DC security (from both a defender and attacker standpoints), this new threat matrix by @rung is a great resource.
2. Writeup of the week
While testing Web apps, you might encounter strings that seem to be base64 encoded but can’t be decoded properly because they’re actually Protobuf serialized data that is encoded in Base64. Not knowing about this serialization format can make you miss critical vulnerabilities.
That’s what this writeup is all about: An excellent introduction to Protobuf, how to decode and deserialize Protobuf data, exploit this entry point for SQL injection and how to create a SQLmap tamper script to automate the process.
3. Tools of the week
CookieMonster & Intro
jolokia-exploitation-toolkit (JET) & Tutorial
CookieMonster is a Go tool/API that automates testing for vulnerabilities in stateless authentication. It supports several frameworks and helped @iangcarroll find bugs in many large bug bounty programs.
If you want to automate your testing even further and mass-scan targets, @naglinagli suggests combining it with his Cookies-extractor.
@TheLaluka released Jolokia Exploitation Toolkit, a Python tool that helps exploit exposed Jolokia endpoints. The accompanying article goes over detail on how to use it to get RCE on a Tomcat/Catalina server. This can be handy if you want to escalate an SSRF that allows to reach an internal Jolokia endpoint, to RCE.
4. Tutorial of the week
Android security checklist: WebView
This is a great tutorial on how to attack and protext WebView on Android. It includes different exploitation techniques, ways to increase the impact of attacks, and lots of details.
5. Non technical items of the week
How to Start Bug Bounties 101 & How to Make a Million in 4 Years
Creativity, Self-Doubt & Doing Remarkable Work
If you wonder how hackers like @ozgur_bbh and @s0md3v do their magic, I recommend reading these articles they wrote.
The TL;DR is there is no magic, “Just work.”. However, it is still interesting to hear what they have to say on the topic, the mindset and steps they took that made all the difference.
Other amazing things we stumbled upon this week
- Hack The Box Hacking Battlegrounds Streamed Tournament #2 – Commentated by IppSec and John Hammond
- HackerSploit: Red Team Security Series Part 1: Caldera, Reconnaissance, Luckystrike & PowerShell Empire & Part 2
Medium to advanced
- 5 Ways to Exploit a Domain Takeover Vulnerability
- Create a proxy DLL with artifact kit
- Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses
- Analyzing Java Heap Dumps via OQL queries
- What can I do with Open Redirect with OAuth?
- Defeating Android Certificate Pinning with Frida & frida-android-unpinning
- Browser, what are you doing?! Solution to October ’21 XSS Challenge
- [ECW] Red Team Challenge Write Up
- HTB: Explore (The first Android box on HTB)
- This bug doesn’t exist on x86: Exploiting an ARM-only race condition
- How to search for XXE!
- Photographer Walkthrough with S1REN
Responsible(ish) disclosure writeups
- Sitecore Experience Platform Pre-Auth RCE #Web #CodeReview
- Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD #CI/CD #Web
- Finding An Unauthenticated RCE Vulnerability In MovableType :: CVE-2021-20837/JVN#41119755 #Web #Perl #CodeReview
- 50 Shades of SolarWinds Orion (Patch Manager) Deserialization (Final Part: CVE-2021–35218) #Web
- 1,000,000 Sites Affected by OptinMonster Vulnerabilities #Web #CodeReview
- Zimbra “nginx” Local Root Exploit & Zimbra “zmslapd” Local Root Exploit. #Linux #LPE
- CVE-2021-22205: Rapid7 analysis & Nuclei template #Web (the Gitlab / Exiftool RCE thought to be unauthenticated is actually a pre-auth RCE)
- NGINX Custom Snippets CVE-2021-25742 #Kubernetes
- Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260) & Nuclei template #IoT
Bug bounty writeups
- Apple XAR – Arbitrary File Write (CVE-2021-30833) (Apple)
- A journey from XML External Entity (XXE) to NTLM hashes!
- Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS) (Atlassian)
- Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection (Apple)
- This is how i was able to Permanently Crash all Mapillary users within minutes
- Use-After-Free in Voice Control: CVE-2021-30902 Write-up (Apple)
- Image queue default key of ‘None’ and GraphQL unhandled type exception (Reddit, $500)
See more writeups on The list of bug bounty writeups.
- Web Cache Vulnerability Scanner (WCVS) & Intro: Go tool for testing for web cache poisoning
- Quiet Riot & Intro: A Scalable AWS Enumeration and Footprinting Tool
- Frogy: Subdomain enum tool
Tips & Tweets
- If you have trouble reversing Hermes bytecode in a React Native Android app, check the iOS version instead
- Some useful Burp hotkeys
- How to load an openapi.json file (based on v3 specification) into Burp & Useful converters
- Did you know you can do WHOIS lookups on IP addresses and ASN numbers, not just domain names?
- Hackvertor AMF tags
Misc. pentest & bug bounty resources
- Mobile Application Penetration Testing (TCM Academy course) ($29.99)
- Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems & Introductory video (Starting at $31.19)
- Offensive-Resources V2
- GoSecure’s Presentation Material
- XXE – XML External Entity Attack flyer
- Air pollution challenge
- Damn Vulnerable NodeJS Application
- DUNGEON – BSides Ahmedabad CTF 2021 (November 6-7)
- Bypassing ModSecurity WAF
- Attacking Azure & Azure AD, Part II
- Enumerating Services in AWS Accounts in an Anonymous and Unauthenticated Manner
- Cracking WiFi at Scale with One Simple Trick
- From Zero to Domain Admin
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates