Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 1 to 8.
Our favorite 5 hacking items
Driftwood & Intro
Burp PAC Server
Driftwood is the result of A-M-A-Z-I-N-G research on asymmetric private keys, by the creators of TruffleHog. Identifying if and what private keys are used for, is a problem bug hunters and pentesters might often face. Driftwood will let you know quickly if the private key is used for TLS or as a GitHub SSH key.
I highly recommend the introductory video for details on the research and inner workings of the tool.
Another very useful tool is @honoki‘s Burp PAC Server. It is a Burp extensions that generates a PAC script to use in your browser. It makes it route only traffic that matches your Burp scope to Burp. So, no more noisy requests from the browser appearing in Burp!
2. Vulnerability of the week
Trojan Source: Invisible Vulnerabilities (CVE-2021-42572) & Rapid7 analysis
“Trojan Source” attacks described in this paper rely on Unicode Bidirectional control characters. Including them inside comments makes them invisible to humans, but most compilers don’t support these characters and reorder them. This causes discrepancies in how the code is read by human reviewers and interpreted by compilers.
3. Conference of the week
OWASP Global AppSec Virtual 2020
You will love this playlist if you are interested in topics like AppSec, mass recon, OAuth, hacking APIs, mobile apps, WhatsApp, containers, code review, and crypto. I know I’m going to be busy for a while watching these.
4. Writeup of the week
Escalating XSS to Sainthood with Nagios
This is such a well written writeup! I love the “End-to-End Attack” examples that show how the different vulnerabilities can be chained to fully compromise Nagios servers. If you are a pentester, writing these sections that illustrate complete attack scenarios is a great way to convey both the technical and overall business risk to clients.
Using smart contracts to bypass front-end validation and register ENS names that contain XSS payloads
I am not into smart contract security but bugs like this are really cool. @theRaz0r found a way to register ENS (Ethereum Name Service) names with XSS, which is not allowed by the frontend on https://ens.domains. This can be bypassed using a smart contract and, makes any applications that integrate ENS vulnerable to XSS.
Other amazing things we stumbled upon this week
Slides & Workshop material
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- ghorg: Quickly clone an entire org/users repositories into one directory – Supports GitHub, GitLab, Bitbucket, and more
- smbls & Intro: A simple Impacket-based tool to check a set of credentials against many Windows hosts and get permission for SMB shares
- CredMaster & Intro : Password spraying tool that uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Tool updates