Bug Bounty & Agile Pentesting Platform

Bug Bytes #147 – From won’t fix to $100k+ bounties, HTTP Header Smuggling & ChaosDB

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from November 8 to 15.

Intigriti news

Our favorite 5 hacking items

1. Article of the week

Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond & Slides + Whitepaper

Daniel Thatcher presented a new technique called “HTTP header smuggling” at Black Hat Europe 2021.
Basically, it is about attacking chains of servers and smuggling headers that will be hidden to some servers in the chain and visible to others.
This can lead to HTTP request smuggling, cache poisoning or IP restriction bypass (by leveraging a weakness in the AWS API Gateway).
As part of this research, Daniel released a Param Miner fork. However note that it was merged into the master branch.

2. Whitepaper of the week

T-Reqs: HTTP Request Smuggling with Differential Fuzzing & T-Reqs HTTP Fuzzer

This is a different take on HTTP Request Smuggling. It focuses on creating a generic framework and infrastructure to fully automate detecting HRS at scale using grammar-based fuzzing.
This is a neat paper/research that explores new areas, for instance finding web server and proxy pairs that are vulnerable even though each one individually is not.

3. Writeups of the week

ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough (Microsoft, $40,000)
Exploiting CSP in Webkit to Break Authentication & Authorization (Apple, $100k+)
Multiple Concrete CMS Vulnerabilities ( Part1 – RCE )

Remember ChaosDB from a few weeks ago? It allowed @sagitz_ and @nirohfeld to gain unrestricted access to the databases of Microsoft Azure customers. The researchers finally released technical details on the chain of misconfigurations that made this impressive attack possible.

The second writeup is about a vulnerability in Safari’s browser engine, Webkit. It did not adhere to the W3C specification when handling CSP violation reports, but Apple deemed this not severe enough to fix quickly. So, @sachinnthakuri and @1lastBr3ath found a way to use this and exploit multiple OAuth/SSO implementations, earning more than $100k bounties. Not bad for a won’t fix quickly bug!

In the third writeup, FORTBRIDGE researchers combine file upload with two race conditions to get RCE. This is really worth reading, both creative and very informative.

4. Tool of the week

bugbounty-openvpn-socks

Let’s say you need to use several VPNs simultaneously (e.g. corporate VPN + training platform VPN + bug bounty platform VPN).
What bugbounty-openvpn-socks allows you to do is expose each VPN via a local SOCKS proxy. So, when you run any tool, you can choose which VPN it should go through (e.g. curl -x socks5://localhost:1000).
This is a very useful tool by @honoki, that also integrates well with BBRF if you use it.

5. Resources of the week

Android App Hacking Workshop
@0xAwali’s methodology for testing Secondary Contexts

The first resource is a slide deck by Google on Android app hacking for bug hunters. It is accompanied with two APKs that include challenges/flags, and a PDF for solutions.
If you want to dive into Android app security and like hands-on learning, this is fantastic. It is beginner friendly but also covers advanced topics, not just the basics.

Another amazing resource is @0xAwali‘s compilation of 110+ things to try when hacking secondary contexts. So many good tips, each one with its reference(s) if you want to find out more about it.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Slides & Workshop material

Tutorials

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • GrepAddr: Python script that extracts different kinds of addresses (URLs, IPs, e-mail addresses, MAC addresses, etc) from stdin
  • lsarelayx: NTLM relaying for Windows made easy
  • dnsline: Tool for making it easy to collect dns results from the CLI

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

%d bloggers like this: