Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 6 to 13.
Our favorite 5 hacking items
1. Vulnerability of the week
I came back to work from a long weekend only to find a deluge of information on this incredibly impactful RCE in Log4j.
For a quick introduction to the vulnerability, I recommend starting with this lunasec.io article and the first 15 minutes of this SANS video.
If you want more technical details, here is a list of resources I posted on GitHub: pentesterland/Log4Shell.
2. Vulnerability² of the week
@j0v0x0 just published a writeup on how he discovered CVE-2021-43798 using source code review and web fuzzing. It is a great read to understand the context behind the vulnerability.
If you’re more interested in looking for it in pentest targets or bug bounty programs, check out @nahamsec’s awesome video tutorial.
3. Writeup of the week
Don’t Reply: A Clever Phishing Method In Apple’s Mail App (Apple, $5,000)
$5k for a bug bounty report on phishing, that’s not so common! It is understandable though.
@jon_bottarini got a hint from @samwcyo that it was possible (at the time) to load PHP files inside <img> tags. This behavior could be exploited to create extremely credible phishing emails targeting Apple Mail.
4. Video of the week
@PwnFunction is back with a new video on prototype pollution. As usual, a very informative and clear explanation of an interesting bug class.
5. Webinar of the week
If you’re struggling with the steep learning curve in InfoSec, you will find this webinar enlightening. It is about learning how to learn, creating a learning plan, and common pitfalls that might be hindering your progress.
Other amazing things we stumbled upon this week
- I opened on a malicious email attachment.. and this is what happened!
- Command injection vulnerability in source code & Blog post
- Update requests with rotated session after user logs out | Burp Suite Pro | Cookies & Authorization
- #MentorshipMondays | Mental Health for Hackers!
- XMPP: An Under-appreciated Attack Surface
- Introduction to Request Smuggling
- Practical Introduction to CodeQL
- Common vulnerabilities in Java and how to fix them
- Developing with VBA for Script Kiddies — TrustedSec
- Cyber Santa is Coming to Town – Hacking Party
- How to search for IDORs!, What is Clickjacking? & Exploiting an SSRF vulnerability
- Metasploit Community CTF 2021 WriteUp
- HackTheBox – Writer
Responsible(ish) disclosure writeups
- The Hacker Recipes: sAMAccountName spoofing, CVE-2021-42287/CVE-2021-42278 Weaponisation, noPac & WazeHell/sam-the-admin
- ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717)
- Bypassing Box’s Time-based One-Time Password MFA
Bug bounty writeups
- A phishing document signed by Microsoft – part 1 (Microsoft)
- Bypass a fix for report #708013 (Login bruteforce) (Shopify, $3,500)
- My mindset while hunting on Yandex and my SSRF (Yandex)
See more writeups on The list of bug bounty writeups.
Tools
- HeySerial & Intro: Systematically Hunting for Deserialization Exploits
- whoc: A container image that exfiltrates the underlying container runtime to a remote server
- SAPP (Static Analysis Post Processor): Takes the raw results of Facebook’s static analysis tool Pysa, and makes them explorable both through a CLI and a web UI
- Dependency Combobulator: Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks
- GoTestWAF: Golang project to test different WAFs for detection logic and bypasses
Tips & Tweets
- Springboot >2.2.6.RELEASE behavior that can be used to bypass path traversal allowlists
- JSON payload blocked by WAF? Change the Content-Type!
- If a server reflects the Connection or Keep-Alive header over HTTP/2, it might be used for cache-poisoning DoS against Safari
- Certified Practitioner exam prep tips
- Using fff to quickly fetch a list of URLs in CLI, while adding them to Burp
Misc. pentest & bug bounty resources
- Cloud Service Provider security mistakes
- WiFi Penetration Testing Cheat Sheet
- Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks
- How Acunetix addresses HTTP/2 vulnerabilities
- The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory
Bug bounty & Pentest news
- Bug bounty
- Tool updates