By Anna Hammond
January 12, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 03 to 10, 2022.
Intigriti’s January XSS challenge By @TheRealBrenu
HackVector custom tag to escape JSON strings
Using chrome heap snapshots to find hidden API Endpoints
@TechBrunchFR’s HackVector tag is a real time saver if you often find yourself editing JSON data in Burp. It makes it easy to escape special characters, especially when handling large payloads.
The second tip by @imranparray101 is intriguing. I haven’t had the chance to test it but it sounds mind-blowing.
The idea is to grep Chrome’s heap snapshots for “/api” to find all endpoints mentioned in a site’s JavaScript code.
The advantage over other techniques is that this finds endpoints that are never called (and so don’t appear in a Web proxy) and it is really quick, without the need to run many tools or spend time analyzing JavaScript.
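To make the idea concrete, here is an added example (not from @imranparray101’s tip) that does the same grep programmatically. It assumes the snapshot was exported from DevTools as a .heapsnapshot file, whose top-level JSON has a "strings" array holding every string the page had in memory, including JavaScript source text. The embedded mini snapshot is constructed for the demo; on a real export the script is equally useful for auditing which routes your own front-end bundle references but never calls.

```python
import json
import re
import sys

# Path-like tokens starting with "/api": letters, digits and the characters
# commonly seen in REST routes ({id} placeholders, dashes, dots, colons).
API_PATH_RE = re.compile(r"/api(?:/[A-Za-z0-9_.:{}\-]+)*/?")


def extract_api_paths(snapshot):
    """Return the sorted set of '/api...' paths found in a parsed V8 heap snapshot.

    Every string value the page held (including JS source) is in snapshot["strings"],
    so one pass over that array is enough; no DOM walking or proxy traffic needed.
    """
    found = set()
    for s in snapshot.get("strings", []):
        for m in API_PATH_RE.finditer(s):
            found.add(m.group(0))
    return sorted(found)


# Constructed stand-in for a real DevTools export (real files are far larger).
SAMPLE_SNAPSHOT = {
    "snapshot": {"meta": {}, "node_count": 0, "edge_count": 0},
    "nodes": [],
    "edges": [],
    "strings": [
        "(GC roots)",
        'fetch("/api/v1/users").then(r => r.json())',
        "const EXPORT = `${base}/api/internal/export-all`;",  # never called at runtime
        "/api/v2/orders/{id}",
        "https://cdn.example.test/static/app.js",
    ],
}


def main(path=None):
    if path is None:
        snap = SAMPLE_SNAPSHOT
    else:
        with open(path, encoding="utf-8") as fh:
            snap = json.load(fh)
    for p in extract_api_paths(snap):
        print(p)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path of a .heapsnapshot file as the only argument; with no argument it prints the three constructed paths, including the one that no network capture would ever show.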
Exploiting URL Parsing Confusion
@Claroty and @snyksec collaborated on this research paper about URL parsing confusion. They analyzed 16 URL parsing libraries and found five types of URL parsing inconsistencies and eight vulnerabilities in Web apps and third-party libraries.
This is fantastic research if you are interested in vulnerabilities that result from URL validation bypass such as SSRF, Open redirect, XSS, DoS, filter bypass, and even RCE (the example given being Log4J).
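The following is an added example, not from the Claroty/Snyk paper, showing why an allowlist check that trusts a single parser’s idea of the hostname is fragile and what a conservative check looks like. It uses Python’s urllib.parse; the allowlist and hostnames are constructed. Browsers following the WHATWG URL standard treat a backslash as a path separator for http(s) URLs, so a redirect to `http://evil.example\@good.example` lands on evil.example, while urlsplit() reports good.example as the hostname and the naive check waves it through.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirect / fetch is permitted to reach.
ALLOWED_HOSTS = {"good.example"}


def naive_host_allowed(url):
    """Allowlist check that trusts urlsplit().hostname alone (the fragile pattern)."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def strict_host_allowed(url):
    """Same allowlist, applied only after rejecting the constructs on which parsers disagree.

    Each branch corresponds to one class of confusion: backslash vs. slash,
    scheme mix-ups, userinfo ('@'), missing authority, and percent-encoded
    bytes inside the authority. Anything ambiguous is rejected rather than
    interpreted.
    """
    if "\\" in url:                          # backslash confusion
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # scheme confusion
        return False
    if not parts.netloc:                     # slash confusion: "http:/host", "http:///host"
        return False
    if "@" in parts.netloc:                  # userinfo: different parsers pick different hosts
        return False
    if "%" in parts.netloc:                  # encoded data in the authority component
        return False
    return parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    for u in ("http://good.example/path",
              "http://evil.example\\@good.example",
              "http://good.example@evil.example",
              "http:///good.example"):
        print(f"{u!r:45} naive={naive_host_allowed(u)!s:5} strict={strict_host_allowed(u)}")
```

The design point is that the strict version does not try to guess what a second parser will do; it refuses every input where two parsers could plausibly disagree, which is the only stance that survives a library it has never seen.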
Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams.
Exploiting Redash instances with CVE-2021-41192 ($90,000+)
Didn’t get enough of parsing inconsistencies? Then check out @z0idsec’s writeup. It is full of insightful details on how to detect, exploit and increase the impact of secondary context path traversal.
The second writeup is about @iangcarroll’s research on stateless authentication. It is what led him to create CookieMonster, report CVE-2021-41192 (a Redash misconfiguration issue), scan for it on bug bounty programs with the help of @haxor31337 and @naglinagli, and earn almost $100k.
Simpler unpickle payloads with the walrus operator
@ZetaTwo shares a clever trick for exploiting Pickle/Python insecure deserialization when no output is returned and outbound connections are not allowed (so no reverse shell).
By leveraging Python’s new walrus operator (:=), it becomes possible to retrieve the output of your injected commands.
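On the defensive side, the countermeasure to the whole class of unpickle payloads is the restricted unpickler described in the Python standard library documentation: override find_class so that only an explicit allowlist of builtins can be resolved, and every GLOBAL/STACK_GLOBAL reference to anything else is refused before the stream can reach a REDUCE. The block below is an added example, not code from @ZetaTwo’s post; the allowlist and the sample pickles are constructed, and os.getcwd stands in for whatever module-level callable a hostile stream would reference.

```python
import builtins
import io
import os
import pickle

# Builtin names that ordinary data structures need. Nothing here can touch the
# filesystem, the network or the interpreter; extend only with care.
SAFE_BUILTINS = {
    "set", "frozenset", "list", "dict", "tuple", "bytes", "bytearray",
    "str", "int", "float", "bool", "complex", "range", "slice",
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        # Called for GLOBAL and STACK_GLOBAL opcodes, i.e. for every
        # callable the stream wants to obtain. Deny by default.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() for untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (plain_data_roundtrips, module_reference_is_blocked)."""
    # Constructed, benign payload made only of containers and scalars.
    record = {"user": "alice", "roles": {"reader"}, "ids": (1, 2, 3)}
    roundtrips = restricted_loads(pickle.dumps(record)) == record

    # A stream that merely *references* a module-level function. Plain
    # pickle.loads() would hand the function object back; a hostile stream
    # would then invoke it with attacker-chosen arguments via REDUCE.
    reference = pickle.dumps(os.getcwd)
    blocked = False
    try:
        restricted_loads(reference)
    except pickle.UnpicklingError:
        blocked = True
    return roundtrips, blocked


if __name__ == "__main__":
    print("plain data round-trips:", demo()[0])
    print("module reference blocked:", demo()[1])
```

Note that the allowlist is deliberately small: the walrus trick and every other payload variant depend on resolving some callable, so denying the lookup rather than trying to recognise specific payloads is what closes the door.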
Security Explained
Awesome list of secrets in environment variables
One obstacle that can hinder our progress as hackers is not knowing what we do not know. Initiatives like Security Explained help with that. @harshbothra_ regularly shares notes on vulnerability types, methodologies, tools… Something new to learn (almost) every day.
The second resource is a list of secrets (API keys, tokens, passwords, etc.) that are commonly stored in environment variables. It was compiled by @pulik_io and will be useful if you find a vulnerability that allows reading environment variables (e.g. CVE-2021-44228).
Open-Source Intelligence (OSINT) in 5 Hours – Full Course – Learn OSINT!
Introduction to GraphQL | GraphQL Exploitation – Part – 1 | DVGA
Hacking through screenshots! EyeWitness- Hacker Tools & Blog post
Learning about nss (Linux Name Service Switch) During Sudo Exploitation & Creating The First Sudoedit Exploit
Intruding 5G SA core networks from outside and inside (https://penthertz.com/blog/Intruding-5G-core-networks-from-outside-and_inside.html)
PHP 7.3-8.1 disable_functions bypass [concat_function] #Web #MemoryCorruption
The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console #Web
The Story of How I Hacked my ISP’s Cheapo Standard Issue Router #Router #Network
How I Reverse-Engineered one of the biggest GSM Operator’s application. #iOS
Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit #Windows #Malware
Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website (Facebook, $1,075)
Remote Code Execution in Google Cloud Dataflow (Google, $3,333.70)
Accessing GoDaddy internal instance through an email logic bug. (GoDaddy)
A phishing document signed by Microsoft – part 2 (Microsoft)
See more writeups on The list of bug bounty writeups.
PMHunter & Intro: A Python tool to automate searching in postman for public data
Modified Nuclei Templates Version to FUZZ Host Header & Nuclei Templates to reproduce Cracking the lens’s Research
mikedesu/amass-setup: @therealdarkmage’s Amass setup
objectify-s3: A tool that recursively checks AWS S3 buckets and objects for misconfigured permissions
ZKar: A Java serialization protocol analysis tool implemented in Go
@jstnkndy: If you’re auditing Java or .NET apps, you should really try out Burp Infiltrator
8 different techniques to Bypass Rate Limits in Web Applications and APIs
Chrome blocks JavaScript URLs in data attributes for object tags but Firefox doesn’t
Encoded backslash to bypass domain validation filters & Why it’s a good idea to use MySQL’s group_concat() to exploit SQL injection
Implementing Django-rest API Throttling and Unauthenticated bypass & IP spoofing bug leaves Django REST applications open to DDoS, password-cracking attacks
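The IP spoofing issue in the second link comes down to a throttle keying on an address the client can choose. As an added example (not code from Django REST framework or from either article), here is the spoofable pattern next to a client-address resolver that only believes X-Forwarded-For entries appended by proxies you operate. The proxy ranges and addresses are constructed; on Django you would feed it request.META["REMOTE_ADDR"] and request.META.get("HTTP_X_FORWARDED_FOR").

```python
import ipaddress

# Reverse proxies in front of the application (constructed values). Header
# entries are only believed when the peer that sent them is one of these.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.10/32"),
]


def is_trusted_proxy(addr):
    """True if addr belongs to one of our proxies. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff_header):
    """The spoofable pattern: believe the left-most X-Forwarded-For entry."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff_header):
    """Address to key throttling and lockout counters on.

    remote_addr is the TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value or None. The header is consulted only when the peer
    is one of our proxies, and the chain is walked right-to-left: each trusted
    proxy appended exactly one entry, so the first entry from the right that is
    not ours is the real client. Anything to its left was supplied by the
    client itself and is ignored.
    """
    try:
        if not is_trusted_proxy(remote_addr):
            return remote_addr          # direct connection: header is untrusted
        hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
        for hop in reversed(hops):
            if not is_trusted_proxy(hop):
                return hop
    except ValueError:
        # Malformed entry somewhere in the chain: never let bad input pick the bucket.
        return remote_addr
    # Header absent, or every entry claims to be one of our proxies.
    return remote_addr


if __name__ == "__main__":
    spoofed = "1.2.3.4, 198.51.100.7"
    print("naive :", naive_client_ip("10.0.0.5", spoofed))   # attacker-chosen
    print("strict:", client_ip("10.0.0.5", spoofed))         # real client
```

The practical check for any throttle or lockout: send a request with a made-up X-Forwarded-For through your own edge and confirm the counter increments for your real address, not the made-up one.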
Persistence without “Persistence”: Meet The Ultimate Persistence Bug – “NoReboot”
The Mac Malware of 2021 👾 – a comprehensive analysis of the year’s new malware!
Thread on macOS vulnerability research / exploit development published in 2021
Bug bounty
Tool updates
BBRF v1.3.0 (added where statements & remove command)