Bug Bytes #154 – URL parsing confusion, Forging cookies for almost $100k & Exploiting impossible Pickle deserialization

By Anna Hammond

January 12, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from January 03 to 10, 2022.

Intigriti news

Intigriti’s January XSS challenge By @TheRealBrenu

Our favorite 5 hacking items

1. Tips of the week

HackVector custom tag to escape JSON strings
Using chrome heap snapshots to find hidden API Endpoints

@TechBrunchFR‘s HackVector tag is a real time saver if you often find yourself editing JSON data in Burp. It makes it easy to escape special characters especially when handling large payloads.

The second tip by @imranparray101 is intriguing. I haven’t had the chance to test it but it sounds mindblowing.
The idea is to grep Chrome’s heap snapshots for “/api” to find all endpoints mentioned in a site’s JavaScript code.
The advantage over other techniques is that this finds endpoints that are never called (and so don’t appear in a Web proxy) and it is really quick, without the need to run many tools or spend time analyzing JavaScript.

2. Paper of the week

Exploiting Url Parsing Confusion

@Claroty and @snyksec collaborated on this research paper about URL parsing confusion. They analyzed 16 URL parsing libraries and found five types of URL parsing inconsistencies and eight vulnerabilities in Web apps and third-party libraries.
This is fantastic research if you are interested in vulnerabilities that result from URL validation bypass such as SSRF, Open redirect, XSS, DoS, filter bypass, and even RCE (the example given being Log4J).

3. Writeups of the week

Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams.
Exploiting Redash instances with CVE-2021-41192 ($90,000+)

Didn’t get enough of parsing inconsistencies? Then check out @z0idsec‘s writeup. It is full of insightful details on how to detect, exploit and increase the impact of secondary context path traversal.

The second writeup is about @iangcarroll‘s research on stateless authentication. It is what led him to create CookieMonster, report CVE-2021-41192 (a Redash misconfiguration issue), scan for it on bug bounty programs with the help of @haxor31337 and @naglinagli, and earn almost $100k.

4. Article of the week

Simpler unpickle payloads with the walrus operator

@ZetaTwo shares a clever trick for exploiting Pickle/Python insecure deserialization when no output is returned and outbound connections are not allowed (so no reverse shell).
By leveraging the new Python operator walrus, it becomes possible to get your injected commands’ output.

5. Resources of the week

Security Explained
Awesome list of secrets in environment variables

One obstacle that can hinder our progress as hackers is not knowing what we do not know. Initiatives like Security Explained help with that. @harshbothra_ regularly shares notes on vulnerability types, methodologies, tools… Something new to learn (almost) everyday.

The second resource is a list of secrets (API keys, tokens, passwords, etc) that are commonly stored in environment variables. It was compiled by @pulik_io and will be useful if you find a vulnerability that allows reading environment variables (e.g. CVE-2021-44228).

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Webinars

Slides & Workshop material

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

2021 retrospectives

Challenges

Bug bounty & Pentest news

Non technical

You may also like