Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 03 to 10, 2022.
Our favorite 5 hacking items
1. Tips of the week
HackVector custom tag to escape JSON strings
Using Chrome heap snapshots to find hidden API endpoints
@TechBrunchFR‘s HackVector tag is a real time saver if you often find yourself editing JSON data in Burp. It makes it easy to escape special characters especially when handling large payloads.
The second tip by @imranparray101 is intriguing. I haven't had the chance to test it but it sounds mind-blowing.
2. Paper of the week
Exploiting Url Parsing Confusion
@Claroty and @snyksec collaborated on this research paper about URL parsing confusion. They analyzed 16 URL parsing libraries and found five types of URL parsing inconsistencies and eight vulnerabilities in web apps and third-party libraries.
This is fantastic research if you are interested in vulnerabilities that result from URL validation bypass such as SSRF, Open redirect, XSS, DoS, filter bypass, and even RCE (the example given being Log4J).
3. Writeups of the week
Breaking Parser Logic: Gain Access To NGINX Plus API — Read/Write Upstreams.
Exploiting Redash instances with CVE-2021-41192 ($90,000+)
Didn’t get enough of parsing inconsistencies? Then check out @z0idsec‘s writeup. It is full of insightful details on how to detect, exploit and increase the impact of secondary context path traversal.
The second writeup is about @iangcarroll‘s research on stateless authentication. It is what led him to create CookieMonster, report CVE-2021-41192 (a Redash misconfiguration issue), scan for it on bug bounty programs with the help of @haxor31337 and @naglinagli, and earn almost $100k.
4. Article of the week
Simpler unpickle payloads with the walrus operator
@ZetaTwo shares a clever trick for exploiting Pickle/Python insecure deserialization when no output is returned and outbound connections are not allowed (so no reverse shell).
By leveraging the new Python walrus operator, it becomes possible to get your injected commands' output.
5. Resources of the week
Awesome list of secrets in environment variables
One obstacle that can hinder our progress as hackers is not knowing what we do not know. Initiatives like Security Explained help with that. @harshbothra_ regularly shares notes on vulnerability types, methodologies, tools... Something new to learn (almost) every day.
The second resource is a list of secrets (API keys, tokens, passwords, etc.) that are commonly stored in environment variables. It was compiled by @pulik_io and will be useful if you find a vulnerability that allows reading environment variables (e.g. CVE-2021-44228).
Other amazing things we stumbled upon this week
Slides & Workshop material
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news