Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 31 to February 07, 2022.
Our favorite 5 hacking items
1. Tutorial of the week
This is worth a read if you’re interested in postMessage XSS. @oliverrickfors shares a methodology to easily find addEventListener in JS files (given a list of hosts as input), then what to do next to test and exploit them for XSS.
2. Writeups of the week
Can’t get enough of postMessage XSS? Check out @spaceraccoonsec‘s writeup on two XSS vulnerabilities he found on bug bounty programs. They involve interesting bypasses and advanced tips worth adding to any DOM XSS methodology.
Another interesting finding is a CSRF found on Grafana by @jub0bs and @theabrahack. It could basically make a Grafana Admin unwittingly send you a user invite to become admin of their instance, demonstrating that CSRF is definitely not dead.
3. Video of the week
Testing a small intentionally vulnerable API is one thing, but where to start when you’re looking for bugs in a large API with thousands of requests on a hardened bug bounty target?
Watch @InsiderPhD explain a sensible approach that combines automation and a manual workflow, with details on the tools she recommends.
4. Article of the week
What is better than finding a vulnerability in a WordPress plugin? Finding over 100 vulnerabilities in dozens of popular WordPress plugins!
@kazet1234 details a semi-automatic approach used to scan for multiple vulnerability classes including XSS, SQL injection, CSRF, arbitrary file read and more. Amazing research that is interestingly transferable to other CMSes.
5. Tool & Tip of the week
@s0md3v just dropped these two beautiful gems. The first one is a Go tool that tells you whether a string is machine-generated or human readable. I’m not sure which use case he has mind, but I’d use this to programatically extract potential secrets from code.
The second tool is a neat PHP webshell that is protected by a password and supports arbitrary function calls despite being very short. From now on, this is my go-to PHP webshell!
Other amazing things we stumbled upon this week
- OrwaGodFather Methodology
- 100 hours of bug bounty on a public Hackerone program. Bounty vlog #1 – Stripe
- Listen and learn from pentester Rana Khalil
- 🐛 Bug Bounty Recap 🐜 January 27 – February 2
- How to Be an Ethical Hacker in 2022 & Blog post
- Assembly – Pwn Zero To Hero 0x00
- Reverse Engineering 101 – Introduction to IDA PRO: Reversing/Patching a Binary from crackmes.one
- OAuth 2.0 Hacking for Beginners with Farah Hawa
- Vulns Unleashed: Pwnkit
- [SecWed] 26 Jan 22 | Automate Reverse Engineering CTF with Angr & An introduction to container hacking
- DefCamp 2021, especially:
- ChaosDB: How We Hacked Databases of Thousands of Azure Customers (rev)
- CactusCon 10
Slides & Workshop material
- Nmap: Host Discovery
- How to restrict XXE resolving? #BlueTeam
- Vulnerabilities that aren’t. ETag headers
- OSINT without APIs
- I’m Bringing Relaying Back: A Comprehensive Guide On Relaying Anno 2022
- SSTI Method Confusion in Go.
- UHC – Pressed
- SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”
- H1-CTF Hacky Holidays Writeups by akshansh & w31rd0
Responsible(ish) disclosure writeups
- My experience of Hacking The Dutch Government #Web
- Don’t trust comments #Web
- A misconfigured Apache Airflow to AWS Account Compromise
- Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments #CI/CD
- CoronaCheck App TLS certificate vulnerabilities #iOS #Android
Bug bounty writeups
- What Bypassing Razer’s DOM-based XSS Patch Can Teach Us
- How I approached Dependency Confusion!
- Abusing Facebooks
Call To ActionTo Launch Internal Deeplinks (Facebook, $4,000)
- My first bounty, IDOR + Self XSS [€3000] (Intigriti, $3,000)
- HigherLogic Community RCE Vulnerability ($1,250)
- A wontfix request header injection vulnerability in net/http (Ruby)
- CVE-2021-44142: Details On A Samba Code Execution Bug Demonstrated At Pwn2Own Austin ($45,000)
- LFIDump: A simple python script to dump remote files through a local file read or local file inclusion web vulnerability
- Aerides & Intro: An implementation of infrastructure-as-code scanning using dynamic tooling
- SMBSR: Lookup for interesting stuff in SMB shares
- SMBeagle: SMB fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written (useful for lateral movement and privilege escalation)
- EvilSelenium: A C# tool that weaponizes Selenium to attack Chrome
Tips & Tweets
- @mrtuxracer, @equat0rium & @samm0uda‘s inspiring success stories
- Bypass for XSS filters that allow SVG tags
- XSS filter bypass
- How to limit the RAM used by Burp
Misc. pentest & bug bounty resources
- InsecureProgrammingDB: Insecure programming functions database
- Awesome Cyber Security Newsletters
- Linux /proc/ virtual file system in one single page
- Top 25 Browser Extensions for Pentesters and Bugbounty Hunters (2022)
- File formats, Techniques and Tools that can be used to execute code in MS Office
- GitHub: The Red-Teamer’s Cheat-Sheet
- Windows Drivers Reverse Engineering Methodology
- How Android updates work: A peek behind the curtains from an insider
- Linux (In)security
- Windows Persistence Using WSL2
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Intigriti 1337UP LIVE (March 12)
- Hacking Battlegrounds #4: Valentine’s Special – Hacking Will Tear Us Apart! (Live stream on February 18)
- Tool updates