Bug Bytes #158 – postMessage XSS tips, API testing toolbox & Finding 100+ bugs in WordPress plugins

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from January 31 to February 07, 2022.

Intigriti news

Our favorite 5 hacking items

1. Tutorial of the week

eventlistener-xss-recon

This is worth a read if you’re interested in postMessage XSS. @oliverrickfors shares a methodology to easily find addEventListener in JS files (given a list of hosts as input), then what to do next to test and exploit them for XSS.

2. Writeups of the week

Solving DOM XSS Puzzles
CVE-2022-21703: cross-origin request forgery against Grafana

Can’t get enough of postMessage XSS? Check out @spaceraccoonsec‘s writeup on two XSS vulnerabilities he found on bug bounty programs. They involve interesting bypasses and advanced tips worth adding to any DOM XSS methodology.

Another interesting finding is a CSRF found on Grafana by @jub0bs and @theabrahack. It could basically make a Grafana Admin unwittingly send you a user invite to become admin of their instance, demonstrating that CSRF is definitely not dead.

3. Video of the week

My API Testing Automated Toolbox

Testing a small intentionally vulnerable API is one thing, but where to start when you’re looking for bugs in a large API with thousands of requests on a hardened bug bounty target?
Watch @InsiderPhD explain a sensible approach that combines automation and a manual workflow, with details on the tools she recommends.

4. Article of the week

A technique to semi-automatically find vulnerabilities in WordPress plugins

What is better than finding a vulnerability in a WordPress plugin? Finding over 100 vulnerabilities in dozens of popular WordPress plugins!
@kazet1234 details a semi-automatic approach used to scan for multiple vulnerability classes including XSS, SQL injection, CSRF, arbitrary file read and more. Amazing research that is interestingly transferable to other CMSes.

5. Tool & Tip of the week

fonetic-go
35 bytes PHP backdoor that’s protected by a password & supports arbitrary function calls

@s0md3v just dropped these two beautiful gems. The first one is a Go tool that tells you whether a string is machine-generated or human readable. I’m not sure which use case he has mind, but I’d use this to programatically extract potential secrets from code.

The second tool is a neat PHP webshell that is protected by a password and supports arbitrary function calls despite being very short. From now on, this is my go-to PHP webshell!

Other amazing things we stumbled upon this week

Videos

• OrwaGodFather Methodology
• 100 hours of bug bounty on a public Hackerone program. Bounty vlog #1 – Stripe
• Listen and learn from pentester Rana Khalil
• 🐛 Bug Bounty Recap 🐜 January 27 – February 2
• How to Be an Ethical Hacker in 2022 & Blog post
• Assembly – Pwn Zero To Hero 0x00
• Reverse Engineering 101 – Introduction to IDA PRO: Reversing/Patching a Binary from crackmes.one

Podcasts

• History of Hacking. Joe “Kingpin” Grand, Hardware Hacker. Former L0pht Member.

Webinars

• OAuth 2.0 Hacking for Beginners with Farah Hawa
• Vulns Unleashed: Pwnkit
• [SecWed] 26 Jan 22 | Automate Reverse Engineering CTF with Angr & An introduction to container hacking

Conferences

• DefCamp 2021, especially:
  • Abusing postMessage API for 6 figures/year
  • What it takes to be good at bug bounty hunting
  • Recipe for a beginner in bug bounty hunting
• ChaosDB: How We Hacked Databases of Thousands of Azure Customers (rev)
• CactusCon 10

Slides & Workshop material

• Attacking JavaScript Engines in 2022

Tutorials

• Nmap: Host Discovery
• How to restrict XXE resolving? #BlueTeam
• Vulnerabilities that aren’t. ETag headers
• OSINT without APIs
• I’m Bringing Relaying Back: A Comprehensive Guide On Relaying Anno 2022

Writeups

Challenge writeups

• SSTI Method Confusion in Go.
• UHC – Pressed
• SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”
• H1-CTF Hacky Holidays Writeups by akshansh & w31rd0

Pentest writeups

• How We “Forced” Our Client To Fix A Low Severity Security Bug And Still Got Appreciated!

Responsible(ish) disclosure writeups

• My experience of Hacking The Dutch Government #Web
• Don’t trust comments #Web
• A misconfigured Apache Airflow to AWS Account Compromise
• Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments #CI/CD
• CoronaCheck App TLS certificate vulnerabilities #iOS #Android

Bug bounty writeups

• What Bypassing Razer’s DOM-based XSS Patch Can Teach Us
• How I approached Dependency Confusion!
• Abusing Facebooks Call To Action To Launch Internal Deeplinks (Facebook, $4,000)
• My first bounty, IDOR + Self XSS [€3000] (Intigriti, $3,000)
• HigherLogic Community RCE Vulnerability ($1,250)
• A wontfix request header injection vulnerability in net/http (Ruby)
• CVE-2021-44142: Details On A Samba Code Execution Bug Demonstrated At Pwn2Own Austin ($45,000)

Tools

• LFIDump: A simple python script to dump remote files through a local file read or local file inclusion web vulnerability
• Aerides & Intro: An implementation of infrastructure-as-code scanning using dynamic tooling
• SMBSR: Lookup for interesting stuff in SMB shares
• SMBeagle: SMB fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written (useful for lateral movement and privilege escalation)
• EvilSelenium: A C# tool that weaponizes Selenium to attack Chrome

Tips & Tweets

• @mrtuxracer, @equat0rium & @samm0uda‘s inspiring success stories
• Get an alert(1) by swearing at JavaScript
• Bypass for XSS filters that allow SVG tags
• XSS filter bypass
• How to limit the RAM used by Burp

Misc. pentest & bug bounty resources

• InsecureProgrammingDB: Insecure programming functions database
• Awesome Cyber Security Newsletters
• Linux /proc/ virtual file system in one single page
• Top 25 Browser Extensions for Pentesters and Bugbounty Hunters (2022)
• File formats, Techniques and Tools that can be used to execute code in MS Office
• reapoc

Articles

• GitHub: The Red-Teamer’s Cheat-Sheet
• Windows Drivers Reverse Engineering Methodology
• How Android updates work: A peek behind the curtains from an insider
• Linux (In)security
• Windows Persistence Using WSL2

Challenges

• Intigriti’s February XSS challenge By @aszx87410
• wrongsecrets: Examples with how to not use secrets

Bug bounty & Pentest news

• Bug bounty
  • Intel Launches Project Circuit Breaker (A new expansion of its Bug Bounty program)
  • Announcing the public launch of Cloudflare’s bug bounty program
• Cybersecurity
  • Bittersweet Symfony: Devs accidentally turn off CSRF protection in PHP framework
  • Microsoft to block internet macros by default in five Office applications
  • Open Source Security Foundation launches new initiative to stem the tide of software supply chain attacks
• Upcoming events
  • Intigriti 1337UP LIVE (March 12)
  • Hacking Battlegrounds #4: Valentine’s Special – Hacking Will Tear Us Apart! (Live stream on February 18)
• Tool updates
  • Findomain v6.0.0 (Breaking changes)
  • reconFTW v2.2
  • Mythic 2.3 — An Interface Reborn & Apollo 2.0 — New Year, New Features

Non technical

• CVELE: Wordle but for CVE!
• Stop Storing Secrets In Environment Variables!