Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 07 to 14.
Our favorite 5 hacking items
1. Article of the week
GitBleed – Finding Secrets in Mirrored Git Repositories & GitBleed Tools
@nightwatchcyber noticed that tools that scan for secrets in Git repositories will miss some secrets if they clone repos without the
They share how to look for these secrets, some Bash scripts that automate the process and a couple of intentionally vulnerable repos.
2. Writeup of the week
BigQuery SQL Injection Cheat Sheet ($50k+)
@ozgur_bbh and @anilyukk discovered and exploited a BigQuery SQL injection on a bug bounty target. They share the syntax and queries they used, which is valuable considering the lack of resources on SQL injections targeting this specific type of DBMS.
3. Tutorial of the week
Bypassing the AWS WAF protection with an 8KB bullet
@riyazwalikar describes a known limitation of AWS WAF: it only inspects the first 8KB of the web request body. This allows bypassing AWS WAF by placing payloads after 8KB of junk data.
Actually, this issue is not new. @securityfu wrote about it in AWS WAF’s Dangerous Defaults, but this tutorial serves as a good reminder of this interesting behavior.
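To make the limitation concrete from the defender's side, here is an added example (not from the newsletter or from either linked article) that models a WAF which only looks at the first 8KB of a body, and the size-constraint policy a defender adds so that bodies longer than the inspected window are rejected rather than passed through partially inspected. The signature list, the sample bodies and the function names are all constructed for the illustration.

```python
"""Toy model of prefix-only body inspection and the size-constraint fix.

Added example; the signatures and sample bodies below are constructed and
deliberately minimal, not a real WAF rule set.
"""
import re

INSPECTION_LIMIT = 8 * 1024  # bytes of the body the toy WAF actually inspects

# Constructed signature list (hypothetical, for illustration only).
SIGNATURES = [
    re.compile(rb"<script\b", re.I),
    re.compile(rb"union\s+select", re.I),
]


def prefix_only_inspect(body: bytes) -> bool:
    """Return True if a signature matches within the inspected prefix.

    Anything past INSPECTION_LIMIT is never looked at, which is the
    behaviour the tutorial describes.
    """
    window = body[:INSPECTION_LIMIT]
    return any(sig.search(window) for sig in SIGNATURES)


def inspect_with_size_constraint(body: bytes, max_body: int = INSPECTION_LIMIT) -> str:
    """Defender-side policy: refuse bodies larger than the inspected window.

    Returns 'block-oversize', 'block-signature' or 'allow'. Rejecting
    oversized bodies closes the gap, because no part of an accepted body is
    ever left uninspected.
    """
    if len(body) > max_body:
        return "block-oversize"
    if prefix_only_inspect(body):
        return "block-signature"
    return "allow"


# Constructed sample request bodies.
SMALL_MALICIOUS = b"q=<script>alert(1)</script>"
PADDED = b"a" * INSPECTION_LIMIT + b"&q=<script>alert(1)</script>"
BENIGN = b"name=alice&age=30"


def demo() -> dict:
    """Compare both inspection modes on the constructed bodies."""
    return {
        "small_prefix_only": prefix_only_inspect(SMALL_MALICIOUS),   # True
        "padded_prefix_only": prefix_only_inspect(PADDED),           # False: payload is past the window
        "padded_with_constraint": inspect_with_size_constraint(PADDED),  # 'block-oversize'
        "benign_with_constraint": inspect_with_size_constraint(BENIGN),  # 'allow'
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The equivalent in AWS WAF itself is a size-constraint rule on the request body (a feature AWS WAF supports, though it is not discussed on this page): pair the content-inspection rules with a rule that blocks bodies over the inspected size, so a padded request is rejected instead of sailing through with its tail unread. The same reasoning applies to any inspection layer with a bounded window.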
4. Tool of the week
Salesforce Recon and Exploitation Toolkit (SRET) & Intro
While learning about Salesforce vulnerabilities, @uraniumhacker created this tool to automate testing for and exploiting misconfigurations in Salesforce instances.
He used it to report multiple Critical and High impact information disclosure bugs.
5. Non technical item of the week
Being stuck on a challenge for too long can result in losing interest or unnecessarily wasting time in one’s learning journey. So, if you are struggling with Hack The Box machines/challenges or certifications like the OSCP, make sure to read and apply this advice by @ippsec and @0xdf_.
It will help you make consistent progress, and know when to try harder and when to look at solutions.
Other amazing things we stumbled upon this week
- 🐛 Bug Bounty Recap 🐜 February 3 – 9
- Bug Bounty Live Recon – Grabbing Domains!
- Chrome and FireFox don’t agree on this!
- Polkit – 12-year-old Security Vulnerability to Privilege Escalation | PolicyKit | Linux | #Explained
- Reverse Engineering 101 – Introduction to IDA Free on Linux: Reversing 2 crackmes
- Sudo Exploit for (old) Ubuntu 20.04 LTS
- Windows Privilege Escalation series by @HackerSploit
- Create Your Own Python DNS ENUMERATION TOOL & Create Your Own Python SUBDOMAIN ENUMERATION TOOL
Podcasts / Audio
- Introduction to Spring Boot Related Vulnerabilities
- How to integrate Nuclei with Interactsh and Notify
- Improving the impact of a mouse-related XSS with styling and CSS-gadgets
- How does UTF-8 turn “😂” into “F09F9882”?
- Using Power Automate for Covert Data Exfiltration in Microsoft 365
- Vulnerabilities that aren’t. Unquoted Spaces
- Extremely Short XSS?! Solution to February ’22 XSS Challenge & Winners
- HackTheBox – EarlyAccess
- Heap Tricks Never Get Old – Insomni’Hack Teaser 2022
- XSS via HTTP Parameter Pollution! & SQL Injection to Retrieve Hidden Data!
- HTB: SteamCloud #Kubernetes
Responsible(ish) disclosure writeups
- Oracle Server Side Request Forgery (SSRF) Metadata (Oracle)
- impressCMS – unauthenticated code execution #Web #CodeReview
- Multiple Vulnerabilities In Concrete CMS – Part2 (PrivEsc/SSRF/etc) #Web
- A Zero-Click RCE Exploit for the Peloton Bike (And Also Every Other Unpatched Android Device) #MemoryCorruption
- From Stored XSS to Code Execution using SocEng, BeEF and elFinder CVE-2021-45919 #Web
Bug bounty writeups
- “Zero-Days” Without Incident – Compromising Angular via Expired npm Publisher Email Domains (GitHub) & Related paper
- WordPress < 5.8.3 – Object Injection Vulnerability (WordPress)
- How i made 15k$ from Remote Code Execution Vulnerability ($15,000)
- How Docker Made Me More Capable and the Host Less Secure (Microsoft)
- Mindshare: When Mysql Cluster Encounters Taint Analysis (Oracle)
- SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999) & SpoolFool (Microsoft)
See more writeups on The list of bug bounty writeups.
Tools
- Ghostbuster & Intro (https://blog.assetnote.io/2022/02/13/dangling-eips/): Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts
- Copy Regex Matches: Burp extension to copy regex matches from selected requests and/or responses to the clipboard
- Nuclei – Burp Extension: Simple Burp extension to run Nuclei directly from Burp, transforming JSON results into issues
- OAUTHScan: Burp extension useful to verify OAUTHv2 and OpenID security
- JWT Editor: A Burp Suite extension and standalone application for creating and editing JSON Web Tokens
- hardCIDR: Bash script to discover an organization’s netblocks or ranges (in CIDR notation)
Tips & Tweets
- Why you should check the default amass config.ini file regularly
- Something to check when testing Chrome extensions
- HTTP response “Content-type: image/png, text/html” will render the “text/html” even if the content type is actually “image/png”
- PoC for evading MS default setting and smuggling VBA macros back in
- One of @_nwodtuhs’s latest paths to Domain Admin
Misc. pentest & bug bounty resources
- HTTP header smuggling mindmap
- The Art of Attack: Attacker Mindset for Security Professionals ($22.49)
- Practical Phishing Assessments (New TCM course) ($29.99)
- Reversing Golang
- s0cm0nkey’s Security Reference Guide
- Top 10 web hacking techniques of 2021
- PostgreSQL Driver Logger Injection
- Dropping Files on a Domain Controller Using CVE-2021-43893 & Blank Space
- SPN-jacking: An Edge Case in WriteSPN Abuse
- AD CS: from ManageCA to RCE
- Gaining the upper hand(le)
- PPE — Poisoned Pipeline Execution
- SecurityLabs challenge
- KustomizeGoat: Vulnerable by design Kustomize deployment
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
  - @stokfredrik’s Bounty Thursdays – Live (Thursday 16:00 CET)
  - Apply to learn how to hack Intel® SGX
  - IWCon 2022 (February 26-27, $5)
- Tool updates