Bug Bounty & Agile Pentesting Platform

Bug Bytes #160 – Invisible SQL Injection, Reading redacted text & Coinbase’s largest-ever bug bounty

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 14 to 21.

Intigriti news

Our favorite 5 hacking items

1. Vulnerability of the week

@Tree_of_Alpha on Coinbase’s “largest-ever bug bounty”, Coinbase’s Retrospective & A 60s explanation by @Farah_Hawaa ($250,000)

@Tree_of_Alpha shares how they discovered a business logic issue on Coinbase and was rewarded a quarter-million-dollar bounty.
The wild part is that it didn’t involve any Web3 hacking. The root cause was a missing logic validation check in an API endpoint, which allowed selling Bitcoin and other cryptocurrencies without owning them.

2. Writeup of the week

Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql

This is about an escape function in mysqljs/mysql that is commonly misunderstood and misused. It causes many Node.js projects that use this package to be vulnerable to SQL injection.
According to the author, @stereotype32, this vulnerability has been known to many web security researchers but most SQL injection scanners miss it.

3. Tool of the week

Unredacter & Never, Ever, Ever Use Pixelation for Redacting Text

@2600AltF4 released a new tool for uncovering redacted pixelated text. It solves some limitations that another similar tool, Depix, has.
Two useful takeways for pentesters / bug hunters: The only way to securely redact text is to use black bars. And if you find redacted documents or screenshots that may contain sensitive information, try reading it with Unredacter.

4. Video of the week

BOUNTY THURSDAYS – LIVE #1 (SVG-XML/Redirects/OOB servers and Community Questions)

Do you know what’s better than a Bounty Thursdays episode? A LIVE Bounty Thursday episode!
This is an amazing opportunity to be part of the show, interact with @stokfredrik and his co-host @Jhaddix, and stay up-to-date with bug bounty news in a fun way.
It’s supposed to be a bi-weekly show, so keep an eye on the channel.

5. Challenge of the week

Javascript reverse engineering challenge & Video walkthrough

This is a good challenge to test your JavaScript deobfuscating and reverse engineering skills. The video shows how to solve it using dynamic analysis with DevTools.
So even if you’re not interested in reverse engineering per se, it may teach you some useful tricks on DevTools and how to approach big JavaScript files when doing client-side code review.

Other amazing things we stumbled upon this week

Videos

Webinars

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • TLD:er: TLDs finder — check domain name availability across all valid top-level domains.
  • OnHandlers: Script to generate Event Handlers and bypass filters
  • uproot-JS/: Extract JavaScript files from burp suite project with ease
  • nrich: A Rust tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities
  • KrbRelay: Framework for Kerberos relaying
  • ltmod (Left To My Own Devices) & Intro: Fast NTCracking tool in Rust

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

%d