Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 30 to June 6.
Our favorite 5 hacking items
1. Articles of the week
In the first article, @pyn3rd shares some tricks to bypass WAFs when testing for file upload vulnerabilities in Java apps. One of them is also useful for SSRF and XXE.
The second article is a new addition to @pyn3rd‘s research on JDBC attacks. It focuses on PostgreSQL databases which were not included in the “Make JDBC Attacks Brilliant Again” talk .
“Port Scanner Shootout” is a benchmark of port scanning tools by @s0cm0nkeysec. They compare nmap, masscan, naabu and rustcan, with details on each tool’s capabilities and pros/cons.
2. Writeup of the week
@SonarSource‘s R&D team describe a cool RCE they discovered in Horde Webmail’s default configuration.
It is triggered when a user authenticated on the webmail server opens the attacker’s email (containing a CSRF exploit), and results in RCE on the server and stealing the victim’s clear-text credentials.
3. Video of the week
Google recently announced the winners of the 2021 GCP VRP Prize.
In this video, @LiveOverflow dissects their writeups, trying to understand the bugs, if he could’ve found them, and what differentiates the winning writeup.
4. Challenge of the week
@notsosecure released this new playground for practicing insecure deserialization. It includes four web apps vulnerable to Java, PHP, Python and Node deserialization, with solutions.
If you want to play with this trendy vulnerability, import the VM in VirtualBox and put your hacker detective hat on!
5. Vulnerability of the week
CVE-2022-26134 – Confluence Server and Data Center unauthenticated RCE
- Atlassian advisory
- Volexity advisory
- Technical analysis by Rapid7
- Nuclei template
- @Junior_Baines’s “Through the Wire” PoC
New week, new critical 0-day. CVE-2022-26134 is an unauthenticated RCE in all versions of Confluence. It was first discovered as a 0-day being exploited in the wild.
If you are new to OGNL injection, this is a good opportunity to learn about it with this real-life example.
Other amazing things we stumbled upon this week
- Bug Bounty 101: #20 – Rapidly Testing APIs for Broken Access Control
- Live com Jason Hadix
- Command Injection | Complete Guide
- Best Hacking Podcast in the world?
- Why You Shouldn’t Be an Ethical Hacker
- Security Fest 2022 – Day 1 & Day 2
- The Hitchhiker’s Guide to Pod Security – Lachlan Evenson, Microsoft & A Treasure Map of Hacking (and Defending) Kubernetes
- Introducing the Latest Ghostwriter v2.3.0 @ Black Hat Asia 2022 – Christopher Maddalena & BloodHound @ Black Hat Asia 2022 – Andy Robbins
- SSTIC 2022 (Click on talk titles to see slides and videos)
Medium to advanced
- Securing Cloud Services against Squatting Attacks
- SetUID Rabbit Hole
- Blocking ISO mounting
- Impacket Offense Basics With an Azure Lab
- Hunting Sourcemaps On Steroids
- Pending Intents: A Pentester’s view
- From Zip Slip to System Takeover
- Security Source Code Review – Manual Approaches
- How to find Log4j Vulnerabilities in Every Possible Way
- Prototype pollution is everywhere! Solution to May ’22 XSS Challenge & Challenge winners and community writeups
- HackTheBox – Timing
- CA CTF 2022: Exploiting LFR and forging Cookies – Mutation Lab
- AASLR: Antisyphon Address Space Layout Randomization (MetaCTF walkthrough)
- A Detailed Approach to Solving Oversecured (OVAA) Vulnerable App (For Android Application Security Enthusiasts)
- Hacking an AWS hosted Kubernetes backed product, and failing
- Enumeration and lateral movement in GCP environments
- Your cloud? My cloud now
- Public Report – Lantern and Replica Security Assessment
Responsible(ish) disclosure writeups
- hoot hoot pwn – Meeting Owl security disclosure report #IoT
- PoC for a Post-Auth SQL-Injection (CVE-2022-0757) in Nexpose Vulnerability Scanner <= 6.6.128 #Web
- Multiple vulnerabilities in Zyxel zysh #MemoryCorruption #LPE
Bug bounty writeups
- Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty (Microsoft, $20,000)
- Bug bounty reports from Core Rule Set live hacking event (Core Rule Set)
- Hijacking Over 100k GoDaddy Websites (GoDaddy)
- Is Exploiting A Null Pointer Deref For LPE Just A Pipe Dream? (Microsoft)
- Steal private objects of other projects via project import & Bypass (GitLab, $40,000)
See more writeups on The list of bug bounty writeups.
- npmdomainchecker: Checks all maintainers of all NPM packages for hijackable domains
- websitewatcher: Monitor sites for changes with email notifications
- dsieve: Take a list of urls and filter or extract domains by level
- Astra-Bot: Python based Discord bot which allows you to run tools like nmap and amass from Discord
- Reverse SSH: SSH based reverse shell
Tips & Tweets
- Practical tips for long-running Turbo Intruder attacks
- Don’t limit yourself to Git when checking for exposed source code
- Keywords to grep for in a list of URL page titles
- How to tag each request with the corresponding browser profile (within Burp’s embedded browser) & Using Sharpener
- Some of the best new infosec GitHub projects
- Does using JWTs make an app not vulnerable to CSRF?
See more tips on this week’s Twitter collection.
Misc. pentest & bug bounty resources
- trickest/containers & Intro: Automated privilege escalation of the world’s most popular Docker images
- PROMPT# Issue: Better Together
- Container security Learning Path bundle by AppSecEngineer ($59 until June 17)
- Leveraging AWS QuickSight dashboards to visualize recon data
- Searching SMB Share Files
- DeepPass — Finding Passwords With Deep Learning
- Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain
Bug bounty & Pentest news
- Bug bounty
- US export ban on hacking tools tweaked after public consultation
- 6 ‘nightmare’ cloud security flaws were found in Azure in the last year. Does Microsoft have work to do?
- Discord Is the World’s Most Important Financial Messenger, and a Hotbed for Scammers
- The Surreal Case of a C.I.A. Hacker’s Revenge
- WhatsApp accounts hijacked by call forwarding
- Upcoming events
- Tool updates