Bug Bytes #10 – Command Injection, Sublert by @yassineaboukir & Bypassing XSS Detection

By intigriti

March 19, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 8 to 15 of March.

Our favorite 5 hacking items

1. Conference of the week

OWASP AppSec California 2019, especially:
An Attacker’s View of Serverless and GraphQL Apps & Slides
Endpoint Finder: A static analysis tool to find web endpoints, Slides & EndpointFinder
Pose a Threat: How Perceptual Analysis Helps Bug Hunters & Slides
Creating Accessible Security Testing with ZAP & Slides
Cache Me If You Can: Messing with Web Caching & Slides
Automated Account Takeover: The Rise of Single Request Attacks & Slides
Open-source OWASP tools to aid in penetration testing coverage & Slides
The Call is Coming From Inside the House: Lessons in Securing Internal Apps & Slides

OWASP AppSec conferences are great for anyone interested in (both offensive and defensive) Web app security. This one is particularly good, as you can judge from the list of talks above that I’m planning to watch!
Some of the topics addressed are: extracting endpoints from JS files, FaaS & GraphQL security, Web Caching vulnerabilities, scaling visual identification for bug hunters, new features in ZAP, interesting OWASP tools for white box pentesting…
The only thing missing is the video/slides from workshops which look really interesting. Gonna have to go there myself some day!

2. Article of the week

Exploiting CVE-2018-1335: Command Injection in Apache Tika

Have you ever found an open port on a target, and the service’s version had a CVE but no disclosed exploit? This might happen a lot, especially on (internal) pentests where the number of open ports is generally higher than during bug bounty.
This article is a great example of you how to reverse engineer the patched version and locate the vulnerability – an RCE in this case, using diff (or rcdiff).

3. Tool of the week

Sublert & Introduction

This is a new recon tool by @yassineaboukir who also wrote Asnlookup. They’re both very handy tools for bug hunters.
Sublert monitors changes in CT logs, and notifies you via Slack when a new SSL/TLS was issued for the organization you’re monitoring.
What’s new compared to existing CT monitoring tools like Facebook’s CT tool or CertSpotter is that it was created by a bug hunter for bug hunters. It won’t spam you with irrelevant results, you can enable DNS resolution, disable monitoring for specific domains, and since it’s in Python, you can integrate it with any bug hunting (automated) scripts you are already using.

4. Slides of the week

Pwning mobile apps without root or jailbreak

This is an awesome presentation if you’re into mobile app testing! It’s understandable even without video.
The question answered is: how do you test the security of an app if for some reason you can’t use a rooted/jailbroken device?
This happens when the app refuses to run on a rooted device, or when it requires an iOS version that doesn’t have a public jailbreak.
Solutions explained including commands and resources are:

  • For Android, modify the APK, enable backups, enable debugging, repackage the app, bypass certificate pinning manually using grep, bypass root detection manually, or do the same thing using Frida

  • iOS repackaging or use Frida

  • Use Objection (wrapper around Frida)

5. Resource of the week

Bypassing XSS Detection Mechanisms

This is a great resource for learning how to bypass WAFs for XSS, by the author of XSStrike & Photon.
I often see people sharing complex XSS payload on Twitter. But without context, I don’t find them very useful. This paper is a much better resource for understanding what filters do and how to bypass them with a solid methodology, as opposed to randomly running a list of payloads.
The steps proposed are:

  1. Determining the payload structure based on the context where you are injecting (HTML inside or outside tag, JavaScript…)

  2. Probing to determine the regex used

  3. Obfuscation

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Stepper: A natural evolution of the Repeater tool for Burp Suite! Create sequences of requests to simplify testing of multi-stage endpoints, and create regular expressions to define variables for use in later steps.

More tools, if you have time

Misc. pentest & bug bounty resources




Bug bounty news

Breaches & Vulnerabilities

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/08/2019 to 03/15/2019.

Curated by Pentester Land & Sponsored by Intigriti

You may also like