Bug Bytes #100 – Apache XSS trick, Google in CLI without Captcha & How to easily fetch bug bounty scopes

By Anna Hammond

December 9, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

Before we dive into the meat of this newsletter, we’d like to acknowledge some of our favorite sources of information as a means of celebrating this 100th issue.

This publication would not exist without all you hackers and content creators who share your knowledge and help others improve each in your own different ways. This short list won’t do justice to all, it is just a tiny fraction of the sources on which we keep a close eye for their regularity and excellent quality. Immense gratitude and respect to all:

  • PortSwigger for the incredible research, invaluable training academy and daily news (Daily Swig);

  • Darknet Diaries for entertaining us with fascinating real-life hacker stories;

  • ProjectDiscovery.io for the many sweet well-polished tools;

  • NahamSec for allowing us to “meet” so many talented hackers in delicious interviews;

  • Daniel Miessler for the bubbly mix of technical topics and thought-provoking essays;

  • NCCGroup for the numerous and quality responsible disclosure advisories, tools and research;

  • InfoSec Write-Ups for helping us keep up with the latest bug bounty writeups;

  • SANS Information Security Webcasts for regularly offering free high-quality webcasts on all kinds of Information Security topics;

  • Bishop Fox research labs for the excellent tools, guides, security advisories and fantastic research;

  • Rhino Security Labs for your unique tools, challenges, guides and writeups on all things penetration testing, especially cloud security.

Lastly, an honourable mention to Appsecco for insightful presentations, writeups and free trainings on Cloud and Web security.

To everyone else who did not make the list, we also love you and appreciate your work <3

That said, let’s look at what the week (from 29 of November to 06 of December) brought us.

Intigriti News

Intigriti’s December XSS Challenge

The ultimate iPhone hack, The new threat of cyber-biological attacks & 2021 threats forecast

Our favorite 5 hacking items

1. Challenge of the week

Orange Tsai’s HITCON CTF 2020 XSS challenge & Solution

This XSS challenge shows a cool trick for getting XSS in Apache installations. Without spoiling it, here’s a little indication: It affects file upload functionalities when Apache supports content negotiation.

2. Writeups of the week

$10000 Facebook SSRF (Bug Bounty) (Facebook, $10,000)
Don’t Scan My Website I: Exploiting an Old Version of Wappalyzer #Web

How do people still find SSRF on Facebook? @amineaboud did it using a series of common bug hunting techniques (subdomains enumeration, file bruteforcing and JS analysis), yet the magic was in their combination, his thoroughness and perseverance. Hats off for a beautiful finding!

The second writeup answers the question: can you be pwned by running Wappalyzer against a malicious server? Malicious JavaScript hosted on a remote server cannot read local files in Web browsers because of the Same Origin Policy. Wappalyzer however uses on Zombie.js, a headless browser, with a default setting that made it possible to load and exfiltrate local files. It is fixed now but it is a very interesting read.

3. Resource of the week

xsleaks.dev

This is a new wiki by Google on Cross-site leaks (XS-Leaks). It’s a great resource for learning about this vulnerability class, common attacks and how to mitigate them. Also good to know, the project is open source and welcomes new contributions.

4. Tools of the week

bbscope

Degoogle

bbscope is a Go tool for fetching the scope of bug bounty programs from Intigriti, Bugcrowd and Hackerone. It has handy options that allow you to fetch only private programs, those that offer bounties, or to filter results by scope category (URL, CIDR, mobile, code, hardware…). Awesome work by @sw33tLie!

Degoogle is a Python script for querying Google and extracting result URLs. I haven’t dived into the code, so I’m not sure how it does it but somehow it avoids bot detection. No captcha is served even after running it for weeks.

5. Videos of the week

Finding Your Next Bug: GraphQL
Hacking Tips – Finding new Tools and Techniques Using Github
Hacking 1Password | Episode 4 – Two Simple Bugs that Worth $3,300

The sweet videos to watch this week are about a comprehensive introduction to GraphQL for bug hunters, a welcome reminder to leverage Github for discovering new tools and techniques, and (finally!) the overlooked bugs @ngalongc found in 1Password after decrypting it.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Windows Registry .burp file handler & Intro: Windows Registry file that adds handling of .burp files by allowing double-click to open projects directly. Also adds context menu options to launch with extensions disabled, spider and scanner paused, or both.

  • antiburl.py: Python tool inspired by @TomNomNom’s anti-burl, with advanced options

  • HackerOne Scripts: Collection of scripts to automate HackerOne things using their GraphQL API

  • CastleBravo: @m4ll0k’s BugBounty Automation Tool

  • metahttp: A bash script that automates the scanning of a target network for HTTP resources through XXE

  • galer: A fast tool to fetch URLs from HTML attributes by crawl-in

  • PyOracle2 & Intro: A python-based padding oracle tool

  • powersploit_portscan_db_import & Intro: Metasploit db importer for PowerSploit Invoke-Portscan

  • IAMFinder & Intro: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance

  • BackBomb: 💣 Dockerized penetration-testing/bugbounty/app-sec testing environment

  • WriteHat & Intro: A pentest reporting tool written in Python. Markdown –> HTML –> PDF

  • Carnivore: Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb

  • Distillo.io: Tracking website updates, automated and simplified

Tools updates

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2020 to 12/06/2020.

You may also like