Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Before we dive into the meat of this newsletter, we’d like to acknowledge some of our favorite sources of information as a means of celebrating this 100th issue.
This publication would not exist without all you hackers and content creators who share your knowledge and help others improve each in your own different ways. This short list won’t do justice to all, it is just a tiny fraction of the sources on which we keep a close eye for their regularity and excellent quality. Immense gratitude and respect to all:
PortSwigger for the incredible research, invaluable training academy and daily news (Daily Swig);
Darknet Diaries for entertaining us with fascinating real-life hacker stories;
ProjectDiscovery.io for the many sweet well-polished tools;
NahamSec for allowing us to “meet” so many talented hackers in delicious interviews;
Daniel Miessler for the bubbly mix of technical topics and thought-provoking essays;
NCCGroup for the numerous and quality responsible disclosure advisories, tools and research;
InfoSec Write-Ups for helping us keep up with the latest bug bounty writeups;
SANS Information Security Webcasts for regularly offering free high-quality webcasts on all kinds of Information Security topics;
Bishop Fox research labs for the excellent tools, guides, security advisories and fantastic research;
Rhino Security Labs for your unique tools, challenges, guides and writeups on all things penetration testing, especially cloud security.
Lastly, an honourable mention to Appsecco for insightful presentations, writeups and free trainings on Cloud and Web security.
To everyone else who did not make the list, we also love you and appreciate your work <3
That said, let’s look at what the week (from 29 of November to 06 of December) brought us.
Intigriti’s December XSS Challenge
The ultimate iPhone hack, The new threat of cyber-biological attacks & 2021 threats forecast
Orange Tsai’s HITCON CTF 2020 XSS challenge & Solution
This XSS challenge shows a cool trick for getting XSS in Apache installations. Without spoiling it, here’s a little indication: It affects file upload functionalities when Apache supports content negotiation.
$10000 Facebook SSRF (Bug Bounty) (Facebook, $10,000)
Don’t Scan My Website I: Exploiting an Old Version of Wappalyzer #Web
How do people still find SSRF on Facebook? @amineaboud did it using a series of common bug hunting techniques (subdomains enumeration, file bruteforcing and JS analysis), yet the magic was in their combination, his thoroughness and perseverance. Hats off for a beautiful finding!
The second writeup answers the question: can you be pwned by running Wappalyzer against a malicious server? Malicious JavaScript hosted on a remote server cannot read local files in Web browsers because of the Same Origin Policy. Wappalyzer however uses on Zombie.js, a headless browser, with a default setting that made it possible to load and exfiltrate local files. It is fixed now but it is a very interesting read.
xsleaks.dev
This is a new wiki by Google on Cross-site leaks (XS-Leaks). It’s a great resource for learning about this vulnerability class, common attacks and how to mitigate them. Also good to know, the project is open source and welcomes new contributions.
bbscope
Degoogle
bbscope is a Go tool for fetching the scope of bug bounty programs from Intigriti, Bugcrowd and Hackerone. It has handy options that allow you to fetch only private programs, those that offer bounties, or to filter results by scope category (URL, CIDR, mobile, code, hardware…). Awesome work by @sw33tLie!
Degoogle is a Python script for querying Google and extracting result URLs. I haven’t dived into the code, so I’m not sure how it does it but somehow it avoids bot detection. No captcha is served even after running it for weeks.
Finding Your Next Bug: GraphQL
Hacking Tips – Finding new Tools and Techniques Using Github
Hacking 1Password | Episode 4 – Two Simple Bugs that Worth $3,300
The sweet videos to watch this week are about a comprehensive introduction to GraphQL for bug hunters, a welcome reminder to leverage Github for discovering new tools and techniques, and (finally!) the overlooked bugs @ngalongc found in 1Password after decrypting it.
An iOS zero-click radio proximity exploit odyssey
Site Wide CSRF On Glassdoor (Glassdor, $3,000)
Exploiting Blind Postgresql Injection And Exfiltrating Data In Psycopg2 ($3,000)
“Important, Spoofing” – zero-click, wormable, cross-platform remote code execution in Microsoft Teams (Microsoft)
Leaking Browser URL/Protocol Handlers (Google, Microsoft, Mozilla)
RCE via LFI Log Poisoning – The Death Potion
Websites Can Run Arbitrary Code on Machines Running the ‘PlayStation Now’ Application (PlayStation, $15,000)
See more writeups on The list of bug bounty writeups.
Windows Registry .burp file handler & Intro: Windows Registry file that adds handling of .burp files by allowing double-click to open projects directly. Also adds context menu options to launch with extensions disabled, spider and scanner paused, or both.
antiburl.py: Python tool inspired by @TomNomNom’s anti-burl, with advanced options
HackerOne Scripts: Collection of scripts to automate HackerOne things using their GraphQL API
CastleBravo: @m4ll0k’s BugBounty Automation Tool
metahttp: A bash script that automates the scanning of a target network for HTTP resources through XXE
galer: A fast tool to fetch URLs from HTML attributes by crawl-in
PyOracle2 & Intro: A python-based padding oracle tool
powersploit_portscan_db_import & Intro: Metasploit db importer for PowerSploit Invoke-Portscan
IAMFinder & Intro: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
BackBomb: 💣 Dockerized penetration-testing/bugbounty/app-sec testing environment
WriteHat & Intro: A pentest reporting tool written in Python. Markdown –> HTML –> PDF
Carnivore: Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
Distillo.io: Tracking website updates, automated and simplified
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/29/2020 to 12/06/2020.
