Bug Bytes #101 – XSS for PDFs, KringleCon & A whole bunch of fantabulous tools

By Anna Hammond

December 16, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 06 to 13 of December.

Intigriti News

FireEye hacked, Amnesia:33 & A device-bricking UEFI malware

Our favorite 5 hacking items

1. Article of the week

Portable Data exFiltration: XSS for PDFs & Presentation

This is @garethheyes's new research presented at Black Hat Europe. He developed a new injection technique based on controlling a single HTTP link in a PDF document. It allows exfiltrating the PDF file's contents (like a blind XSS, but inside the PDF) or performing SSRF. Several PDF libraries were found vulnerable, including Acrobat and Chrome's PDFium.

This is really cool. PDF files are used all the time, and they can be completely compromised with just one little link!
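To make the injection point concrete, here is an added example (my code, not the research's or the newsletter's) of a PDF generator that drops an attacker-supplied URL into a link annotation. PDF literal strings are delimited by parentheses, so an unescaped `)` in the URL ends the `/URI` string and whatever follows is parsed as PDF syntax; balanced pairs are legal inside a string, which is why a payload can itself contain `app.alert(1)`. The payload shape, the `app.alert` JavaScript action and the tiny name scanner are assumptions for illustration only; which injected keys a given viewer actually honours is up to that viewer.

```python
import re

# Escapes required inside a PDF literal string: backslash, both parentheses
# and line breaks. Escaping every parenthesis is always safe.
PDF_STRING_ESCAPES = {"\\": "\\\\", "(": "\\(", ")": "\\)", "\r": "\\r", "\n": "\\n"}


def escape_pdf_string(s: str) -> str:
    """Make an arbitrary string safe to embed between ( and ) in a PDF object."""
    return "".join(PDF_STRING_ESCAPES.get(c, c) for c in s)


def link_annotation_unsafe(url: str) -> str:
    """Vulnerable generator: the URL goes straight into the /URI string."""
    return ("<< /Type /Annot /Subtype /Link /Rect [0 0 100 50] "
            f"/A << /S /URI /URI ({url}) >> >>")


def link_annotation_safe(url: str) -> str:
    """Hardened generator: the URL is escaped before it enters the string."""
    return ("<< /Type /Annot /Subtype /Link /Rect [0 0 100 50] "
            f"/A << /S /URI /URI ({escape_pdf_string(url)}) >> >>")


def names_outside_strings(obj: str) -> list:
    """Illustrative scanner (not a real PDF parser): the /Name tokens a reader
    would treat as syntax, i.e. those not inside a parenthesised literal
    string. Tracks nesting and backslash escapes like the string grammar."""
    names, depth, i = [], 0, 0
    while i < len(obj):
        c = obj[i]
        if depth > 0:                      # inside a literal string
            if c == "\\":
                i += 2                     # skip the escaped character
                continue
            if c == "(":
                depth += 1                 # balanced parens nest legally
            elif c == ")":
                depth -= 1
        elif c == "(":
            depth = 1
        elif c == "/":
            m = re.match(r"/([^\s/<>\[\]()]+)", obj[i:])
            if m:
                names.append(m.group(1))
                i += m.end()
                continue
        i += 1
    return names


# Constructed attacker-controlled link: closes the /URI string early, appends
# extra dictionary entries, and opens a new string to swallow the template's
# closing parenthesis. The JavaScript action is just an illustrative shape.
INJECTED_URL = "http://attacker.test/)/S/JavaScript/JS(app.alert(1))/Dummy("


def injected_keys(annotation: str) -> list:
    """Names present in the annotation that the template itself never emits."""
    template = set(names_outside_strings(link_annotation_safe("http://x/")))
    return [n for n in names_outside_strings(annotation) if n not in template]
```

Running `injected_keys` over both generators with `INJECTED_URL` shows the unsafe one exposing `JavaScript`, `JS` and `Dummy` as dictionary syntax, while the escaped version keeps the whole payload inside the string. The fix is the boring one: treat the link like any other untrusted value and escape it for the PDF string context it lands in.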

2. Writeups of the week

Content-Security-Policy Bypass to perform XSS using MIME sniffing
How I hacked Facebook: Part One (Facebook, $7,500)
The YouTube bug that allowed unlisted uploads to any channel (Google, $6,337)

The first one is about two XSS that looked impossible because CSP blocked them, but became exploitable when chained together using MIME sniffing. The second writeup is about an admin account takeover (on a thefacebook.com subdomain) caused by an exposed password change endpoint. The third writeup is about a simple IDOR that would've allowed anyone to upload videos to someone else's YouTube channel.

These are all proof that the best findings aren’t necessarily the most complicated!

3. Tutorial of the week

Advanced Testing Of Web Application With Custom Message Signing Using Hackvertor

This tutorial shows how to use the Burp extension Hackvertor to test apps that sign their messages (a mechanism meant to block tampering and replay), so that requests modified in the proxy still carry a valid signature. This isn't a new problem, but it is not extensively documented, so this can be helpful.

4. Conference of the week

KringleCon 2020

Y'all have been nice this year, so Santa Claus has great talks for you! Topics range from S3 bucket weaknesses to car hacking, adversary emulation, HID card hacking, red teaming, Kubernetes attacks, offensive security tools and more.

Burp Suite Sequencer users will also be interested in the “Random Facts About Mersenne Twisters” talk on pseudo-random number generators and this thread on how Sequencer works.
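Why a PRNG talk matters to Sequencer users: Mersenne Twister output passes statistical tests, so a token generator built on it can look fine in Sequencer and still be fully predictable. The following is an added example (mine, not from the talk, the thread or the newsletter) showing the classic attack on MT19937, which is what Python's `random` module uses: invert the output tempering on 624 consecutive 32-bit values, load them back as generator state, and predict what comes next. The victim generator and seed are constructed for the demo.

```python
import random

# MT19937 tempering constants (the generator behind Python's random module)
MASK32 = 0xFFFFFFFF
TEMPER_B, TEMPER_C = 0x9D2C5680, 0xEFC60000


def temper(y: int) -> int:
    """Forward tempering, as applied to every word MT19937 outputs."""
    y ^= y >> 11
    y ^= (y << 7) & TEMPER_B
    y ^= (y << 15) & TEMPER_C
    y ^= y >> 18
    return y & MASK32


def undo_right_xor(y: int, shift: int) -> int:
    """Invert y ^= y >> shift; each pass recovers `shift` more bits from the top."""
    r = y
    for _ in range(32 // shift + 1):
        r = y ^ (r >> shift)
    return r


def undo_left_xor_and(y: int, shift: int, mask: int) -> int:
    """Invert y ^= (y << shift) & mask, working upwards from the low bits."""
    r = y
    for _ in range(32 // shift + 1):
        r = y ^ ((r << shift) & mask)
    return r & MASK32


def untemper(y: int) -> int:
    """Recover the raw state word from one tempered 32-bit output."""
    y = undo_right_xor(y, 18)
    y = undo_left_xor_and(y, 15, TEMPER_C)
    y = undo_left_xor_and(y, 7, TEMPER_B)
    return undo_right_xor(y, 11)


def clone_mt(outputs):
    """Rebuild a generator from 624 consecutive 32-bit outputs that start at a
    state refresh (true right after seeding; otherwise slide the window)."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    clone.setstate((3, tuple(state + [624]), None))  # index 624: refresh next
    return clone


def demo(seed: int = 1337, n: int = 5) -> bool:
    """Constructed victim: observe 624 values, then predict the next n."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt(observed)
    predicted = [clone.getrandbits(32) for _ in range(n)]
    actual = [victim.getrandbits(32) for _ in range(n)]
    return predicted == actual
```

`getrandbits(32)` is used because it returns one raw generator word; `random()` consumes two words per call and would need reassembling first. The practical takeaway is the one Sequencer cannot give you: session tokens and reset codes need `secrets` (a CSPRNG), not `random`, no matter how good the entropy estimate looks.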

5. Tools of the week

Depix & Intro
Proxify
HTTPSignatures & Intro

Depix is a Python tool that helps recover passwords from pixelized screenshots. It’s worth trying when looking for information disclosure in public documents.

Proxify is a new Web proxy in Go by @pdiscoveryio. It looks interesting either as a standalone tool or chained with Burp/ZAP: it can dump all traffic to a file, replay traffic in Burp, match and replace requests and responses on the fly, match and filter traffic, and more.

HTTPSignatures is a Burp extension that implements the HTTP Message Signatures specification draft (draft-ietf-httpbis-message-signatures-01). As apps start adopting HTTP signatures, this extension will help test them seamlessly.
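The Hackvertor tutorial above and the HTTPSignatures extension solve the same testing problem: once an application signs its requests, every edit made in the proxy breaks the signature unless the tester can recompute it with the client's key. The following added example is mine, not the tutorial's, the extension's, or the draft's wire format. It uses a simplified HMAC scheme that only borrows the draft's ideas of a declared list of covered components and a body digest; the key, the request and the header layout are all constructed assumptions. It shows a tampered request being rejected, then accepted once re-signed, which is exactly the step a proxy extension automates.

```python
import base64
import hashlib
import hmac
import re

# Hypothetical client secret. In a real engagement it is recovered from the
# mobile app or JS bundle; it is what the proxy extension needs to re-sign.
DEMO_KEY = b"demo-hmac-key-not-a-real-secret"
COVERED = ("@request-target", "host", "date", "content-digest")


def content_digest(body: bytes) -> str:
    """Body hash header, so the signature binds the body via one short value."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def signature_base(method: str, path: str, headers: dict, covered) -> str:
    """Canonical string: one line per covered component, in the declared order."""
    lines = []
    for name in covered:
        if name == "@request-target":
            lines.append(f'"@request-target": {method.lower()} {path}')
        else:
            lines.append(f'"{name}": {headers[name]}')
    return "\n".join(lines)


def sign_request(req: dict, key: bytes, covered=COVERED) -> dict:
    """Return a copy of req with Content-Digest, Signature-Input and Signature set."""
    headers = {k.lower(): v.strip() for k, v in req["headers"].items()}
    headers["content-digest"] = content_digest(req["body"])
    base = signature_base(req["method"], req["path"], headers, covered)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    headers["signature-input"] = (
        "sig1=(" + " ".join(f'"{c}"' for c in covered) + ');alg="hmac-sha256"')
    headers["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return {**req, "headers": headers}


def verify_request(req: dict, key: bytes) -> bool:
    """Server side: recompute everything from the request and compare."""
    headers = {k.lower(): v.strip() for k, v in req["headers"].items()}
    m = re.fullmatch(r'sig1=\((.*)\);alg="hmac-sha256"', headers.get("signature-input", ""))
    if not m:
        return False
    covered = re.findall(r'"([^"]+)"', m.group(1))
    # A signature that binds neither the target nor the body protects nothing.
    if "@request-target" not in covered or "content-digest" not in covered:
        return False
    if headers.get("content-digest") != content_digest(req["body"]):
        return False
    try:
        base = signature_base(req["method"], req["path"], headers, covered)
    except KeyError:                       # a covered header is missing
        return False
    sm = re.fullmatch(r"sig1=:([A-Za-z0-9+/=]+):", headers.get("signature", ""))
    if not sm:
        return False
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sm.group(1)), expected)


# Constructed request; host, path and body are made up for the demo.
ORIGINAL = {
    "method": "POST",
    "path": "/api/v1/transfer",
    "headers": {"Host": "api.example.test",
                "Date": "Wed, 16 Dec 2020 10:00:00 GMT",
                "Content-Type": "application/json"},
    "body": b'{"to": "acct-1001", "amount": 10}',
}


def tamper_and_resign(signed: dict, key: bytes, **changes):
    """Edit a signed request the way a proxy user would. Returns
    (accepted with the stale signature?, accepted after re-signing?)."""
    edited = {**signed, **changes}
    return verify_request(edited, key), verify_request(sign_request(edited, key), key)
```

Changing the body or the path of a signed request yields `(False, True)`: the stale signature fails, the re-signed one passes. When testing a real scheme, the two things to pin down before automating are the exact canonical string (order, casing, what is and is not covered) and where the client keeps the key; a scheme that leaves the body or target out of the covered list is a finding on its own.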

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Solarflare & Intro: SolarWinds Orion Account Audit / Password Dumping Utility

  • Cloudlist: A Go tool for listing Assets from multiple Cloud Providers

  • FlyDNS: Related subdomains finder

  • JNDI-Exploit-Kit: A modified version of @welk1n's JNDI-Injection-Exploit. It can be used to start an HTTP server, RMI server and LDAP server to exploit Java web apps vulnerable to JNDI injection

  • CornerShot: Amplify network visibility from multiple POV of other hosts

  • pstf^2 & Intro: Passive Security Tools Fingerprinting Framework

  • SnitchDNS & Intro: Database Driven DNS Server with a Web UI, that makes DNS admin easier for red teams & pentesters

  • rga / ripgrep-all: ripgrep wrapper that can also search in PDFs, E-Books, Office documents, zip, tar.gz, etc

    • “Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.”

  • rawsec_cli: Rawsec’s Cybersecurity Inventory cli. Search pentesting tools, resources, ctf, os.

Tools updates

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/06/2020 to 12/13/2020.
