By Anna Hammond
December 16, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 06 to 13 December.
FireEye hacked, Amnesia:33 & A device-bricking UEFI malware
Portable Data exFiltration: XSS for PDFs & Presentation
This is @garethheyes’s new research, presented at Black Hat Europe. He developed a new injection technique based on controlling a single HTTP link in a PDF document. It allows exfiltrating the PDF file’s contents (like a Blind XSS via PDF) or performing SSRF. Several PDF libraries were found vulnerable, including Acrobat and Chrome’s PDFium.
This is really cool. PDF files are used all the time, and they can be totally compromised with just one little link!
Content-Security-Policy Bypass to perform XSS using MIME sniffing
How I hacked Facebook: Part One (Facebook, $7,500)
The YouTube bug that allowed unlisted uploads to any channel (Google, $6,337)
The first one is about two XSS that were blocked by CSP and seemed unexploitable, but became exploitable when chained together using MIME sniffing. The second writeup is about an admin account takeover (in a thefacebook.com subdomain) caused by an exposed password change endpoint. The third writeup is about a simple IDOR that would’ve allowed anyone to upload videos to someone else’s YouTube channel.
These are all proof that the best findings aren’t necessarily the most complicated!
Advanced Testing Of Web Application With Custom Message Signing Using Hackvertor
This tutorial shows how to use the Burp extension Hackvertor to bypass replay protection mechanisms like message signing. This isn’t a new problem, but it is not extensively documented, so this can be helpful.
Y’all have been nice this year, so Santa Claus has great talks for you! Topics range from S3 bucket weaknesses to car hacking, adversary emulation, HID card hacking, red teaming, Kubernetes attacks, Offensive Security Tools and more.
Burp Suite Sequencer users will also be interested in the “Random Facts About Mersenne Twisters” talk on pseudo-random number generators and this thread on how Sequencer works.
Depix & Intro
Proxify
HTTPSignatures & Intro
Depix is a Python tool that helps recover passwords from pixelized screenshots. It’s worth trying when looking for information disclosure in public documents.
Proxify is a new Web proxy in Go by @pdiscoveryio. It looks interesting either as a standalone tool or chained with Burp/ZAP. It can dump all traffic to a file, replay traffic in Burp, match and replace requests and responses on-the-fly, match/filter traffic…
HTTPSignatures is a Burp extension that implements the Signing HTTP Messages specification draft (draft-ietf-httpbis-message-signatures-01). As apps start adopting HTTP Signatures, this extension will help test them seamlessly.
Gynvael Talks About Infosec Certificates, Playing CTFs, Google’s CTF, and Getting Into Hacking!
Cybertalk EP8 – Better Bug Bounty Hunting, CTF’s & Reverse Engineering
How To Prevent IDORs | Security Simplified, Intro to Command Injection | Security Simplified & How to Prevent Command Injections
Distributed Recon – Axiom Scan Resolves 6M FQDNs in 10 Minutes
Risky Business #608 — FireEye discloses breach and tool exfil
Atheris Python Fuzzer, Bronze Bit Attack, & FireEye Highlights – ASW #134
Steam Flaws, Kerberos Exploit, Facebook Lawsuit, & Black Mirror – Wrap Up – SWN #88
Layer 8 Podcast Episode 36: Inês Narciso – Teamwork Makes Dreamwork
The Privacy, Security, & OSINT 199-Physical Security Assessments
The InfoSec & OSINT Show 37 – Jenny Radcliffe & People Hacking
Webcast: Getting Started with Burp Suite & Webapp Pentesting
Q&A: Finding & Reversing Malicious Mobile Apps with Kristina (chmodxx)
GHSL-2020-205: Remote Code Execution in Apache Struts 2 – S2-061 – CVE-2020-17530 #Web
CVE-2020-17049: Kerberos Bronze Bit Attack – Overview, Theory & Practical Exploitation #AD
PsExec Local Privilege Escalation #Windows #LPE
Game On – Finding vulnerabilities in Valve’s “Steam Sockets” (Valve)
How I dumped PII information of customers in an ecommerce site?
A very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service (Basecamp, $1,000)
How I got my First Bug Bounty in Interesting Target (LFI to SXSS)
CVE-2020-8286: Inferior OCSP verification (Curl, $900)
See more writeups on The list of bug bounty writeups.
Solarflare & Intro: SolarWinds Orion Account Audit / Password Dumping Utility
Cloudlist: A Go tool for listing Assets from multiple Cloud Providers
FlyDNS: Related subdomains finder
JNDI-Exploit-Kit: A modified version of @welk1n’s JNDI-Injection-Exploit. It can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection
CornerShot: Amplify network visibility from the points of view of other hosts
pstf^2 & Intro: Passive Security Tools Fingerprinting Framework
SnitchDNS & Intro: Database Driven DNS Server with a Web UI, that makes DNS admin easier for red teams & pentesters
rga / ripgrep-all: ripgrep wrapper that can also search in PDFs, E-Books, Office documents, zip, tar.gz, etc
“Wraps ripgrep, the fastest grep-like tool, but enables it to search pdf, docx, sqlite, jpg, movie subtitles (mkv, mp4), etc.”
rawsec_cli: Rawsec’s Cybersecurity Inventory cli. Search pentesting tools, resources, ctf, os.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/06/2020 to 12/13/2020.