Bug Bytes #102 – A $20k Outlook bug, The hacker interviewer interviewed & How to get pwned by your SIEM

By Anna Hammond

December 23, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 13 to 20 of December.

Intigriti News

SolarWinds whirlwind, Malwareless ransomware & Cisco 9.9/10 bug

Our favorite 5 hacking items

1. Tips of the week

@irsdl’s #XMas2020 research notes
@eur0pa_’s method for using Burp 1.7 with the latest extensions

@irsdl has been sharing awesome hacking notes and tips on topics like deserialization bugs, WAF bypass, Burp & Fiddler, SalesForce apps security & many more. Really worth checking out!

Another noteworthy tip is for people who prefer to stay on Burp 1.7. @eur0pa_ shows how to make it work with all the latest extensions.

2. Writeups of the week

Coordinated disclosure of XML round-trip vulnerabilities in Go’s standard library
LogRhythm Zero Days
This is how I was able to view anyone’s private email and birthday on Instagram (Facebook, $13,125)

This week’s writeups are about authentication bypass in Go’s XML parser, a critical chain of WebSocket-related vulnerabilities in LogRhythm (a popular SIEM solution!) and a simple but impactful information disclosure on Instagram.

3. Video of the week

STOK Interviewed Me! 😱😱😱
I hacked Outlook and could’ve read all of your EMAILS!

Fans of @NahamSec’s interviews with hackers will love this special edition. He is the one being interviewed and answering all the usual questions on his hacker journey, life/time balance, time management, bug bounty collaboration, etc.
The second video by @ngalongc is a cool writeup of a $20k JWT bug he found in Outlook.

4. Tutorial of the week

Subdomain Takeover: Going for High Impact

@0xpatrik noticed that subdomain takeovers are harder to find nowadays and considered less dangerous because of new mitigations by cloud providers. But they’re not dead yet! If you find a subdomain takeover, make sure to increase its impact using the escalation methods he is sharing (or if you know of other ones, the community would love to hear them).

5. Resource of the week

OAuth 2.0 authentication vulnerabilities

PortSwigger just released this new Web Security Academy course on OAuth and OpenID Connect vulnerabilities. With their usual clear explanations and many labs, this is the perfect opportunity to practice or learn about OAuth hacking!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • WhiteChocolateMacademiaNut & Intro: Interact with Chromium-based browsers’ debug port to view open tabs, installed extensions, and cookies

  • Python2Intruder: Pythonize Intruder Payload

  • JupyterPen: A Repository dedicated to creating modular and automated penetration testing frameworks utilizing Jupyter Notebooks

  • Lazy-FuzzZ: Wrapper around ffuf

  • Fast security scanners/checks: Dockerized tools for various Web security tests

  • fridroid-unpacker: Defeat Java packers via Frida instrumentation

  • js-x-ray: JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns.

  • dmut: A tool to perform permutations, mutations and alteration of subdomains in golang

  • Emba: Analyzer for Linux-based firmware of embedded devices

  • Fortiscan: A high performance FortiGate SSL-VPN vulnerability scanning and exploitation tool.

  • GRecon: Python tool that automates the process of Google Based Recon AKA Google Dorking

  • deepce: Docker Enumeration, Escalation of Privileges and Container Escapes

  • Go365: An Office365 User Attack Tool

  • PrettyRECON & Intro: Commercial recon tool with GUI

Tools updates

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/13/2020 to 12/20/2020.

You may also like