Bug Bytes #107 – Go for HTTP smuggling, Open source frameworks vs Cache poisoning & Practicing RCE in NodeJS apps

By Anna Hammond

January 27, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 18 to 25 January.

Intigriti News

January XSS Challenge

A slew of Cisco bugs, Risks of DoH & DNSpooq (aka new proof that it’s always DNS!)

Our favorite 5 hacking items

1. Videos of the week

Insecure Deserialization Attack Explained
Live Recon on Snapchat with @ITSecurityGuard (amass, FFUF, SecurityTrails Demo)

@PwnFunction is back with an awesome video tutorial on deserialization. It is concise and maybe the best explanation I’ve seen on this rather complex vulnerability class.

The other video is the first of a new series by @NahamSec where he hacks live with a fellow bug hunter (@ITSecurityGuard this time). This is a fantastic idea, like a practical interview or walkthrough to see how other hackers work.

2. Writeup of the week

The Secret Parameter, LFR, and Potential RCE in NodeJS Apps

This is an informative writeup by @0xCaptainFreak on Local File Read in NodeJS apps, when ExpressJS is used with hbs (view engine for Handlebars). Without spoiling it more, can you find the issue in this code that reproduces the bug?

3. Article of the week

Cache poisoning in popular open source packages

@snyksec dived into Web cache poisoning in open source packages and found several well known frameworks vulnerable. For example, Bottle, Tornado and Rack all rely on `parse_qsl`, a query-string parsing method from Python’s standard library whose behaviour makes them vulnerable to cache poisoning attacks.

4. Tip of the week

Another way to do HTTP smuggling

@BitK_ shared a new HTTP smuggling technique that @albinowax interprets as “Golang’s network stack attempting to parse HTTP headers as ~UTF-8 even though everyone else treats them as ASCII”. It is yet to be confirmed but looks like a very interesting area to explore.

5. Tool of the week

BurpSuiteSharpener

New week, new Burp customizer extension! This one from @irsdl adds cool features like the ability to change Burp’s title and icon, to change the style of tabs and use pretty Gradient icons.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Tips

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

Nice beanie there @xsstnv!

We love hearing from you and celebrating your wins. Tag us if you also want to share your swag and bug hunting joys with other Bug Bytes readers.