By Anna Hammond
January 27, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 18 to 25 of January.
A slew of Cisco bugs, Risks of DoH & DNSpooq (aka new proof that it’s always DNS!)
Insecure Deserialization Attack Explained
Live Recon on Snapchat with @ITSecurityGuard (amass, FFUF, SecurityTrails Demo)
@PwnFunction is back with an awesome video tutorial on deserialization. It is concise and maybe the best explanation I’ve seen on this rather complex vulnerability class.
The other video is the first of a new series by @NahamSec where he hacks live with a fellow bug hunter (@ITSecurityGuard this time). This is a fantastic idea, like a practical interview or walkthrough to see how other hackers work.
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps
This is an informative writeup by @0xCaptainFreak on Local File Read in NodeJS apps, when ExpressJS is used with hbs (view engine for Handlebars). Without spoiling it more, can you find the issue in this code that reproduces the bug?
Cache poisoning in popular open source packages
@snyksec dug into web cache poisoning in open source packages and found several well-known frameworks vulnerable. Bottle and Tornado, for example, rely on “parse_qsl” from Python’s standard library, whose lenient query-string parsing (it accepted “;” as well as “&” as a parameter separator) exposes them to cache poisoning attacks, and Rack’s query parser behaved the same way.
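To make the separator confusion concrete, here is an added toy reproduction (constructed for this issue, not Snyk’s research code or any framework’s code). It re-implements the old, lenient “parse_qsl” behaviour and the strict one side by side, and puts them behind a hypothetical front-end cache that strips “utm_*” tracking parameters from its key (a common CDN rule) and a hypothetical JSONP-style backend that reflects a “callback” parameter. The cache splits only on “&”, the lenient backend also splits on “;”, and that mismatch is enough to get an attacker-controlled response cached under the victim’s URL.

```python
"""Parameter-separator confusion behind web cache poisoning (constructed example)."""


def legacy_parse_qsl(qs):
    # Old urllib.parse.parse_qsl behaviour (before Python 3.9.2 / 3.8.8):
    # both '&' and ';' separate key=value pairs. Re-implemented here so the
    # demo behaves identically on every interpreter version.
    pairs = []
    for chunk in qs.split("&"):
        for pair in chunk.split(";"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            pairs.append((key, value))
    return pairs


def strict_parse_qsl(qs):
    # Fixed behaviour: only '&' separates pairs. This is what
    # parse_qsl(qs, separator="&") does on patched Pythons (and the default there).
    pairs = []
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        pairs.append((key, value))
    return pairs


# Hypothetical CDN rule: tracking parameters are ignored when computing the cache key.
UNKEYED = {"utm_source", "utm_content"}


def cache_key(path, qs):
    # The cache splits on '&' only, so "utm_content=x;callback=alert(1)//" is
    # ONE unkeyed pair in its eyes and is dropped from the key entirely.
    kept = [pair for pair in qs.split("&") if pair.partition("=")[0] not in UNKEYED]
    return path + ("?" + "&".join(kept) if kept else "")


def backend(qs, parser):
    # Hypothetical JSONP-style endpoint: reflects 'callback' into the response body.
    params = dict(parser(qs))
    callback = params.get("callback", "handleResult")
    q = params.get("q", "")
    return f'{callback}({{"q": "{q}"}})'


def serve(cache, path, qs, parser):
    # Cache-then-origin: the first request for a key populates the cache.
    key = cache_key(path, qs)
    if key not in cache:
        cache[key] = backend(qs, parser)
    return cache[key]


def run_scenario(parser):
    cache = {}
    # 1. Attacker: the cache sees q=hello plus an ignorable utm_content pair;
    #    a lenient backend additionally sees callback=alert(1)//.
    serve(cache, "/search", "q=hello&utm_content=x;callback=alert(1)//", parser)
    # 2. Victim: asks for the plain URL and receives whatever was cached for it.
    return serve(cache, "/search", "q=hello", parser)


if __name__ == "__main__":
    print("lenient parser:", run_scenario(legacy_parse_qsl))
    print("strict parser: ", run_scenario(strict_parse_qsl))
```

With the lenient parser the victim is handed the attacker’s “alert(1)//” callback; with the strict parser the attacker’s request produces the normal response and nothing is poisoned. On a patched interpreter the real “urllib.parse.parse_qsl” takes a “separator” keyword and defaults to “&”, so the practical check is that your Python is at least 3.9.2 (or 3.8.8) and that no code passes a permissive separator back in; the same confusion exists whenever the cache and the origin disagree on any delimiter, not just “;”.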
Another way to do HTTP smuggling
@BitK_ shared a new HTTP smuggling technique that @albinowax interprets as Golang’s network stack attempting to “parse HTTP headers as ~UTF-8 even though everyone else treats them as ASCII”. It is yet to be confirmed but looks like a very interesting area to explore.
New week, new Burp customizer extension! This one from @irsdl adds cool features like the ability to change Burp’s title and icon, to change the style of tabs and to use pretty gradient icons.
Intro to CSRF (Cross-Site Request Forgery) – Security Simplified
$15,000 Playstation Now RCE via insecure WebSocket connection – Bug Bounty Reports Explained
Unauthenticated XSS to Remote Code Execution Chain in Mautic < 3.2.4 #Web
Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678) #NTLM #Network
Microsoft Teams and Skype Logging Privacy Issue #DesktopApp
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) #Linux
The State of State Machines #WebRTC
CVE-2020-5144 – SonicWall Global VPN New Elevation of Privileges Vulnerability #LPE #Windows
$10,000 for automatic email confirmation bug in Microsoft’s Edge browser (Microsoft, $10,000)
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card (Amazon, $18,000)
Let’s know How I have explored the buried secrets in React Native application
BitLocker Lockscreen bypass (Microsoft)
ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792 (Apple, Google)
Possible RCE through Windows Custom Protocol on Windows client (NordVPN, $500)
See more writeups on The list of bug bounty writeups.
EIP Fishing: Go fish on AWS EIPs
jwtXploiter: A tool to test the security of JSON Web Tokens
SAP_EEM_CVE-2020-6207: PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)
Executable XSS cheat sheets for popular web frameworks #CodeReview
OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep #CodeReview
Credentials hiding in plain sight or how I pwned your http auth & httpcreds
Nice beanie there @xsstnv!
We love hearing from you and celebrating your wins. Tag us if you also want to share your swag and bug hunting joys with other Bug Bytes readers.