Bug Bytes #109 – Hacking big tech companies with Dependency Confusion, Using crypto to forge JWTs & XSS that works in 2021

By Anna Hammond

February 10, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 1st to February 8.

Intigriti News

SolarWinds RCE, NAT Slipstream v2 & Accellion under attack

Our favorite 5 hacking items

1. Writeup of the week

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Wow, this is such a great writeup! If you don’t have time to check out anything else, just read this for a dose of mindblowing Web security research. Alex Birsan (@alxbrsn) explains an attack he calls “dependency confusion” that affected big companies.

In a nutshell: if a company installs private Python, Ruby or Node packages from an internal registry, and someone publishes a package with the same name and a higher version number to the public registry, the package manager prefers the public package. That makes it possible to run code on the target’s internal servers and on developers’ PCs, and it is how Alex pwned PayPal, Shopify, Apple, Microsoft and many more.
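To see the resolution rule from the defender's side, here is an added example (my own code, not Alex Birsan's research tooling or any company's real package data). It models how pip treats `--extra-index-url` (all configured indexes form one pool and the highest version wins, as pip documents) versus a single `--index-url` that proxies vetted public packages, and adds a small audit helper that flags internal package names which also exist on the public index. The two index listings are constructed, and the version parser handles dotted numeric versions only.

```python
"""Model of dependency confusion in a pip-style resolver, plus an audit helper."""


def parse_version(v):
    """Constructed: dotted numeric versions only (no pre-release/post-release rules)."""
    return tuple(int(x) for x in v.split("."))


# Constructed data: what the company's private index serves ...
PRIVATE_INDEX = {"acme-auth": "1.4.0", "acme-billing": "2.0.1", "requests": "2.25.1"}
# ... and what the public index serves; two internal names have been claimed there.
PUBLIC_INDEX = {"requests": "2.25.1", "acme-auth": "99.0.0", "acme-billing": "2.0.1"}


def resolve(name, private, public, extra_index=True):
    """Return (version, source) for the package the resolver would install.

    extra_index=True models `pip install --extra-index-url <private>`: pip merges
    all indexes into one candidate pool and installs the highest version, so a
    public package with a bigger version number beats the internal one.
    extra_index=False models `--index-url <private>` where the private index is
    the only source and proxies the public packages it has vetted.
    Ties are resolved in favour of the private index here; real pip makes no such
    promise, which is one more reason not to rely on a single index pool."""
    candidates = []
    if name in private:
        candidates.append((parse_version(private[name]), "private"))
    if extra_index and name in public:
        candidates.append((parse_version(public[name]), "public"))
    if not candidates:
        raise LookupError(f"{name}: not found in any configured index")
    version, source = max(candidates, key=lambda c: c[0])
    return ".".join(map(str, version)), source


def audit(private, public, known_public=()):
    """Flag private package names that also exist on the public index.

    known_public lists upstream packages the private index merely mirrors, so they
    are expected collisions. Anything else sharing a name is a takeover risk;
    severity is 'high' when the public version already outranks the private one."""
    findings = []
    for name, priv_v in sorted(private.items()):
        if name in known_public or name not in public:
            continue
        pub_v = public[name]
        severity = "high" if parse_version(pub_v) > parse_version(priv_v) else "medium"
        findings.append((name, priv_v, pub_v, severity))
    return findings


if __name__ == "__main__":
    print("with --extra-index-url:", resolve("acme-auth", PRIVATE_INDEX, PUBLIC_INDEX))
    print("with --index-url only: ", resolve("acme-auth", PRIVATE_INDEX, PUBLIC_INDEX, extra_index=False))
    for finding in audit(PRIVATE_INDEX, PUBLIC_INDEX, known_public={"requests"}):
        print("collision:", finding)
```

The audit is only as good as its allowlist: `requests` is a genuine public package that the private index mirrors, so it is not a finding, while `acme-billing` is flagged even at an equal version because the name is claimable by anyone. The durable fixes are the ones the writeup points at: serve everything through one index that the organisation controls, and register (or otherwise reserve) internal package names on the public registries.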

2. Article of the week

Abusing JWT Public Keys Without The Public Key & rsa_sig2n

Silent Signal researchers had to test an RSA implementation but did not have the public keys used to verify signatures. So, they came up with a new technique to derive public keys from just two signatures. The most interesting bit for bug hunters is that it helps forge JWT tokens as shown in the PoC exploiting CVE-2017-11424 (a key confusion vulnerability in pyJWT).
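Both halves of that story in one runnable piece, as an added example (my own code, not Silent Signal's rsa_sig2n and not pyJWT's code). It builds a toy RSA key with a deliberately small public exponent (e = 3, 512-bit modulus, labelled as such) so the arithmetic stays fast in pure Python, signs RS256 tokens with PKCS#1 v1.5 padding, then shows two things: first, that a verifier which trusts the token's `alg` header and holds an RSA public key will accept an HS256 token MACed with the public key bytes (the key-confusion bug class behind the pyJWT CVE the article references), and that pinning the expected algorithm rejects it; second, that the modulus can be recovered from two signed tokens alone via a gcd, which is why "the public key isn't published" is not a mitigation. The public-key serialisation is a stand-in for a PEM file, and a production-grade recovery tool would use a faster big-integer library to cope with e = 65537.

```python
import base64, hashlib, hmac, json, math, secrets

E = 3  # constructed: a small public exponent keeps the pure-Python gcd step fast
# DER DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits=512):
    """Toy RSA key (n, d); primes are chosen so that gcd(E, phi(n)) == 1."""
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % E != 1 and is_probable_prime(p):
                return p
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus, as an int."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def public_key_bytes(n):
    """Stand-in for the public-key PEM a server keeps on disk."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_jwt(payload, alg, key):
    """key is (n, d) for RS256, or the raw HMAC secret for HS256."""
    header = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    if alg == "RS256":
        n, d = key
        k = (n.bit_length() + 7) // 8
        sig = pow(emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")
    else:
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(sig)}"


def verify_jwt(token, n, expected_alg=None):
    """Verifier that holds only the RSA public key.
    expected_alg=None reproduces the key-confusion bug class: the attacker-controlled
    'alg' header decides the algorithm, so an HS256 token MACed with the public key
    bytes is accepted. Pinning expected_alg="RS256" is the fix."""
    header, body, sig = token.split(".")
    alg = json.loads(b64u_dec(header))["alg"]
    if expected_alg is not None and alg != expected_alg:
        return False
    signing_input = f"{header}.{body}".encode()
    s = b64u_dec(sig)
    if alg == "RS256":
        k = (n.bit_length() + 7) // 8
        return pow(int.from_bytes(s, "big"), E, n) == emsa_pkcs1_v15(signing_input, k)
    if alg == "HS256":
        mac = hmac.new(public_key_bytes(n), signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(mac, s)
    return False


def recover_modulus(tokens):
    """Silent Signal's observation: for every valid PKCS#1 v1.5 signature,
    s^e - pad(H(m)) is a multiple of n, so the gcd across two RS256 tokens is n
    times a small cofactor, which trial division strips."""
    g = 0
    for t in tokens:
        header, body, sig = t.split(".")
        raw = b64u_dec(sig)
        s = int.from_bytes(raw, "big")
        g = math.gcd(g, s ** E - emsa_pkcs1_v15(f"{header}.{body}".encode(), len(raw)))
    for p in range(2, 10000):
        while g % p == 0:
            g //= p
    return g
```

Usage: `n, d = gen_key()`, mint a token with `make_jwt({"sub": "alice"}, "RS256", (n, d))`, and compare `verify_jwt(token, n)` against `verify_jwt(token, n, "RS256")` for an HS256 token built with `public_key_bytes(n)` as the secret. Two RS256 tokens fed to `recover_modulus` return `n`. The practical lesson for a verifier is the pinned branch: decide the algorithm from server configuration, never from the token, and keep RSA keys and HMAC secrets in separate code paths.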

3. Tools of the week

UDdup
dwn & dwn – a docker pwn tool manager experiment

UDdup is a handy Python tool that detects similar endpoints (e.g. /product/123?is_prod=false and /product/222?is_debug=true) in a list and removes them. This is helpful for removing redundant URLs from the output of recon tools like gau or waybackurls.
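To show the kind of normalisation such a tool performs, here is an added example (my own heuristic, not UDdup's actual algorithm): numeric path segments are collapsed to a placeholder and query values are ignored, so the two product URLs above share one signature and only the first survives. Query parameter names are dropped from the signature by default to match the page's example, with a switch to keep them, since a new parameter name such as `is_debug` is often exactly what a tester wants to notice. The sample URLs are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

NUMERIC = re.compile(r"^\d+$")


def url_signature(url, keep_param_names=False):
    """Constructed heuristic for 'similar' URLs.

    Two URLs are similar when scheme, host and path template match, where a path
    template replaces purely numeric segments with {n}. Query values never count;
    parameter names count only when keep_param_names=True."""
    parts = urlsplit(url)
    path = "/".join("{n}" if NUMERIC.match(seg) else seg for seg in parts.path.split("/"))
    sig = (parts.scheme.lower(), parts.netloc.lower(), path)
    if keep_param_names:
        names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
        sig += (names,)
    return sig


def dedupe_urls(urls, keep_param_names=False):
    """Keep the first URL seen for each signature, preserving input order."""
    seen, kept = set(), []
    for url in urls:
        sig = url_signature(url, keep_param_names)
        if sig not in seen:
            seen.add(sig)
            kept.append(url)
    return kept


# Constructed sample, the sort of list gau or waybackurls would emit.
SAMPLE = [
    "https://shop.example/product/123?is_prod=false",
    "https://shop.example/product/222?is_debug=true",
    "https://shop.example/product/123/reviews",
    "https://shop.example/static/app.js",
    "https://shop.example/static/app.js?v=2",
]

if __name__ == "__main__":
    for u in dedupe_urls(SAMPLE):
        print(u)
```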

dwn is a “docker-compose for hackers”. @leonjza created it to solve some limitations of docker-compose. It allows you to run dockerized tools from any folder with the ability to make on-the-fly configuration changes, dynamic port maps and volume mounts (all of which aren’t possible with docker-compose).

4. Videos of the week

Recon and Corporate OSINT with DNSGrep and Rapid7 Open Data
Live Recon and Google Dorking on the Department of Defense’s Vuln Disclosure Program with @thedawgyg

These videos will be very informative if you want to improve your recon. @codingo_ shares why using data sources directly (as opposed to running multiple subdomain enumeration tools) can be beneficial and how to do it, with a focus on the Rapid7 Open Data project.

In the second video, @thedawgyg does some live recon on the Department of Defense’s Vulnerability Disclosure Program and shows @NahamSec his approach and tips.

5. Resource of the week

Cheatsheet: XSS that works in 2021

This is a new cool cheatsheet full of XSS payloads, filter bypasses and tips that work in modern browsers.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

Cool tower there @holme_sec!

We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.
