Bug Bytes #109 – Hacking big tech companies with Dependency Confusion, Using crypto to forge JWTs & XSS that works in 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 1st to February 8.

Intigriti News

SolarWinds RCE, NAT Slipstream v2 & Accellion under attack

Our favorite 5 hacking items

1. Writeup of the week

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Wow, this is such a great writeup! If you don’t have time to check out anything else, just read this for a dose of mindblowing Web security research. Alex Birsan (@alxbrsn) explains an attack he calls “dependency confusion” that affected big companies.

In a nutshell: If a company uses a private package to install Python, Ruby or Node dependencies and a public repository is created with the same name and a latest version, the package manager will give preference to the public package. It makes it possible to run code on the target’s internal servers and developers’ PCs. That’s how Alex pwned Paypal, Shopify, Apple, Microsoft and many more.

2. Article of the week

Abusing JWT Public Keys Without The Public Key & rsa_sig2n

Silent Signal researchers had to test an RSA implementation but did not have the public keys used to verify signatures. So, they came up with a new technique to derive public keys from just two signatures. The most interesting bit for bug hunters is that it helps forge JWT tokens as shown in the PoC exploiting CVE-2017-11424 (a key confusion vulnerability in pyJWT).

3. Tools of the week

UDdup
dwn & dwn – a docker pwn tool manager experiment

UDdup is a handy Python tool that detects similar endpoints (e.g. /product/123?is_prod=false and /product/222?is_debug=true) in a list and removes them. This is helpful for removing redundant URLs from the output of recon tools like gau or waybackurls.

dwn is a “docker-compose for hackers”. @leonjza created it to solve some limitations of docker-compose. It allows you to run dockerized tools from any folder with the ability to make on-the-fly configuration changes, dynamic port maps and volume mounts (all of which aren’t possible with docker-compose).

4. Videos of the week

Recon and Corporate OSINT with DNSGrep and Rapid7 Open Data
Live Recon and Google Dorking on the Department of Defenses Vuln Disclosure Program with @thedawgyg

These videos will be very informative if you want to improve your recon. @codingo_ shares why using sources directly (as opposed to running multiple subdomain enumeration tools) can be benefial and how to do it, with a focus on the Rapid7 Open data project.

In the second video, @thedawgyg does some live recon on the Department of Defense’s Vulneability Disclosure Program and shows @NahamSec his approach and tips.

5. Resource of the week

Cheatsheet: XSS that works in 2021

This is a new cool cheatsheet full of XSS payloads, filter bypasses and tips that work in modern browsers.

Other amazing things we stumbled upon this week

Videos

• WhatsApp – a malicious GIF that could execute code on your smartphone – Bug Bounty Reports Explained

• Does Hacking Require Programming Skills?

• @Busra Demir Talks About Pentesting, Content Discovery, Getting Started With OSCP, Creating Content🔥

• Android Pentesting | Insecure Logging & Storage + Setup Genymotion & pidcat – Pt. 02

• $2 Rubber Ducky – Steal WiFi Passwords in Seconds

• Hack From Anywhere! – ZeroTier Remote Access

Podcasts

• DAY[0] Episode 63 – MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit

• SCADA Scandal – Defender Thinks Chrome is Malware, Plex Media Servers in DDoS Attacks

Webinars & Webcasts

• The Curious Case of Copy and Paste

• Enumerating Azure AD and ARM | Leron Gray

Conferences

• BSides København 2020, especially:

  • Organizational Asset Discovery & Recon with OWASP Amass)

  • Skirting the Edge: A novel Out of Band technique for data exfiltration

Tutorials

Medium to advanced

• Testing and exploiting Java Deserialization in 2021

• Tailoring Cobalt Strike On Target

Beginners corner

• Recon with Me !!!

• bash aliases: command-line tools #3

• A Pentester’s Guide to WebSocket Pentesting

• Skeletons in the IT Closet: Seven Common Microsoft Active Directory Misconfigurations that Adversaries Abuse

• Relaying 101

Writeups

Pentest writeups

• Bypassing WAFs (Web Application Filters)

• RCE using Path Traversal

• Customising an existing evilginx phishlet to work with modern Citrix

Responsible(ish) disclosure writeups

• Automatic Vulnerability ApacheDruid Remote Code Execute Detection and Exploitation & Nuclei template #RCE #Web

• Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities #RCE

• Unauthenticated SQL injection Time-based user enumeration #Web #CodeReview

Bug bounty writeups

• How I was able to Turn a XSS into a Account Takeover

• Facebook Messenger Desktop App Arbitrary File Read (Facebook, $2,000)

• Escalating SSRF to RCE

• XXE To AWS Metadata Disclosure

• How I Gain Access to the Server Administration of a Million-Dollar Company ($5,000)

• Microsoft Remote Desktop Web Access Authentication Timing Attack (Microsoft)

• Reflected XSS on a Public Program

• SSRF Exploitation in Libreoffice Spreadsheet File Converter

• Spoofing and Attacking With Skype (Microsoft)

• Github Account hijack through broken link in developer.twitter.com (Twitter)

See more writeups on The list of bug bounty writeups.

Tools

• Ditto: A Go tool for IDN homograph attacks and detection

• Doldrums & Reverse engineering Flutter for Android: A Flutter/Dart reverse engineering tool

• WebDork: A Python tool to automate Google dorking

• Thumbscr-EWS & Intro: A wrapper around the amazing exchangelib to do some common EWS operations

Tips & Tweets

• _method swapping on Rails & Symfony apps

• Subdomain takeover edge cases on can-i-take-over-xyz

• UUID bypass for IDOR

• Bash alias to proxy curl traffic though Burp

Misc. pentest & bug bounty resources

• @sec_r0’s WebAuthZine

• Top 25 Vulnerability Parameters based on frequency

• Awesome Azure Penetration Testing

• 18 Inclusive Communities Worth Joining

Articles

• The 10 Most Common Bugs Of 2021 So Far, And How To Find Them!

• Google: Data Driven Security Hardening in Android

• Wave 2 – Analysis of Internet Wide Web Servers

• Hunting Azure Blobs Exposes Millions of Sensitive Files

• Relay Attacks via Cobalt Strike Beacons

Bug bounty & Pentest news

• Project Discovery: We are going fulltime

• Announcing The Hacker Of The Hill (February 20)

• Google: Vulnerability Reward Program: 2020 Year in Review

Non technical

• Working with others hackers on the same targets/bounty

• Mortgage with Bug Bounties — Week 1

• Hacker Spotlight: Interview With Hazimaslam

Community pick of the week

Cool tower there @holme_sec!

We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.