By Anna Hammond
February 10, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 1st to February 8.
SolarWinds RCE, NAT Slipstream v2 & Accellion under attack
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Wow, this is such a great writeup! If you don’t have time to check out anything else, just read this for a dose of mind-blowing Web security research. Alex Birsan (@alxbrsn) explains an attack he calls “dependency confusion” that affected big companies.
In a nutshell: If a company installs Python, Ruby or Node dependencies from a private package that does not exist on the public registry, and someone publishes a public package with the same name and a higher version number, the package manager will give preference to the public package. That makes it possible to run code on the target’s internal build servers and developers’ PCs. That’s how Alex pwned PayPal, Shopify, Apple, Microsoft and many more.
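To make the resolution rule concrete, here is a small added model of it (not Alex Birsan’s code, and not any real package manager): two in-memory “indexes”, a naive resolver that takes the highest version from either, and a pinned resolver that only accepts known-internal names from the internal index. Package names, versions and the manifest are constructed samples.

```python
"""Toy model of the dependency-confusion resolution rule and its mitigation.

Added illustration, not code from the write-up. The "internal" and "public"
indexes, the package names and the versions are constructed samples; nothing
here talks to a real registry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # constructed label: "internal" or "public"


def parse_version(v: str) -> tuple:
    """Numeric comparison of dotted versions (a simplification of PEP 440 / semver)."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name, candidates):
    """Highest version seen on *any* index wins: the behaviour that makes the attack work."""
    matches = [c for c in candidates if c.name == name]
    return max(matches, key=lambda c: parse_version(c.version)) if matches else None


def resolve_pinned(name, candidates, internal_names):
    """Mitigation: a name known to be internal may only be satisfied from the internal index."""
    allowed = [
        c for c in candidates
        if c.name == name and (name not in internal_names or c.index == "internal")
    ]
    return max(allowed, key=lambda c: parse_version(c.version)) if allowed else None


def audit(manifest, candidates, internal_names):
    """Report each dependency where naive and pinned resolution disagree."""
    findings = []
    for name in manifest:
        naive = resolve_naive(name, candidates)
        safe = resolve_pinned(name, candidates, internal_names)
        if naive != safe:
            findings.append((name, naive.index if naive else None,
                             naive.version if naive else None))
    return findings


# Constructed sample: one internal package that also appears on the public
# index under the same name with an absurdly high version, plus a normal
# public dependency.
INTERNAL_NAMES = {"acme-billing-core"}
CANDIDATES = [
    Candidate("acme-billing-core", "1.4.2", "internal"),
    Candidate("acme-billing-core", "99.0.0", "public"),
    Candidate("requests", "2.25.1", "public"),
]
MANIFEST = ["acme-billing-core", "requests"]

if __name__ == "__main__":
    for name, idx, ver in audit(MANIFEST, CANDIDATES, INTERNAL_NAMES):
        print(f"{name}: naive resolution would install {ver} from the {idx} index")
```

The naive resolver is what you get in practice when indexes are merged, for example pip’s `--extra-index-url` (which adds the public index alongside the private one rather than replacing it) or an unscoped npm package name that falls through to the public registry. The pinned resolver corresponds to serving internal names only from a private index or proxy that never falls through, and to binding npm scopes to a registry in `.npmrc`.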
Abusing JWT Public Keys Without The Public Key & rsa_sig2n
Silent Signal researchers had to test an RSA implementation but did not have the public keys used to verify signatures. So, they came up with a new technique to derive public keys from just two signatures. The most interesting bit for bug hunters is that it helps forge JWT tokens as shown in the PoC exploiting CVE-2017-11424 (a key confusion vulnerability in pyJWT).
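The arithmetic behind “two signatures are enough” is short, so here is an added toy demonstration of it (not Silent Signal’s rsa_sig2n code). For any RSA signature, sig^e ≡ m (mod n), so n divides sig^e − m; with two message/signature pairs the gcd of the two differences recovers n up to small spurious factors. The example uses textbook RSA over a SHA-256 digest, a deterministically generated 320-bit toy key and a small public exponent so the big-integer work stays tiny; real keys use e = 65537 and the same computation on much larger intermediates (the tool uses GMP for that). All key material and messages are constructed for the demo.

```python
"""Toy demonstration of recovering an RSA modulus from two signatures.

Added example, not Silent Signal's code. Textbook RSA (no padding) over a
SHA-256 digest, with a small exponent so pow(sig, e) stays small. The key is
generated deterministically from a fixed seed and exists only for this demo.
"""
import hashlib
import random
from math import gcd


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with the top bit set, so p*q has a predictable size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def make_toy_key(bits=160, e=17, seed=1234):
    """Deterministic toy key (n, e, d); constructed for the demo only."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def message_int(msg: bytes) -> int:
    """Stand-in for the padded hash a real signature scheme would encode."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes, n: int, d: int) -> int:
    return pow(message_int(msg), d, n)


def strip_small_factors(x: int, bound: int = 10_000) -> int:
    """The gcd may carry small spurious factors besides n; divide them out."""
    if x == 0:
        return 0
    for f in range(2, bound):
        while x % f == 0:
            x //= f
    return x


def recover_modulus(msg1, sig1, msg2, sig2, e):
    """n divides sig^e - m for every valid pair, so the gcd of two such values is n (times junk)."""
    a = pow(sig1, e) - message_int(msg1)
    b = pow(sig2, e) - message_int(msg2)
    return strip_small_factors(gcd(a, b))


def guess_modulus(msg1, sig1, msg2, sig2, candidates=(3, 5, 17, 257)):
    """The exponent is usually unknown too: try small common values and verify the result.

    65537 is deliberately left out of the default list because pow(sig, 65537)
    without a modulus is far too slow in pure Python; the math is identical.
    """
    for e in candidates:
        n = recover_modulus(msg1, sig1, msg2, sig2, e)
        if n.bit_length() >= 128 and pow(sig1, e, n) == message_int(msg1) % n:
            return n, e
    return None


if __name__ == "__main__":
    n, e, d = make_toy_key()
    m1, m2 = b"header.payload-one", b"header.payload-two"   # constructed messages
    s1, s2 = sign(m1, n, d), sign(m2, n, d)
    print("recovered", guess_modulus(m1, s1, m2, s2) == (n, e))
```

Note what this does and does not mean for defenders: an RSA public key was never meant to be secret, so recovering it weakens nothing about RSA itself. The risk in the JWT case comes from a verifier that lets the token choose the algorithm, so that the recovered public key can be fed in as an HMAC secret; the fix is to pin the accepted algorithms on the server side (in pyJWT, the `algorithms=[...]` argument to `jwt.decode`) and keep libraries patched.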
UDdup
dwn & dwn – a docker pwn tool manager experiment
UDdup is a handy Python tool that detects similar endpoints (e.g. /product/123?is_prod=false and /product/222?is_debug=true) in a list and removes them. This is helpful for removing redundant URLs from the output of recon tools like gau or waybackurls.
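As an added illustration of the idea (not UDdup’s own code), the following normalises each URL into an endpoint “shape”, replacing numeric and long hexadecimal path segments with placeholders and ignoring query values, and keeps only the first URL per shape. The sample URLs are constructed; the grouping rules are my simplification, not necessarily the tool’s exact heuristics.

```python
"""Endpoint de-duplication by URL shape.

Added illustration of the idea behind UDdup, not the tool's code. The URLs
below are constructed samples.
"""
import re
from urllib.parse import urlsplit, parse_qsl

NUMERIC = re.compile(r"^\d+$")
HEXISH = re.compile(r"^[0-9a-fA-F]{8,}$")   # ids, hashes, tokens


def endpoint_shape(url: str, include_query_names: bool = False) -> tuple:
    """Reduce a URL to the parts that distinguish one endpoint from another.

    Numeric and long hex path segments become placeholders; query values are
    dropped. With include_query_names=True, differently named parameters keep
    URLs apart (the default merges them, matching the /product/... example).
    """
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        if NUMERIC.match(seg):
            seg = "{int}"
        elif HEXISH.match(seg):
            seg = "{hex}"
        segments.append(seg)
    query_names = ()
    if include_query_names:
        query_names = tuple(sorted(
            k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme.lower(), parts.netloc.lower(), "/".join(segments), query_names)


def dedupe(urls, include_query_names: bool = False) -> list:
    """Keep the first URL seen for each endpoint shape, preserving input order."""
    seen = set()
    kept = []
    for url in urls:
        key = endpoint_shape(url, include_query_names)
        if key not in seen:
            seen.add(key)
            kept.append(url)
    return kept


# Constructed sample output of a recon tool.
SAMPLE_URLS = [
    "https://example.com/product/123?is_prod=false",
    "https://example.com/product/222?is_debug=true",
    "https://example.com/product/123/reviews",
    "https://EXAMPLE.com/product/9/reviews?page=2",
    "https://example.com/api/v2/users/3fa85f64e1c9",
    "https://example.com/api/v2/users/7b2e1a9f4c03",
    "https://example.com/login",
]

if __name__ == "__main__":
    for url in dedupe(SAMPLE_URLS):
        print(url)
```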
dwn is a “docker-compose for hackers”. @leonjza created it to solve some limitations of docker-compose. It allows you to run dockerized tools from any folder with the ability to make on-the-fly configuration changes, dynamic port maps and volume mounts (all of which aren’t possible with docker-compose).
Recon and Corporate OSINT with DNSGrep and Rapid7 Open Data
Live Recon and Google Dorking on the Department of Defense’s Vuln Disclosure Program with @thedawgyg
These videos will be very informative if you want to improve your recon. @codingo_ shares why using data sources directly (as opposed to running multiple subdomain enumeration tools) can be beneficial and how to do it, with a focus on the Rapid7 Open Data project.
In the second video, @thedawgyg does some live recon on the Department of Defense’s Vulnerability Disclosure Program and shows @NahamSec his approach and tips.
Cheatsheet: XSS that works in 2021
This is a new cool cheatsheet full of XSS payloads, filter bypasses and tips that work in modern browsers.
WhatsApp – a malicious GIF that could execute code on your smartphone – Bug Bounty Reports Explained
@Busra Demir Talks About Pentesting, Content Discovery, Getting Started With OSCP, Creating Content🔥
Android Pentesting | Insecure Logging & Storage + Setup Genymotion & pidcat – Pt. 02
DAY[0] Episode 63 – MediaTek BootROM Broken, Free Coffee, and an iOS Kernel Exploit
SCADA Scandal – Defender Thinks Chrome is Malware, Plex Media Servers in DDoS Attacks
BSides København 2020, especially:
Automatic Vulnerability ApacheDruid Remote Code Execute Detection and Exploitation & Nuclei template #RCE #Web
Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities #RCE
Unauthenticated SQL injection Time-based user enumeration #Web #CodeReview
Facebook Messenger Desktop App Arbitrary File Read (Facebook, $2,000)
How I Gain Access to the Server Administration of a Million-Dollar Company ($5,000)
Microsoft Remote Desktop Web Access Authentication Timing Attack (Microsoft)
Spoofing and Attacking With Skype (Microsoft)
Github Account hijack through broken link in developer.twitter.com (Twitter)
See more writeups on The list of bug bounty writeups.
Ditto: A Go tool for IDN homograph attacks and detection
Doldrums & Reverse engineering Flutter for Android: A Flutter/Dart reverse engineering tool
WebDork: A Python tool to automate Google dorking
Thumbscr-EWS & Intro: A wrapper around the amazing exchangelib to do some common EWS operations
Announcing The Hacker Of The Hill (February 20)
Cool tower there @holme_sec!
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.