Bug Bytes #111 – Finding your first bug, Middleware misconfigurations & Breaking Java XML parsers

By Anna Hammond

February 24, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 15 to February 22.

Intigriti News

Our favorite 5 hacking items

1. Video of the week

How to Find Your First Bug & TL;DR

Struggling to find your first bug? @InsiderPhD has some sensible tips that might help, including technical skills to learn and what to focus on. Make sure to watch the whole video, the note-taking tip at the end will help you maximize learning when reading writeups.

2. Writeup of the week

Enumerate internal cached URLs which lead to data exposure (Facebook, $4,800)

This writeup is about an issue in server-side caching on Facebook. @Samm0uda discovered an endpoint on developers.facebook.com that returned whether a URL (or partial URL) was present in the cache or not. The bug looks so obvious after reading about it! It sounds like a feature, I’m not sure I would’ve considered it a weakness leading to serious information disclosure (e.g. disclosure of URLs containing access tokens).

So, this is a great example that shows why it is important to always keep in mind business and technical impacts when assessing the security of a Web app.

3. Articles of the week

Misconfigurations in Java XML Parsers
Middleware, middleware everywhere – and lots of misconfigurations to fix

The first article is an amazing read if you’re interested in XXE or SSRF (via XXE). It goes over different scenarios that make Java XML parsers vulnerable. For instance, if HTTP(S) and FTP are blacklisted, you can still find a blind XXE by making an FTP request with a file:// URL!

The second article sums up some new middleware misconfigurations in Nginx (for example HTTP splitting against misconfigured proxies that use cloud storage solutions). This type of misconfiguration is very interesting to learn about and test for! They bypass current mitigations and can still be found even on hardened targets.

4. Tutorials of the week

Top 10 Tips for Burp Suite
Client Side Encryption Bypass Part-2 & Part-3

The first tutorial presents ten really practical Burp tips. Power users might already know them, but it takes only a minute to go through them and maybe learn a new useful feature that’ll change your Burp experience.

The other tutorials are about bypassing client-side encryption. You might’ve seen part 1 in a previous Bug Bytes. With these follow-ups, @sameer_bhatt5 plunges us deeper into the world of encrypted JavaScript, tools that help save time when debugging it, and how to automate decryption.

5. Tool of the week

Mubeng

Mubeng is a fast proxy IP rotator that will help bypass any type of IP ban (WAF, rate-limiting, brute-force protection, etc.). It’s written in Go, supports the HTTP and SOCKSv5 protocols, supports all HTTP(S) methods, and includes a proxy checker to make sure your proxy IP is still alive.

What I like the most about it is its ease of use. You just give it a list of proxy IPs, it randomly rotates between them after a certain number of requests. It can also be chained with Burp and ZAP as an upstream proxy.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • iframe-broker: Chrome / Firefox extension to log iframe and cross window communications

  • MoneyScope: A simple tool to pull paid bounty scopes for wide recon activities

  • MacHound & Intro: An extension to the BloodHound auditing tool allowing collecting and ingesting of Active Directory relationships on macOS hosts

  • AzureC2Relay & Intro: Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Community pick of the week

Well done @Kuromatae666!

We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.
