By Anna Hammond
February 24, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 15 to February 22.
How to Find Your First Bug & TL;DR
Struggling to find your first bug? @InsiderPhD has some sensible tips that might help, including technical skills to learn and what to focus on. Make sure to watch the whole video, the note-taking tip at the end will help you maximize learning when reading writeups.
Enumerate internal cached URLs which lead to data exposure (Facebook, $4,800)
This writeup is about an issue in server-side caching on Facebook. @Samm0uda discovered an endpoint on developers.facebook.com that returned whether a URL (or partial URL) was present in the cache or not. The bug looks so obvious after reading about it! It sounds like a feature, I’m not sure I would’ve considered it a weakness leading to serious information disclosure (e.g. disclosure of URLs containing access tokens).
So, this is a great example that shows why it is important to always keep in mind business and technical impacts when assessing the security of a Web app.
Misconfigurations in Java XML Parsers
Middleware, middleware everywhere – and lots of misconfigurations to fix
The first article is an amazing read if you’re interested in XXE or SSRF (via XXE). It goes over different scenarios that make Java XML parsers vulnerable. For instance, if HTTP(S) and FTP are blacklisted, you can still find a blind XXE by making an FTP request with a file:// URL!
The second article sums up some new misconfigurations in middleware for Nginx (for example HTTP splitting against misconfigured proxies that use cloud storage solutions). This type of misconfiguration is very interesting to learn about and test for: it bypasses current mitigations and can still be found even on hardened targets.
Top 10 Tips for Burp Suite
Client Side Encryption Bypass Part-2 & Part-3
The first tutorial presents ten really practical Burp tips. Power users might already know them, but it takes only a minute to go through them and maybe learn a new useful feature that’ll change your Burp experience.
The other tutorials are about bypassing client-side encryption. You might’ve seen part 1 in a previous Bug Bytes. With these follow-ups, @sameer_bhatt5 plunges us deeper into the world of encrypted JavaScript, tools that help save time when debugging it, and how to automate decryption.
Mubeng is a fast proxy IP rotator that will help bypass any type of IP ban (WAF, rate limiting, brute-force protection, etc.). It’s written in Go, supports the HTTP and SOCKSv5 protocols, supports all HTTP(S) methods, and includes a proxy checker to make sure your proxy IP is still alive.
What I like the most about it is its ease of use. You just give it a list of proxy IPs and it randomly rotates between them after a certain number of requests. It can also be chained with Burp and ZAP as an upstream proxy.
Creating a Recon Database For Recon At Scale & recon_db_scripts
$130,000+ Learn New Hacking Technique in 2021 – Dependency Confusion – Bug Bounty Reports Explained
How to intercept traffic from Android apps with Objection and Burp
Axiom Demo – Resolving 6 million domains in 5 minutes with 100 instances!
DAY[0] Episode 65 – PDF Exploits, GPGME Making Mistakes EZ and Favicon Tracking
Dependency Confusion – SHAREit’s Security Update, Solorigate, Brave’s “Private Window With Tor”
Smarty Template Engine Multiple Sandbox Escape PHP Code Injection Vulnerabilities #Web
RCE in NPM VSCode Extension #Web #RCE
Into the rabbit hole: Exploitation process of Redis and RabbitMQ #RCE #Redis
Exploiting crash handlers: LPE on Ubuntu #Linux #LPE
ZDI-21-171: Getting Information Disclosure In Adobe Reader Through The ID Tag #MemoryCorruptionBug #PDF
Hunting for bugs in Telegram’s animated stickers remote attack surface
Is Math.random() Safe? from missing rate limit to bypass 2fa and possible sqli
Leaking Facebook user information to external websites / Setting some cookies values (Facebook, $2,000)
CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux (Keybase, $1,000)
Dangling DNS Records leading to Sub-domain Takeover on api.techprep.fb.com! (Facebook, $500)
See more writeups on The list of bug bounty writeups.
iframe-broker: Chrome / Firefox extension to log iframe and cross window communications
MoneyScope: A Simple Tool to Pull Paid Bounty Scopes for Wide Recon Activities
MacHound & Intro: An extension to the Bloodhound auditing tool allowing collecting and ingesting of Active Directory relationships on macOS hosts
AzureC2Relay & Intro: Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.