By Anna Hammond
March 3, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 22 to March 1.
How to get hacked with Nginx or VMware vCenter & A look at 2020’s Top 10 Web hacking techniques
An Exploration of JSON Interoperability Vulnerabilities & Labs
@theBumbleSec dropped excellent research on JSON parsing inconsistencies between parsers (duplicate-key precedence, number representation and the like) that can lead to serious business logic vulnerabilities when two services parse the same document differently. This is gold for bug hunters, a highly recommended read!
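To make the "two parsers, one document" problem concrete, here is an added example (not from the research above or from Bishop Fox) that uses Python's json module to emulate three parser behaviours: last-duplicate-key-wins (Python's default), first-duplicate-key-wins, and numbers-as-doubles. The order payload, catalogue and the validation/billing services are constructed for the illustration.

```python
import json
from typing import Any, Dict, List, Tuple

Pairs = List[Tuple[str, Any]]


def _last_key_wins(pairs: Pairs) -> Dict[str, Any]:
    # Default behaviour of Python's json module (and many other parsers).
    return dict(pairs)


def _first_key_wins(pairs: Pairs) -> Dict[str, Any]:
    # Emulates parsers that keep the first occurrence of a duplicate key.
    out: Dict[str, Any] = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def _reject_duplicates(pairs: Pairs) -> Dict[str, Any]:
    # Hardened variant: fail closed instead of silently picking one value.
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen.add(key)
    return dict(pairs)


def parse_last_wins(doc: str) -> Any:
    return json.loads(doc, object_pairs_hook=_last_key_wins)


def parse_first_wins(doc: str) -> Any:
    return json.loads(doc, object_pairs_hook=_first_key_wins)


def parse_strict(doc: str) -> Any:
    return json.loads(doc, object_pairs_hook=_reject_duplicates)


def parse_doubles_only(doc: str) -> Any:
    # Emulates a parser that stores every number as an IEEE-754 double
    # (JavaScript's JSON.parse, for instance): large integers lose precision.
    return json.loads(doc, parse_int=float)


# Constructed sample payload (not from the original research). The attacker
# repeats "price_cents": the first copy matches the catalogue, the second is
# what they actually want to be charged.
CATALOGUE_PRICE_CENTS = {"widget": 2500}
EVIL_ORDER = '{"item": "widget", "qty": 1, "price_cents": 2500, "price_cents": 1}'


def validate_order(order_json: str) -> bool:
    """Hypothetical validation service whose parser keeps the FIRST duplicate key."""
    order = parse_first_wins(order_json)
    return order["price_cents"] == CATALOGUE_PRICE_CENTS[order["item"]]


def bill_order(order_json: str) -> int:
    """Hypothetical billing service whose parser keeps the LAST duplicate key."""
    order = parse_last_wins(order_json)
    return order["price_cents"] * order["qty"]


def precision_differential(doc: str) -> Tuple[Any, Any]:
    """The same document seen by an exact-integer parser and by a doubles-only parser."""
    return json.loads(doc)["id"], parse_doubles_only(doc)["id"]


if __name__ == "__main__":
    print("validation passes:", validate_order(EVIL_ORDER))        # True
    print("amount billed (cents):", bill_order(EVIL_ORDER))        # 1
    print("id seen by each parser:", precision_differential('{"id": 9007199254740993}'))
    try:
        parse_strict(EVIL_ORDER)
    except ValueError as exc:
        print("strict parser rejects the document:", exc)
```

The validation service approves the order because it sees 2500; the billing service charges 1 cent because it sees the second value. Rejecting duplicate keys at the trust boundary (parse_strict) closes that class of differential; normalising the document once and passing the canonical form downstream closes the rest.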
SSRF: Bypassing hostname restrictions with fuzzing
How I Might Have Hacked Any Microsoft Account (Microsoft, $50,000)
Unauthorized RCE in VMware vCenter & CVE-2021-21972 checker for Nmap NSE
What amazing findings!
@dee__see found inconsistencies between two Node.js URL parsers that led to SSRF. The attack was discovered by fuzzing with radamsa and leverages parser differentials (parsers again). Though the impact was low, the techniques used are so interesting!
@ptswarm disclosed an unauthenticated RCE in VMware vCenter that’s probably keeping some bug hunters busy.
@laxmanmuthiyah found an account takeover on Microsoft’s Forgot password page. It involves reverse-engineering the encryption applied to the 7-digit security code, brute-forcing all of its values, and leveraging a race condition to bypass the anti-bruteforce protections.
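The race-condition part of that bug is a generic failure mode worth seeing in code. The example below is added here and does not reproduce Microsoft's system: it builds a constructed rate limiter that reads a counter, decides, and only then writes it back, fires a batch of candidate codes at it concurrently, and compares the result with the same limiter wrapped in a critical section.

```python
import threading
import time
from typing import List, Type


class NaiveLimiter:
    """Read the counter, decide, then write it back. The gap between the read
    and the write is the race window; the sleep stands in for the round trip
    to a shared store (cache or database) that a real service would make."""

    def __init__(self, limit: int, store_latency: float = 0.05) -> None:
        self.limit = limit
        self.attempts = 0
        self.store_latency = store_latency

    def allow(self) -> bool:
        if self.attempts >= self.limit:   # read + decide
            return False
        time.sleep(self.store_latency)    # every concurrent request sits here together
        self.attempts += 1                # write
        return True


class AtomicLimiter(NaiveLimiter):
    """Same logic, but read-decide-write is one critical section."""

    def __init__(self, limit: int, store_latency: float = 0.05) -> None:
        super().__init__(limit, store_latency)
        self._lock = threading.Lock()

    def allow(self) -> bool:
        with self._lock:
            return super().allow()


def flood(limiter: NaiveLimiter, codes: List[str]) -> List[str]:
    """Fire all candidate codes at once (a barrier releases every thread in the
    same instant) and return the codes the limiter let through."""
    gate = threading.Barrier(len(codes))
    accepted: List[str] = []
    accepted_lock = threading.Lock()

    def attempt(code: str) -> None:
        gate.wait()
        if limiter.allow():
            with accepted_lock:
                accepted.append(code)

    threads = [threading.Thread(target=attempt, args=(c,)) for c in codes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return accepted


def accepted_count(limiter_cls: Type[NaiveLimiter], limit: int, n_requests: int) -> int:
    # Constructed candidate codes: 7-digit values standing in for an attacker's guesses.
    codes = [f"{i:07d}" for i in range(n_requests)]
    return len(flood(limiter_cls(limit), codes))


if __name__ == "__main__":
    print("naive limiter, limit 5, 30 concurrent guesses accepted:",
          accepted_count(NaiveLimiter, 5, 30))
    print("atomic limiter, limit 5, 30 concurrent guesses accepted:",
          accepted_count(AtomicLimiter, 5, 30))
```

With the naive limiter every request reads the counter before any of them increments it, so far more than five guesses go through; the locked version lets exactly five through. In a real deployment the fix is an atomic increment-and-check in the shared store rather than a process-local lock, since the requests land on different servers.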
Black Hat USA 2020 videos were just released, and there are no fewer than 91! There’s a lot to watch on all kinds of hacking topics. To navigate them easily, check the briefings for descriptions of each talk and links to the slides.
How to Break Your JAR in 2021 – Decompilation Guide for JARs and APKs
DOM XSS is Dead*, Long Live DOM XSS
Don’t worry, DOM XSS isn’t really dead! @InfoSecP4nda did some research on automating DOM XSS testing with Burp and shares the results. It’s useful to know the limits of Burp when testing for these vulnerabilities.
The JAR/APK decompilation guide covers different decompilation approaches and tools. If, like me, you’ve only heard of JD-GUI and jadx, I highly recommend reading this. Next time those two fail to decompile obfuscated code, for instance, you’ll know of other decompilation options!
SQL Injection | Complete Guide
This is a nice introduction to SQL injection by @rana__khalil. A great resource if you’re interested in the topic and prefer videos for learning.
How I Found My First Bug (and earned $1k!) – Business Logic Tips
JavaScript Is A Goldmine For Bug Bounty Hunters & How To Test For Reflected XSS
Commonly Misunderstood Bugs: Authorization Based Vulnerabilities
Abusing unicode characters to PWN Intigriti XSS challenge [I WON!]
MyLittleAdmin PreAuth RCE Vulnerability Analysis – Deep Dive – Exploitation
null Ahmedabad Meet 28 February 2021 Monthly Meet: Automating reflected XSS using GXSS
Got Cookies? Exploring Cookie Based Authentication Vulnerabilities in the Wild
Graphql Exploitation – Part 1- Understanding Graphql & Enumeration Of Graphql Schema
Intro to Bug Bounty Automation (pt.2): Port Scanning with Slack & slackexec.py
Build Pipeline Security (Amazon)
SSRF to fetch AWS credentials with full access to multiple services
Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state (Grammarly, $3,000)
Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape
config files with vpn pre-shared-key and other credentials in them (Tesla, $10,000)
DNS Setup allows sending mail on behalf of other customers (Basecamp, $700)
See more writeups on The list of bug bounty writeups.
4-ZERO-3: 403/401 Bypass Methods
pyndiff: Generate human-readable ndiff output when comparing 2 Nmap XML scan files
posta: Cross-document Messaging security research tool
1u.ms: DNS utilities in Go to detect and exploit SSRF & DNS rebinding (existed as an online utility and was just open sourced)
Endgame: AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account
How to enumerate a database (if you have breached creds) with sqlmap
Have a possible XSS on AEM target, but app renders it in JSON?
@TomNomNom’s biggest bounty & oneliner to grep Git repos for patterns
Intro to Bug Bounty Hunting and Web Application Hacking (@NahamSec’s new paid Udemy course)
Cybersecurity conferences 2021: A schedule of virtual, and potentially in-person or ‘hybrid’, events
ZAPCon: March 9
ffuf’s moving to a sponsorware model & is partnering up with Kali Linux