Bug Bytes #112 – JSON parsers inconsistencies, Fuzzing for SSRF & Microsoft $50k account takeover

By Anna Hammond

March 3, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 22 to March 1.

Intigriti News

How to get hacked with Nginx or VMWare vCenter & A look at 2020’s Top 10 Web hacking techniques

Our favorite 5 hacking items

1. Article of the week

An Exploration of JSON Interoperability Vulnerabilities & Labs

@theBumbleSec dropped excellent research on JSON parsing inconsistencies that can lead to serious business logic vulnerabilities. This is gold for bug hunters, a highly recommended read!
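One practical takeaway from that research is that ambiguity should be rejected before any parser gets to resolve it its own way. The following is an added example, not code from the article or its labs: a small pre-parse audit of raw JSON text that flags the two classic interoperability hazards, duplicate object keys (first-wins vs last-wins parsers) and integer literals that `JSON.parse` silently rounds. The function names and the sample order document are my own constructions.

```javascript
'use strict';

// Added example (not from the article or its labs): audit raw JSON text for
// duplicate object keys and for integer literals outside the IEEE-754 safe
// range, before any parser imposes its own interpretation of them.

// Index just past the closing quote of the string literal starting at `start`.
function scanString(text, start) {
  let i = start + 1;
  while (i < text.length) {
    if (text[i] === '\\') i += 2;          // skip the escaped character
    else if (text[i] === '"') return i + 1;
    else i += 1;
  }
  throw new SyntaxError('unterminated string');
}

function auditJsonText(text) {
  const findings = { duplicateKeys: [], unsafeNumbers: [] };
  const stack = []; // open containers: { kind, keys, path, expectKey, lastKey }

  // JSONPath-like location of the value currently being read.
  const valuePath = () => {
    const top = stack[stack.length - 1];
    if (!top) return '$';
    return top.kind === 'object' ? `${top.path}.${top.lastKey}` : `${top.path}[]`;
  };

  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '{' || c === '[') {
      stack.push({ kind: c === '{' ? 'object' : 'array', keys: new Set(),
                   path: valuePath(), expectKey: c === '{', lastKey: null });
      i += 1;
    } else if (c === '}' || c === ']') {
      stack.pop();
      i += 1;
    } else if (c === '"') {
      const end = scanString(text, i);
      const top = stack[stack.length - 1];
      if (top && top.kind === 'object' && top.expectKey) {
        const key = JSON.parse(text.slice(i, end)); // decode escapes in the key
        if (top.keys.has(key)) findings.duplicateKeys.push(`${top.path}.${key}`);
        top.keys.add(key);
        top.lastKey = key;
        top.expectKey = false;
      }
      i = end;
    } else if (c === ',') {
      const top = stack[stack.length - 1];
      if (top && top.kind === 'object') top.expectKey = true;
      i += 1;
    } else if (c === '-' || (c >= '0' && c <= '9')) {
      const m = /^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/.exec(text.slice(i));
      if (!m) throw new SyntaxError(`bad number at offset ${i}`);
      const lit = m[0];
      // Only integer literals are checked; floats are lossy by design.
      if (!/[.eE]/.test(lit) && !Number.isSafeInteger(Number(lit))) {
        findings.unsafeNumbers.push({ path: valuePath(), literal: lit });
      }
      i += lit.length;
    } else {
      i += 1; // whitespace, ':' and the letters of true/false/null
    }
  }
  return findings;
}

// Reject a document outright when it would be read differently by different parsers.
function isInteropSafe(text) {
  const f = auditJsonText(text);
  return f.duplicateKeys.length === 0 && f.unsafeNumbers.length === 0;
}

// Constructed sample: an order whose quantity is overridden by a duplicate key
// and whose total does not survive a round trip through a double.
const SAMPLE = '{"id": 1, "qty": 2, "qty": 1, "items": [{"sku": "a", "price": 9}, '
             + '{"sku": "a", "sku": "b"}], "total": 12345678901234567890}';

console.log(auditJsonText(SAMPLE));
console.log('JSON.parse sees qty =', JSON.parse(SAMPLE).qty, 'and total =', JSON.parse(SAMPLE).total);
```

The audit reports `$.qty` and `$.items[].sku` as duplicated and `$.total` as an unsafe integer, while `JSON.parse` quietly returns `qty: 1` and a rounded total. The same document handed to a first-wins parser on another tier would yield `qty: 2`, which is exactly the kind of discrepancy the article turns into business-logic bugs.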

2. Writeups of the week

SSRF: Bypassing hostname restrictions with fuzzing
How I Might Have Hacked Any Microsoft Account (Microsoft, $50,000)
Unauthorized RCE in VMware vCenter & CVE-2021-21972 checker for Nmap NSE

What amazing findings!

@dee__see found inconsistencies in two NodeJS URL parsers that led to SSRF. The attack was discovered by fuzzing with radamsa and leverages parser differentials (parsers again). Though the impact was low, the techniques used are so interesting!

@ptswarm disclosed an unauthenticated RCE in VMware vCenter that’s probably keeping some bug hunters busy.

@laxmanmuthiyah found an account takeover on Microsoft's Forgot password page. It involves working out how the security code is encrypted, bruteforcing it, and leveraging a race condition to bypass the anti-bruteforce protections.

3. Conference of the week

Black Hat USA 2020

Black Hat USA 2020 videos were just released and there are no fewer than 91 of them! There's a lot to watch on all kinds of hacking topics. To navigate them easily, check the briefings page for a description of each talk and links to the slides.

4. Tutorials of the week

How to Break Your JAR in 2021 – Decompilation Guide for JARs and APKs
DOM XSS is Dead*, Long Live DOM XSS

Don't worry, DOM XSS isn't really dead! @InfoSecP4nda did some research on automating DOM XSS detection with Burp and shares the results. It's useful to know the limits of Burp when testing for these vulnerabilities.

The other tutorial is about decompiling JARs and APKs, covering different decompilation approaches and tools. If, like me, you've only heard of JD-GUI and jadx, I highly recommend reading it. Next time these two tools fail on obfuscated code, for instance, you'll know of other decompilation options!

5. Video of the week

SQL Injection | Complete Guide

This is a nice introduction to SQL injection by @rana__khalil. A great resource if you're interested in the topic and prefer videos for learning.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • 4-ZERO-3: 403/401 Bypass Methods

  • pyndiff: Generate human-readable ndiff output when comparing 2 Nmap XML scan files

  • posta: Cross-document Messaging security research tool

  • 1u.ms: DNS utilities in Go to detect and exploit SSRF and DNS rebinding (existed as an online utility and was just open sourced)

  • Endgame: AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty news

Non technical
