By Anna Hammond
March 17, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 8 to 15.
Channeling the Wisdom of the Crowd: Talking with Intigriti’s Stijn Jans and Inti De Ceukelaire
Finding Issues In Regular Expression Logic Using Differential Fuzzing
I think some of the most interesting attacks and research are at the intersection of different fields of offensive security. This is a good example by @defparam. He shows how to use differential fuzzing to find logic flaws in web-related regular expressions.
Obtaining .NET Assemblies from Android Full AOT Compiled Applications
CVE-2020-29653: Stealing Froxlor login credentials using dangling markup
Messing with GitHub’s fork collaboration for fun and profit (GitHub, $30,000)
The first writeup shows a method for extracting assemblies from Android applications compiled with AOT. It might be useful to know for a future mobile engagement.
The second writeup shows a useful technique to remember when you find an HTML injection and want to increase its impact because XSS just isn't possible.
Lastly, @not_an_aardvark found some pretty serious broken access control issues on GitHub. It’s a very interesting writeup on GitHub’s fork collaboration feature.
leaky.page & A Spectre proof-of-concept for a Spectre-proof web
This is worrying research on Spectre by Google's Security Team. They showed that it is a practical attack with a Proof of Concept site that can leak information from victims' browser memory!
Regexploit is a Python tool that helps find regular expressions vulnerable to ReDoS. Judging from the list of vulnerabilities @doyensec discovered using it, it seems very effective and worth a try.
Wl is @s0md3v's latest tool. It's a Go utility that converts strings to different casing styles, which is very handy for credential brute-forcing and content discovery.
Main track
Recon Village
NahamCON 2021: Red Team Village & Slides:
Wasn't NahamCon fantastic? I love a good offensive security conference! Since the main track and villages were happening at the same time, you might've missed interesting talks. So, here's the list of all NahamCon talks and slides I found public if you want to catch up.
[PYTHON] Differential Fuzzing to find logic bugs inside Python email validators (Atheris)
Alfred WebApp Payloads Demo (XSS & Reverse Shell Payloads!) (cool idea for MacOS users)
SQL Injection – Lab #2 SQL injection vulnerability allowing login bypass
Browser Security – Part one : My Interview with Abdulrahman Alqabandi @qab @microsoft & Part two
DAY[0] Episode 68 – Hacking Cameras, Stealing Logins, and Breaking Git
ProxyLogon – New Chrome 0-Day, Patch Tuesday Redux, Spectre Comes to Chrome
Exploiting HTTP Request Smuggling (TE.CL) – XSS to website takeover #Web
CVE-2020-5377: Dell OpenManage Server Administrator File Read #Web
SSD Advisory – GNU GRUB Command Injection #Linux #LPE
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518) #Windows #LPE
Malicious repositories can execute remote code while cloning (GitHub)
[Google VRP] How I Get Blind XSS At Google With Dork (First Bounty and HOF) (Google, $3,133.70)
Facebook Group Members Disclosure (Facebook, $9,000)
Finding keys under the door (Paytm)
Voice Confusion When Commenting On Watch Party (Facebook, $1,000)
See more writeups on The list of bug bounty writeups.
ZAP Automation Framework: ZAP add-on that provides a framework for automation
go-dork & Dorking on Steroids: Fast dork scanner written in Go
jsmonitor.py: JavaScript files monitor
SerialDetector & Intro: A proof-of-concept tool for detection and exploitation of Object Injection Vulnerabilities in .NET applications
Vajra & Intro: A highly customizable target and scope based automated web hacking framework (with GUI @ a CouchDB database)
XSS WAF bypass by adding JS comments between a function name and its arguments
Pentest tales by @plaverty9 and @ippsec
Burp extensions keep being disabled? Quitting Burp using ⌘+q might be the cause!
@defparam’s JSON/Structure aware fuzzer for turbo intruder & Turbo Intruder Cluster Bomb with Smart Filtering
The Best Ethical Hacking Tools of 2021 (and their basic usage)
Uncle Rat’s ultimate bug bounty guide (50% off until March 20)
PancakesCon 2 (March 21)
null Ahmedabad Meet 21 March 2021 Monthly Meet (March 21)
FuzzCon Europe (March 24)
Bitcoin exchange Sovryn launches record $1.25m bug bounty program
Nice rig there, @plenumlab! We love it and hope it’ll help you find more cool bugs.
Want to share your bug bounty wins, swag and joys with other Bug Bytes readers? Tag us on social media, we’d love to hear from you too!