Bug Bytes #116 – New OAuth attacks, Hacking Shopify with a single dot & Netmask SSRF

By Anna Hammond

March 31, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from March 22 to 29.

Our favorite 5 hacking items

1. Articles of the week

Hidden OAuth attack vectors
Recovering A Full PEM Private Key When Half Of It Is Redacted

OAuth and SSRF are the gifts that keep on giving! @artsploit revealed three entirely new OAuth2 and OpenID Connect vulnerabilities: “Dynamic Client Registration: SSRF by design”, “redirect_uri Session Poisoning”, and “/.well-known/webfinger User Enumeration”. This is fantastic research, simply a must-read!
Also worth noting, ActiveScan++ was updated to detect and report these bugs.

The second article is the reason you should never include a partially redacted PEM in a pentest report (or share it on social media). @CryptoHack__ was challenged to recover a full private key from a partially redacted RSA private key, and shows exactly how they did it.

2. Writeups of the week

From 500 to Account Takeover
[h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) (Shopify, $3,100)
Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918) & Serious Netmask vulnerability found to affect three Perl IP modules

Pentesters @skeltavik and @KoenClaes_ started with a goal: to steal users' session IDs, which they had noticed were accessible in a JavaScript function. In an excellent writeup, they detail how they managed to do it using an XSS on an HTTP 500 error page, a Cloudflare bypass, a CSP bypass and Google Analytics.

The second writeup is a cool FQDN takeover on Shopify that @securinti found during a live hacking event. The impact is similar to subdomain takeover except that it didn’t require access to DNS records. It only took adding a single dot… but it’s better explained with video!

The third writeup is about a vulnerability affecting the Netmask NPM package, used in almost 279k projects. If you like SSRF and IP validation bypasses, it’s worth a read.
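The Netmask bug belongs to a well-known class: an IP validator that reads every dotted octet as decimal (so "0177" becomes 177) while the socket layer that later fetches the URL follows inet_aton conventions (a leading zero means octal, so "0177" is 127). An SSRF allow-list built on the first parser then lets a loopback address through. The example below is added here and is not the netmask package's code nor anything from the writeup: it contrasts a constructed lenient parser, a constructed inet_aton-style parser, and a strict canonical parser that a defender should use before comparing an address against internal ranges. The function names and the range table are my own.

```python
import re
from typing import List, Optional, Tuple

Octets = Tuple[int, int, int, int]


def parse_ipv4_lenient(text: str) -> Optional[Octets]:
    """Constructed 'lenient' validator: digits only, every octet read as decimal.
    This is the behaviour that misclassifies "0177.0.0.1" as 177.0.0.1 (public)."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets: List[int] = []
    for part in parts:
        if not part.isdigit():
            return None
        value = int(part, 10)          # leading zeros silently dropped
        if value > 255:
            return None
        octets.append(value)
    return (octets[0], octets[1], octets[2], octets[3])


def parse_ipv4_aton_style(text: str) -> Optional[Octets]:
    """Constructed model of inet_aton prefix rules (4-part form only):
    "0x.." is hex, a leading "0" is octal, anything else is decimal."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets: List[int] = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                value = int(part[2:], 16)
            elif len(part) > 1 and part[0] == "0":
                value = int(part, 8)
            else:
                value = int(part, 10)
        except ValueError:
            return None
        if not 0 <= value <= 255:
            return None
        octets.append(value)
    return (octets[0], octets[1], octets[2], octets[3])


# Canonical octet: "0" or 1-3 digits with no leading zero. No hex, no octal, no blanks.
_STRICT_OCTET = re.compile(r"(0|[1-9][0-9]{0,2})")


def parse_ipv4_strict(text: str) -> Optional[Octets]:
    """Strict parser for the defender: only canonical dotted-decimal is accepted,
    so every accepted string has exactly one interpretation."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets: List[int] = []
    for part in parts:
        if not _STRICT_OCTET.fullmatch(part):
            return None
        value = int(part, 10)
        if value > 255:
            return None
        octets.append(value)
    return (octets[0], octets[1], octets[2], octets[3])


# Ranges an SSRF gate should never let an outbound request reach (constructed list).
_INTERNAL_RANGES = (
    ((0, 0, 0, 0), 8),
    ((10, 0, 0, 0), 8),
    ((127, 0, 0, 0), 8),
    ((169, 254, 0, 0), 16),
    ((172, 16, 0, 0), 12),
    ((192, 168, 0, 0), 16),
)


def _to_int(octets: Octets) -> int:
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_internal(octets: Octets) -> bool:
    """True if the address falls inside any listed internal prefix."""
    n = _to_int(octets)
    for net, bits in _INTERNAL_RANGES:
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if (n & mask) == _to_int(net):
            return True
    return False


def allow_outbound_target(text: str) -> Tuple[bool, str]:
    """Hypothetical SSRF gate: reject anything non-canonical, then reject internal ranges."""
    strict = parse_ipv4_strict(text)
    if strict is None:
        return (False, "not a canonical dotted-decimal address")
    if is_internal(strict):
        return (False, "address is in an internal range")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ("0177.0.0.1", "0x7f.0.0.1", "127.0.0.1", "203.0.113.10"):
        print(candidate, parse_ipv4_lenient(candidate), parse_ipv4_aton_style(candidate),
              allow_outbound_target(candidate))
```

The important design choice is that the gate never tries to "normalise" an odd spelling into an address; it rejects the spelling outright. Any string that two parsers can disagree about is a string the validator should not be reasoning about at all.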

3. Resource of the week

MindAPI (online version) & Repo

dsopas published this cool mindmap of API hacking resources and methodology for all types of APIs. If you’re into API hacking, this is a nice way to organize a lot of information on the topic (not only steps and tools, but also videos, writeups, labs, tutorials, etc.).

4. Tutorials of the week

Poking At Elasticsearch: Beyond Just Dumping Data
SAML XML Injection

Elasticsearch is often associated with data dumps and information disclosure, but there is so much more to Elasticsearch security. The first tutorial shows how to brute-force credentials when an Elasticsearch instance uses authentication, and what to do next after obtaining credentials (discovering user accounts and post-exploitation recon techniques).

The second article is about a vulnerability NCC Group pentesters detected in several assessments of SSO services. It is a great read about SSO / SAML hacking.

5. Tool of the week

masher & From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)

Masher stands for “multiple password ‘asher”. It helps break password hashes when non-obvious combinations of hashing algorithms are used.

Identifying the type of a hash is something I always struggle with. So, I find this very helpful. Since it’s just a script using Python’s hashlib, it’s also easy to modify to add more combinations.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • S3 Account Search & Intro: Python tool that finds the AWS account ID of any public S3 object/bucket

  • SQLMap DNS Collaborator: Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed

  • gitrecon: OSINT tool to get information from GitHub and GitLab profiles and find users’ email addresses leaked in commits

  • nsdp-discover: Nmap NSE script to discover NSDP service and retrieve basic information

  • harlogger: Simple utility for sniffing decrypted HTTP/HTTPS traffic on a jailbroken iOS device into HAR format

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

So happy for you @sumgr0! Keep it up 💪

Want to share your bug bounty wins, swag and joys with other Bug Bytes readers? Tag us on social media, we’d love to hear from you too!
