By Anna Hammond
March 31, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 22 to 29.
Hidden OAuth attack vectors
Recovering A Full PEM Private Key When Half Of It Is Redacted
OAuth and SSRF are the gifts that keep on giving! @artsploit revealed three entirely new OAuth2 and OpenID Connect vulnerabilities: “Dynamic Client Registration: SSRF by design”, “redirect_uri Session Poisoning”, and “/.well-known/webfinger User Enumeration”. This is fantastic research, simply a must-read!
Also worth noting, ActiveScan++ was updated to detect and report these bugs.
The second article is the reason why you should never include a partially redacted PEM in a pentest report (or share it on social media). @CryptoHack__ was challenged to recover a full private key from a partially redacted private RSA key, and shows exactly how they did it.
From 500 to Account Takeover
[h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) (Shopify, $3,100)
Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918) & Serious Netmask vulnerability found to affect three Perl IP modules
Pentesters @skeltavik and @KoenClaes_ started with a goal, to steal users Session IDs that they noticed accessible in a JavaScript function. They detail in an excellent writeup how they managed to do it using an XSS on an HTTP 500 error page, a Cloudflare bypass, a CSP bypass and Google Analytics.
The second writeup is a cool FQDN takeover on Shopify that @securinti found during a live hacking event. The impact is similar to subdomain takeover except that it didn’t require access to DNS records. It only took adding a single dot… but it’s better explained with video!
The third writeup is about a vunerability affecting the Netmask NPM package used in almost 279k projects. If you like SSRF and IP validation bypasses, it’s worth a read.
MindAPI (online version) & Repo
dsopas published this cool mindmap of API hacking resources and methodology for all types of APIs. If you’re into API hacking, this is a nice way to organize a lot of information on the topic (not only steps and tools, but also videos, writeups, labs, tutorials, etc).
Poking At Elasticsearch: Beyond Just Dumping Data
SAML XML Injection
Elasticsearch is often associated with data dumps and information disclosure, but there is so much more to Elasticsearch security. The first tutorial shows how to bruteforce credentials when an Elasticsearch instance is using authentication and what to next after obtaining credentials (discovering user accounts and post-exploitation recon techniques).
The second article is about a vulnerability NCC Group pentesters detected in several assessments of SSO services. It is a great read about SSO / SAML hacking.
masher & From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)
Masher stands for “multiple password ‘asher“. It helps break password hashes when non obvious combinations of hashing algorithms are used.
Identifying the type of a hash is something I always struggle with. So, I find this very helpful. Since it’s just a script using Python’s hashlib, it’s also easy to modify to add more combinations.
DAY[0] Episode 70 – Google exposes an APT campaign, PHP owned, and Several Auth Issues
GIT Me Some PHP – Spectre Returns to Linux, API Security, OpenSSL Flaws, SolarWinds
The InfoSec & OSINT Show 50 – pdp (Petko Petkov) & Automating Pownage with PownJS
Bypassing VPN MFA During a Pentest via Duo Inline Self-Enrollment
Second independent audit of SecureDrop Workstation completed #PentestReport
Pentester’s tricks: Local privilege escalation in OpenVAS #LPE #Linux
CVE-2021-23888 – McAfee ePolicy Orchestrator HTML Injection #Web
CVE-2020-27199 (Magic Home Pro – Authentication Bypass) #Web
Multiple Authorization bypass issues in Google’s Richmedia Studio (Google, $6,000)
Google Chrome Bug Bounty: $5,000 – File System Access API – vulnerabilities (Google, $5,000)
HTML Injection in Swing can disclose netNTLM hash or cause DoS (PortSwigger Web Security, $1,000)
Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application (PlayStation, $1,000)
See more writeups on The list of bug bounty writeups.
S3 Account Search & Intro: Python tool that finds the AWS account ID of any public S3 object/bucket
SQLMap DNS Collaborator: Burp Extension that lets you perform DNS exfiltration with Sqlmap with zero configuration needed
gitrecon: OSINT tool to get information from a Github and Gitlab profile and find user’s email addresses leaked on commits
nsdp-discover: Nmap NSE script to discover NSDP service and retrieve basic information
harlogger: Simple utlity for sniffing decrypted HTTP/HTTPS traffic on a jailbroken iOS device into an HAR format
If you like XSS, and do not know where to start WAF Bypassing…
Techniques @nnwakelam uses to bypass admin interface authentication
Ever find a phpMyAdmin login portal and default creds won’t work?
Why Hackvertor JavaScript custom tags are broken in newer Burp versions & A temporary fix
No NTB-NS/ARP/LLMNR? Use DHCP.py in Responder’s tools/ folder
More Options For Response Modification -with Responsetinker & ResponseTinker
Eliminating XSS from WebUI with Trusted Types & Trusted Types bypass challenge solutions
Restricted Environment IoT Hacking: All You Need Is a Remote Shell
Microsoft: Introducing Bounty Awards for Teams Desktop Client Security Research
Hack Alongside Hackers: AWS and HackerOne CTF (April 5-12)
Hackers Who Paint (May 15)
Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure
Tool updates:
Bug hunters sharing stats on their reports in terms of severity (check out the “Quote Tweets”)
So happy for you @sumgr0! Keep it up 💪
Want to share your bug bounty wins, swag and joys with other Bug Bytes readers? Tag us on social media, we’d love to hear from you too!