Bug Bytes #118 – Kiterunner, Server-side XSS & Abusing payment systems for free money

By Anna Hammond

April 14, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from April 5 to 12.

Intigriti News

Get to know iQimpz, one of Intigriti’s top hackers

Our favorite 5 hacking items

1. Article of the week

Contextual Content Discovery: You’ve forgotten about the API endpoints & Kiterunner

This is about Kiterunner, a groundbreaking content discovery tool that Assetnote released at BSides Canberra 2021. Its premise is that existing tools are mostly based on file/folder bruteforcing with wordlists. They miss routes in modern apps and APIs that expect specific HTTP methods, headers or parameters.

Kiterunner addresses these limitations by performing context-aware bruteforcing, driven by Swagger files collected from different data sources and by scanning the Internet.

Note that in addition to the tool itself, the article presenting the whole research is a gem. It also links to the Swagger dataset used and slides.

2. Writeups of the week

What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from…
Unexpected Journey #7 – GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425)

@mikey96_bh shares interesting research on abusing the payment systems of UK online gambling companies. Leveraging logic bugs and bruteforcing, it was possible to deposit money ($25k!) into his betting account for free.

The second writeup is a detailed account of a remote code execution @mdisec found in GravCMS. It is an excellent read and a good example of RCE found with PHP code review.

3. Video of the week

XSS to LFI to RCE – Search for LFI everywhere!

Did you know that XSS can be server-side and lead to RCE? That’s what this video by @PinkDraconian is all about. It’s short but so well-explained!

4. Tool of the week

Autowasp

Autowasp is a Burp Suite extension for Web penetration testers. It creates a tab where you can load the OWASP Web Security Testing Guide (WSTG) checklist or your own custom checklist.

Since pentesters often have to follow this type of checklist, the extension streamlines the process. It allows you to keep track of your progress, add comments, note requests related to each check (via a “Logger tab”), etc. All in all, a pretty handy extension!

5. Conferences of the week

NahamCon2021
Exploiting Misconfigured JIRA Instances for $$ with Harsh Bothra & Slides

All NahamCon2021 talks are now public. If you’re into bug bounty, recon or Web app security, make sure to check them out! For the slides and village talks that were released earlier, take a look at Bug Bytes 114.

Another interesting talk by @harshbothra_ is about exploiting misconfigured Jira instances. If you’re new to the topic, this is a nice introduction to Jira hacking.

Other amazing things we stumbled upon this week

Writeups

See more writeups on The list of bug bounty writeups.

Tools

  • PD Actions & Intro: Continuous recon and vulnerability assessment using GitHub Actions

  • burpsuite-copy-as-xmlhttprequest: Burp extension that allows you to copy multiple requests as JavaScript XMLHttpRequest calls, which simplifies PoC development when exploiting XSS

  • Kubesploit & Intro: A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments

  • goop: Yet another tool to dump a git repository from a website

  • GodSpeed: Fast and intuitive manager for multiple reverse shells

  • protoscan: Prototype Pollution Scanner in Golang, based on @TomNomNom’s NahamCon2021 talk

  • Bloodhound for Linux & Intro: Ingest OpenLDAP data into BloodHound

Community pick of the week

Thank you for the compliment @iambouali, you are too kind!

Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!