By Anna Hammond
April 14, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 5 to 12.
Get to know iQimpz, one of Intigriti’s top hackers
Contextual Content Discovery: You’ve forgotten about the API endpoints & Kiterunner
This is about Kiterunner, a groundbreaking content discovery tool that Assetnote released at BSides Canberra 2021. Its premise is that existing tools are mostly based on file/folder bruteforcing with wordlists. They miss routes in modern apps and APIs that expect specific HTTP methods, headers or parameters.
Kiterunner addresses these limitations by performing context-aware bruteforcing, based on Swagger files collected from various data sources and from scanning the Internet.
Note that in addition to the tool itself, the article presenting the whole research is a gem. It also links to the Swagger dataset used and slides.
What if you could deposit money into your Betting account for free? Oh wait where has this 25k came from…
Unexpected Journey #7 – GravCMS Unauthenticated Arbitrary YAML Write/Update leads to Code Execution (CVE-2021-21425)
@mikey96_bh shares interesting research on abusing the payment systems of UK online gambling companies. By leveraging logic bugs and bruteforce, it was possible to deposit money ($25k!) into his betting account for free.
The second writeup is a detailed account of a remote code execution @mdisec found in GravCMS. It is an excellent read and a good example of an RCE found through PHP code review.
XSS to LFI to RCE – Search for LFI everywhere!
Did you know that XSS can be server-side and lead to RCE? That’s what this video by @PinkDraconian is all about. It’s short but so well-explained!
Autowasp is a Burp Suite extension for Web penetration testers. It creates a tab where you can load the OWASP Web Security Testing Guide (WSTG) checklist or your own custom checklist.
Since pentesters often have to follow this type of checklist, the extension streamlines the process. It allows you to keep track of your progress, add comments, note requests related to each check (via a “Logger tab”), etc. All in all, a pretty handy extension!
NahamCon2021
Exploiting Misconfigured JIRA Instances for $$ with Harsh Bothra & Slides
All NahamCon2021 talks are now public. If you’re into bug bounty, recon or Web app security, make sure to check them out! Also for slides and villages talks that were previously released, take a look at Bug Bytes 114.
Another interesting talk by @harshbothra_ is about exploiting misconfigured Jira instances. If you’re new to the topic, this is a nice introduction to Jira hacking.
DAY[0] Episode 72 – Pwn2own, Linux Kernel Exploits, and Malicious Mail
PwnIt And OwnIt – Port 10080 Blocked, FLoC Rollout, PHP GIT Hack Revisited, CISCO Router Problems
Azure Storage Security: Attacking & Auditing & Az-Blob-Attacker
Exploit cross-site request forgery (CSRF) – Lab & Exploit a misconfigured CORS – Lab
Royal Flush: Privilege Escalation Vulnerability in Azure Functions #Cloud
[BugHunt] Authenticated RCE found in HorizontCMS — Part 1 (Malicious Plugins) & Part 2 (PHP Filetype Bypass) #Web
Time for an upgrade #Network #MiTM
Path traversal in Ruby’s Tempfile and mktmpdir on Windows (Ruby, $500)
Stored XSS on the DuckDuckGo search results page (DuckDuckGo)
XSS at https://www.glassdoor.com/Salary/* via filter.jobTitleExact (Glassdoor, $900)
Intro to Open-source Bug Bounty (Mailtrain)
See more writeups on The list of bug bounty writeups.
PD Actions & Intro : Continuous recon and vulnerability assessment using Github Actions
burpsuite-copy-as-xmlhttprequest: Burp extension that allows you to copy multiple requests as JavaScript XMLHttpRequest calls, which simplifies PoC development when exploiting XSS
Kubesploit & Intro : A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments
goop: Yet another tool to dump a git repository from a website
GodSpeed: Fast and intuitive manager for multiple reverse shells
protoscan: Prototype Pollution Scanner in Golang, based on @TomNomNom’s NahamCon2021 talk
Bloodhound for Linux & Intro: Ingest openldap data into bloodhound
Using glow to search repos like PayloadsAllTheThings & HackTricks
Escaping out of a double-quoted string when a" is reflected as a\"
BBRF allows you to run advanced jq queries on your data, like list urls that you haven’t scanned yet
Lessons learned from using k8s clusters for bug bounty recon
XSS filter bypass: using DOM APIs to generate characters that aren’t allowed
A closer look at the security of React Native biometric libraries
Pwn2Own 2021: Zero-click Zoom exploit among winners as payout record smashed
A security researcher has dropped a Chrome and Edge zero-day on Twitter
PlaidCTF 2021: Plaid+ (April 16)
Beginners Bug Bounty – what bug classes should you start with?
The Power of Being a Misfit: Speaking with Fredrik Alexandersson STÖK
Thank you for the compliment @iambouali, you are too kind!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!