By Anna Hammond
May 5, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 26 to May 3.
Congratulations to @p4fg, @0xkasper and @sumgr0 for joining Intigriti’s 1337 gang!
Hacksplained joins Intigriti to further enable community of 35.000 ethical hackers
Interactsh, Intro & Nuclei + Interactsh Integration for Automating OOB Testing
It can be a pain to perform Out-of-Band testing without Burp Collaborator. If you can’t or don’t want to pay for it, there is now a free open source alternative thanks to @pdiscoveryio.
Interactsh provides a client/server infrastructure, with the possibility to use a self-hosted server for privacy. It has a beautiful Web interface and can be integrated with Nuclei. Such amazing work by the Project Discovery team!
DEFCON 29 CTF Qualifier: 3FACTOOORX Write-up
Facebook account takeover due to unsafe redirects after the OAuth flow (Facebook, $28,800)
The first writeup is @bbuerhaus’s walkthrough of the DEFCON 29 CTF Qualifier 3factooorx challenge. It involves analyzing a Chrome browser extension and navigating through obfuscated JavaScript with Chrome Dev Tools.
If you’re learning about this topic, this is a helpful resource, especially if combined with the “Tutorial of the week” below.
The second writeup is about an open redirect in a Facebook app’s OAuth flow that led to account takeover. A pretty impressive finding and informative writeup by @Samm0uda!
Live Recon and Distributed Recon Automation Using Axiom with @pry0cc
Curious to know how Axiom’s author uses it to hunt for bugs on real targets? This is the video to watch!
In this unique type of hacker interview by @NahamSec, @pry0cc shows how he performs distributed recon with Axiom and tools like meg, nmap, httpx, ffuf, etc.
Testing Extensions in Chromium Browsers – Nordpass
This is the ultimate guide to get into testing Chromium browser extensions. @CryptoGangsta shares an incredibly detailed tutorial with the Nordpass Chrome extension as an example.
Topics taught include how to debug extensions, reverse engineer obfuscated JavaScript, perform JavaScript dynamic analysis with Browser DevTools, decrypt AES-GCM encrypted messages, and log/instrument extensions.
@TinkerSec’s alarming burnout story
Redefining What it Means to be a Hacker with Eric Head aka todayisnew
@TinkerSec’s burnout story is a cautionary tale for all of us hackers. It’s important to read and keep in mind for those times when our bodies are telling us to stop working/hacking and we want to keep pushing.
Another very interesting read is an interview with @codecancare. He is a successful full-time bug hunter who is known for his kindness, for automating everything and advocating for empathy and mindfulness.
It’s cool to hear from him about these topics, including a very practical mindfulness technique to which he attributes his success.
iOS Hacking – Application Basics, Filesystem Basics & Inter-App Communication
Interview With @mr_hacker | Top 20 On Intigriti | Methodology, Tips & Tricks, Etc.
CRLF + XSS + cache poisoning = Access to Github private pages for $35k bounty
The InfoSec & OSINT Show 54 – Jeff Foley & Asset Discovery with Amass
DAY[0] Episode 75 – Defcon Quals, Dead μops, BadAllocs, WordPress XXE
The Ransomware Task Force – Scripps Health, REvil Hacks Quanta Computer, Emotet Botnet, QNAP
Hacker Days: Understanding AWS cloud attacks using CloudGoat
An Azure Sphere Security Breakdown | Lilith Wyatt | Nullcon Conference March 2021
Decrypting Mobile App Traffic using AES Killer and Frida & AES Killer – Usage Guide
Utilizing a Common Windows Binary to Escalate to System Privileges
Discovering Null Byte Injection Vulnerability in GoAhead #Web
Don’t Share Your $HOME with Untrusted Guests #VM-Escape
Bundler is Still Vulnerable to Dependency Confusion Attacks (CVE-2020-36327) #Web
Dependency Confusion Vulnerabilities in Unity Game Development
WordPress 5.7 XXE Vulnerability (WordPress)
Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol (Microsoft)
Exploiting the Source Engine (Part 2) – Full-Chain Client RCE in Source using Frida & Exploiting the Source Engine (Part 1) (Valve, $7,500)
Exploiting memory corruption vulnerabilities on Android (Paypal, $1,100)
How did I earn €€€€ by breaking the back-end logic of the server
How I was able to Retrieve your Personal Documents using the Wayback Machine!
See more writeups on The list of bug bounty writeups.
SRePlay (Strict RePlay) & Intro: Burp extension to bypass strict RePlay protection
Nginxpwner: Python tool to look for common Nginx misconfigurations and vulnerabilities
gdn / Get Domain Name: A GO module to get domain name from SSL certificates when an IP address is provided
x8: Hidden parameters discovery suite written in Rust
Running multiple FFUF jobs with RUSH (alternative to Parallel)
Did you know tar could run lolbins and base64 encode/decode?
Slayer Labs (free for 7 days)
Abusing Replication: Stealing AD FS Secrets Over the Network
Virtual Namespacing: A Robust Approach to Avoiding Dependency Confusion Attacks
Risks of Microsoft Teams and Microsoft 365 Groups & m365_groups_enum
GitHub: A call for feedback on our policies around exploits and malware
Upcoming talks:
3kCTF-2021 (May 15-16)
Tools updates:
Burp Professional / Community 2021.5: Intruder attacks can now be saved to project files!
The thin line between the cloud provider and the customer applications
Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario
Thank you @Th4nu_0x0 for participating in our “draw our logo” competition! Enjoy your swag!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!