By Anna Hammond
May 12, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 3 to 10.
Meet the hacker: Get to know sumgr0, The King of subdomain takeovers
HopLa is a Burp extension that adds payloads to Burp with autocompletion. By default, the payloads come from PayloadsAllTheThings, but you can customize them. This makes it easy to build your own payload library inside Burp.
Versionshaker is a handy Python tool for fingerprinting the exact version of open source software used on a site. Let’s say, for instance, that you have trouble identifying the version of WordPress used on a site. Versionshaker takes the site’s URL, the WordPress GitHub repo’s URL and the paths of static files to compare (e.g. JS or CSS files). It does its magic and returns which releases of WordPress contain these exact files.
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit (Google)
Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens (Facebook, $18,000)
The first writeup is about an RCE in Google App Engine that the author found in a week during their internship at Google.
To be honest, I did not understand any of it, but maybe you will! In any case, it is interesting to see what other hackers are working on and different areas to explore (in this case, hacking with low-level Java bytecode).
The second writeup is much easier to digest but also impactful. @Samm0uda noticed that an Instagram OAuth flow returned an access token with more permissions than it should. This allowed for taking over Instagram accounts.
Simple, but the difficulty lies in detecting the change in the access token’s permissions.
Regular Expression DOS FOR BEGINNERS!
If you want to learn about RegEx and ReDoS, this is the best introduction to these complex topics. @Farah_Hawaa explains just what you need to understand their basics and a practical example of detection and exploitation.
This is a hacktivity for vulnerabilities found in open source software. More and more hackers are looking for bugs in third-party software to leverage in bug bounties and pentests, so this is an interesting vulnerability database and collection of writeups to keep an eye on.
DNS Based Out of Band Blind SQL injection in Oracle — Dumping data
The first tutorial is all about DNS-based out-of-band SQL injection. It explains techniques that are good to know in case you encounter this type of injection: how to ensure it is not a false positive, how to identify the type of backend database, how to dump data from the database, and how to work around the limitations of exfiltrating via DNS (no spaces, a maximum of 253 characters, DNS caching…).
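The DNS limitations listed above (no spaces, so data is encoded; a 253-character name and 63-character label cap, so it is chunked) are also what a defender can look for in resolver logs. The following is an added example, not code from the tutorial: it scans constructed DNS query log lines (the log format and the `attacker-test.invalid` zone are assumptions) and groups hex-looking or oversized names by zone.

```python
import re
from collections import defaultdict

# Constructed sample of "client qname" DNS query log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 4d7953514c2053657276657220302e30.exfil.attacker-test.invalid
10.0.0.5 30313233343536373839.61626364656667686970.exfil.attacker-test.invalid
10.0.0.7 mail.example.com
10.0.0.5 cdn.static.example.org
"""

# A label made only of hex digits and at least 16 chars long is unlikely to be a hostname.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def parse_log(text):
    """Yield (client, qname) tuples from 'client qname' lines; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].rstrip(".").lower()


def suspicious(qname, long_name=100):
    """Return the reasons a query name looks like encoded, chunked exfiltration.

    DNS caps a name at 253 chars and a label at 63, and data must be encoded
    (no spaces), so long hex-like labels or labels at the limit are the signal.
    An empty list means nothing was flagged.
    """
    reasons = []
    labels = qname.split(".")
    if len(qname) > long_name:
        reasons.append("long name (%d chars)" % len(qname))
    hex_labels = [l for l in labels if HEX_LABEL.match(l)]
    if hex_labels:
        reasons.append("%d hex-looking label(s) of 16+ chars" % len(hex_labels))
    if any(len(l) == 63 for l in labels):
        reasons.append("label at the 63-char maximum")
    return reasons


def find_exfil_candidates(log_text):
    """Group flagged queries by their last two labels, so a stream of chunked
    lookups against one zone surfaces as a single finding."""
    findings = defaultdict(list)
    for client, qname in parse_log(log_text):
        reasons = suspicious(qname)
        if reasons:
            zone = ".".join(qname.split(".")[-2:])
            findings[zone].append((client, qname, reasons))
    return dict(findings)
```

Tune the hex-label length and the long-name threshold against your own baseline; legitimate CDN and tracking hostnames can trip a naive version of this.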
iOS Hacking – Inter-App Communication, App Transport Basics & Webviews
What is Insecure Deserialization? | Security Engineering Interview Questions
ARE CTF CREATORS EVIL?! – A Conversation around realworld CTF’s with Adam Langley.
The InfoSec & OSINT Show 55 – Charlie Belmer & NoSQL Injection
DAY[0] Episode 76 – Fake Vulns, More Valve, and an AWS Cognito Issue
News From the Darkside – Exim Email Server, Tor’s Exit Nodes, TsuNAME, Project Hail Mary
Doggo CTF Walkthrough (in Partnership with Amazon & BugPOC) #video
SQL Injection – Lab #9 SQL injection attack, listing the database contents on non Oracle databases & SQL Injection – Lab #10 SQL injection attack, listing the database contents on Oracle #video
Domain Hijacking Via Logic Error – Gandi And Route 53 Vulnerability #DNS
Mouse Trap #RCE #Android #Windows
CVE-2021-32030: ASUS GT-AC2900 Authentication Bypass #Router #RCE
21Nails: Multiple Critical Vulnerabilities in Exim Mail Server #Web
Password reset code brute-force vulnerability in AWS Cognito #Web
Workplace by Facebook | Unauthorized access to companies environment — $27,5k (Facebook, $27,500)
The False Oracle — Azure Functions Padding Oracle Issue (Microsoft)
CVE-2021-1815 – MacOS Local Privilege Escalation Via Preferences (Apple)
See more writeups on The list of bug bounty writeups.
Baserunner & Intro: A tool for exploring and exploiting Firebase datastores
PyOracle2: A python-based padding oracle tool
GDir-Thief & Intro: Red Team tool for exfiltrating the target organization’s Google People Directory that you have access to, via Google’s API
Google and Mozilla will bake HTML sanitization into their browsers
Upcoming events
SSTIC 2021 (June 2-4)
Awww such a cutie, well done @_sebd!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!