Bug Bytes #125 – Nuclei for mobile, ImageTragick like it’s 2016 & Intro to HTTP/2 and HTTP/3

By Anna Hammond

June 2, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from May 24 to 31.

Intigriti News

Intigriti’s 0521 XSS challenge – by @GrumpinouT

Meet the hacker: p4fg, the Swedish master of Automation

Our favorite 5 hacking items

1. Tutorial of the week

Adventures into HTTP2 and HTTP3

This is an excellent introduction to the different HTTP specifications. @JCoertze took a look at HTTP/1.x, HTTP/2 and HTTP/3, their differences and what they mean in terms of security. With the increasing adoption of HTTP/2 and HTTP/3, it is essential for Web app testers to learn how they work and their risks.

2. Writeups of the week

AppCache’s forgotten tales (Google, $10,000)
CVE-2021-33564 Argument Injection in Ruby Dragonfly

@lbherrera_ delved into the security of Chrome’s AppCache before its deprecation and found two ways to leak sensitive information cross-origin. This is a great example of building on existing research to come up with new attacks.

ZX Security researchers discovered an argument injection vulnerability in Dragonfly, a Ruby gem for image handling that several CMSs depend on. Although arguments could be injected, the library filtered local file inclusion (LFI) and the usual command injection payloads, so remote code execution was instead obtained through the arguments passed to ImageMagick’s convert utility.
The writeup details every technique that was tried, both the ones that worked and the ones that didn’t, along with some interesting ImageMagick tricks.

3. Article of the week

Playing With Imagetragick Like It’s 2016

While we’re on the subject of ImageMagick, this article by @loadlow and @alexisdanizan covers interesting techniques to exploit it and obtain arbitrary file read and write. It focuses on the latest version available in the Debian Buster repositories, which is a legacy release.
The exploitation vectors it describes are worth remembering the next time you’re testing a file upload feature.

4. Conference of the week

NorthSec 2021 Conference Day 1, Day 2, Schedule & Introduction to fuzzing, especially: You are not an idiot & Slides

There are so many interesting talks in this NorthSec edition, on all kinds of topics: GraphQL hacking, repo jacking, request smuggling, burnout, crypto best practices and many more.
@angealbertini’s keynote in particular is highly relevant to hackers. It touches on difficulties many of us in InfoSec face, including failure, burnout, imposter syndrome, manipulation, suicide… and how to protect ourselves.

5. Resource of the week

Mobile Nuclei Templates

Did you know Nuclei can also be used for mobile app tests? Its file protocol templates (“file” requests) run matchers and extractors against local files instead of network targets, so you can point it at unpacked or decompiled app sources and flag dangerous patterns such as insecure manifest settings or hardcoded secrets.
This repository provides good examples to get started with this type of scan.
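To show what such a file template looks like, here is an added example written for this issue; it is not taken from the Mobile Nuclei Templates repository. It uses Nuclei’s file protocol to scan a directory of decompiled Android sources for two risky manifest flags and for strings shaped like AWS access key IDs. The template id, name and author are hypothetical, and the target directory in the description is an assumed local path.

```yaml
# Added example, not from the Mobile Nuclei Templates repo.
# File-protocol template: Nuclei reads each matching file from the
# target directory and applies the matchers/extractors to its contents.
id: android-manifest-and-secrets-example

info:
  name: Android manifest misconfiguration and hardcoded AWS key (example)
  author: bugbytes-editor   # hypothetical
  severity: medium
  description: >
    Run against a decompiled app tree (assumed path), e.g.
    nuclei -t android-manifest-and-secrets-example.yaml -target ./app-decompiled/

file:
  - extensions:
      - xml          # AndroidManifest.xml, resource files
      - java         # jadx output
      - smali        # apktool output
      - properties   # config files that often carry credentials

    # Any one matcher firing is enough to report the file.
    matchers-condition: or
    matchers:
      - type: word
        name: debuggable
        words:
          - 'android:debuggable="true"'
      - type: word
        name: allow-backup
        words:
          - 'android:allowBackup="true"'
      - type: regex
        name: aws-access-key-id
        regex:
          - 'AKIA[0-9A-Z]{16}'

    # Print the matched key material so the finding is actionable.
    extractors:
      - type: regex
        name: aws-access-key-id
        regex:
          - 'AKIA[0-9A-Z]{16}'
```

Each matcher is named so the Nuclei output tells you which pattern hit; the extractor repeats the key regex so the offending value is shown next to the file path rather than having to be grepped out afterwards.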

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • ReServ: A set of simple servers (currently HTTP/HTTPS and DNS) which allow configurable and scriptable responses to network requests

  • bnew: A more performant implementation of @TomNomNom’s anew utility

  • getAllParams.py: Burp extension that parses an already crawled sitemap to build a custom parameter list

  • macOCR: Get any text on your screen into your clipboard

  • UserWritableLocations.ps1 & Intro: A PowerShell script for finding writable folders and hijackable DLLs

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

A warm welcome to @hacksplained who joined Intigriti this week! 🎉

Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!