By Anna Hammond
June 2, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 24 to 31.
Intigriti’s 0521 XSS challenge – by @GrumpinouT
Meet the hacker: p4fg, the Swedish master of Automation
Adventures into HTTP2 and HTTP3
This is an excellent introduction to the different HTTP specifications. @JCoertze took a look at HTTP/1.x, HTTP/2 and HTTP/3, their differences and what they mean in terms of security. With the increasing adoption of HTTP/2 and HTTP/3, it is essential for Web app testers to learn how they work and their risks.
AppCache’s forgotten tales (Google, $10,000)
CVE-2021-33564 Argument Injection in Ruby Dragonfly
@lbherrera_ delved into the security of Chrome’s AppCache before its deprecation and found two ways to leak sensitive information cross-origin. This is a great example of building on existing research to come up with new attacks.
ZX Security researchers discovered an argument injection vulnerability in the Ruby Gem Dragonfly, an image handling library used by multiple CMSs. Though it was possible to inject arguments, the library had filters against LFI and the usual command injection payloads. Remote code execution was achieved by exploiting ImageMagick’s convert utility.
This writeup is full of details on techniques tried that both worked and didn’t work, and interesting ImageMagick hacks.
Playing With Imagetragick Like It’s 2016
While we’re on the subject of ImageMagick, this article by @loadlow and @alexisdanizan covers interesting techniques to exploit it and obtain arbitrary file read and write. It focuses on the latest version available on Debian Buster repositories which is a legacy version.
The exploitation vectors mentioned are worth remembering the next time you’re testing a file upload functionality.
NorthSec 2021 Conference Day 1, Day 2, Schedule & Introduction to fuzzing, especially: You are not an idiot & Slides
There are so many interesting talks in this NorthSec edition, on all kinds of topics: GraphQL hacking, repo jacking, request smuggling, burnout, crypto best practices and many more.
@angealbertini‘s keynote in particular is of high relevance to hackers. It touches on difficulties a lot of us in InfoSec face including failure, burnout, imposter syndrome, manipulation, suicide… and how to protect ourselves.
Did you know Nuclei can also be used for mobile app tests? Its File requests feature allows you to check local files using matching/extracting. This makes it possible to use for finding dangerous patterns in mobile apps.
This repository provides good examples to get started with this type of scans.
SecuriTEA & Crumpets – Episode 7 – Dr.-Ing. Mario Heiderich – DOMPurify
Security Shorts EP01 with Harsh Bothra, EP03 with Somdev Sangwan & EP05 with Chloé Messdaghi
Interview With H13- : #1 Bug Bounty Hunter On Shopify | Methodology, Mistakes, Tips & More…
HITBSecConf2021 – Amsterdam: MAIN TRACK 1 – Day 2, MAIN TRACK 2 – Day 2, COMMSEC TRACK – Day 2, Agenda & Slides
Overwolf 1-Click Remote Code Execution – CVE-2021-33501 #Web
My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerability #MemoryCorruption
CVE-2021-21985 #RCE #VMware
Fuzzing HTTP Proxies: Privoxy, Part 1 #MemoryCorruption #Fuzzing
Path Traversal in MobileSafari (Apple)
Security: leak cross-site response size – countermeasure bypass (Google Chromium, $3,000)
Bypass apiserver proxy filter (Kubernetes, $1,000)
See more writeups on The list of bug bounty writeups.
ReServ: A set of simple servers (currently HTTP/HTTPS and DNS) which allow configurable and scriptable responses to network requests
bnew: A more performant implementation of @TomNomNom’s anew utility
getAllParams.py: Burp extension that parses an already crawled sitemap to build a custom parameter list
macOCR: Get any text on your screen into your clipboard
UserWritableLocations.ps1 & Intro: A PowerShell script for finding writable folders and hijackable DLLs
InsecureShop: An Intentionally designed Vulnerable Android Application built in Kotlin
Method Invocation in Go’s builtin template modules lead to file read and RCE. #Web
Abusing and Detecting LOLBIN Usage of .NET Development Mode Features #RedTeam
The Attack Path Management Manifesto #RedTeam
Saving Your Access #RedTeam
How Bugcrowd Sees Vulnerability Disclosure Programs And Points
Upcoming events:
Tools updates
Burp Professional / Community 2021.6 (brings back the hex view in the message editor)
httpx v1.0.7 (new follow-redirects flag to see destination URLs in the CLI output)
A warm welcome to @hacksplained who joined Intigriti this week! 🎉
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!