Bug Bytes #128 – GraphQL Autocorrect, Dangerous Dynamic code loading & How to audit Salesforce Lightning Components

By Anna Hammond

June 23, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from June 14 to 17.

Intigriti News

Intigriti’s 0621 XSS challenge – by Physuru (@cffaedfe)

Our favorite 5 hacking items

1. Webinar of the week

Attacking GraphQL’s Autocorrect – null Ahmedabad Meet

As part of the null Ahmedabad June Meet, @s0md3v presented a new attack vector against GraphQL. It leverages GraphQL's autocorrect (the "Did you mean ...?" field suggestions in error messages) to reverse engineer GraphQL schemas when introspection is disabled.
The tool that automates the attack, Tide, isn't public yet but will hopefully be released soon.

2. Writeups of the week

Why dynamic code loading could be dangerous for your apps: a Google example (Google)
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It (Apple, $18,000)

The first writeup demonstrates why it is a bad idea for Android apps to load code dynamically: it enables escalating Intent Redirection vulnerabilities into arbitrary code execution, with the example of a vulnerable Google app. This prompted Google to issue a warning for developers about apps that contain Intent Redirection.

Another interesting writeup this week is an iCloud account takeover by @LaxmanMuthiyah. Using a combination of a race condition, a 2FA bypass and a rate-limiting bypass, it was possible to change the password of any Apple ID knowing only its phone number.

3. Resource of the week

Lightning Components: A Treatise on Apex Security from an External Perspective & AppOmni Labs learning environment

@ConspiracyProof dives deep into the security of Apex (Salesforce's proprietary programming language), how to audit Lightning Components, and how to find common vulnerabilities like SOQL injection. Interestingly, the outlined methodology led to most of his bug bounty findings.

4. Tutorial of the week

iOS App Testing Through Burp on Corellium

This is one of the most comprehensive tutorials I've seen on the topic. It answers questions like why you need a physical device if you're a bug hunter, and how to set up Burp, jailbreak the device, bypass certificate pinning, decrypt apps, set up a Corellium instance, etc. Great work by @defparam!

5. Video of the week

Understand Security Risk vs. Security Vulnerability!

This is a must-watch for bug hunters. @LiveOverflow explains the difference between a security risk and a security vulnerability. This will clear up why open redirects are not accepted by many bug bounty programs, and why some reported “vulnerabilities” are fixed despite being rejected.


Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • goverview: Get overview about list of URLs

  • ZDNS: Fast CLI DNS Lookup Tool

  • hakrevshell: A tool for easily generating reverse/bind shells via tcp/udp on your system

  • namemash.py: Creating a user name list for brute force attacks

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

Beautiful, well done @iqimpz!

See this cool poster @Zwoltopia makes only for our 1337 hackers? If you want one too, you have 7 days left to try and get into our quarterly leaderboard!

Also if you have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love to hear from you!
