By Anna Hammond
June 23, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 14 to 17.
Intigriti’s 0621 XSS challenge – by Physuru (@cffaedfe)
Attacking GraphQL’s Autocorrect – null Ahmedabad Meet
As part of the null Ahmedabad June Meet, @s0md3v presented a new attack vector against GraphQL. It leverages GraphQL’s Autocorrect to reverse engineer GraphQL schemas when introspection is disabled.
The tool that automates the attack, Tide, isn't public yet, but will hopefully be released soon.
Why dynamic code loading could be dangerous for your apps: a Google example (Google)
How I Found A Vulnerability To Hack iCloud Accounts and How Apple Reacted To It (Apple, $18,000)
The first writeup demonstrates why it is a bad idea for Android apps to load code dynamically: it allows an Intent Redirection vulnerability to be escalated into arbitrary code execution, illustrated with a vulnerable Google app. This prompted Google to issue a warning to developers about apps that contain Intent Redirection.
Another interesting writeup this week is an iCloud account takeover by @LaxmanMuthiyah. Using a combination of a race condition, a 2FA bypass and a rate-limiting bypass, it was possible to change the password of any Apple ID knowing only the associated phone number.
Lightning Components: A Treatise on Apex Security from an External Perspective & AppOmni Labs learning environment
@ConspiracyProof dives deep into the security of Apex (Salesforce's proprietary programming language), how to audit Lightning Components, and how to find common vulnerabilities like SOQL injection. Interestingly, the outlined methodology produced most of his bug bounty findings.
iOS App Testing Through Burp on Corellium
This is one of the most comprehensive tutorials I’ve seen on the topic. It answers questions like why you need a physical device if you’re a bug hunter, how to set up Burp, jailbreak, bypass certificate pinning, decrypt apps, set up a Corellium instance, etc. Great work by @defparam!
Understand Security Risk vs. Security Vulnerability!
This is a must-watch for bug hunters. @LiveOverflow explains the difference between a security risk and a security vulnerability. This will clear up why open redirects are not accepted by many bug bounty programs, and why some reported “vulnerabilities” are fixed despite being rejected.
codingo_ Shares His Recon Approach Using SecurityTrails, FDNS, Whoxy and more!
Live GitLab Ask a Hacker with Bug Bounty Hunter (vakzz) William Bowling (Public)
Bug Bounties Using only Burp & Browser – 30 DAY RESULTS (UNEXPECTED)[CLICKBAIT]
Hacking Android Deeplink Issues | Insecure URL Validation | Android Pentesting
The InfoSec & OSINT Show 61 – Robert Graham & Large Scale Port Scanning w/Masscan
Cybr Podcast: How to get started and breakthrough in Bug Bounty Hunting with Hakluke
Avaddon Ransonomics – Chrome 0-Day, Big Spinrite Update, iOS Wi-Fi Bug, Economics of Ransomware
THCon 2k21 & Agenda (French & English)
in simple words: Pen-Testing Salesforce SAAS Application (Part 1 – The Essentials) & Part 2 – Fuzz & Exploit
CVE-2021-31585: Accellion kiteworks – Web administrator to remote code execution #Web
Research Shows Over 100,000 Libraries Affected By Maven Vulnerability CVE-2021-26291 #Web
RetroArch for Windows – Versions 1.9.0 – 1.9.4 #RCE #Windows
CiviCRM 5.22.0 – Code Execution Vulnerability Chain Explained #Web
Unauthenticated Gitlab SSRF (GitLab)
Part-1 Dive into Zoom Applications (Zoom, $22,000)
Sanitizer bypass if the sanitized markup is assigned to srcdoc (Mozilla)
CSP bypass via wrong inheritance (Chromium) & CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix
Brave Browser Tor Window leaks user’s real IP to the external DNS server (Brave Software, $1,000)
Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission (HackerOne)
See more writeups on The list of bug bounty writeups.
goverview: Get overview about list of URLs
ZDNS: Fast CLI DNS Lookup Tool
hakrevshell: A tool for easily generating reverse/bind shells via tcp/udp on your system
namemash.py: Creating a user name list for brute force attacks
Nightmare: Intro to binary exploitation / reverse engineering course based around CTF challenges
WiFi Adapter for Kali Linux – The Best WiFi Adapter for Hacking in 2021
Get ready for the 2021 Google CTF (July 17-18)
Microsoft ADCS – Abusing PKI In Active Directory Environment
Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover & Whisker
Okta (virtual) Bug Bash: 2021! & Bug Bash 2021 Mentorship Application
Upcoming events:
VSACC 2K21 (June 28 – July 1)
Updates:
Being Okay With Not Being Okay: Getting Candid with Ben Sadeghipour — NahamSec
Infosec Bugbounty AMA with Akita, Arif Khan & Castilho, Harsh Bothra & Mikey
Beautiful, well done @iqimpz!
See this cool poster @Zwoltopia makes only for our 1337 hackers? If you want one too, you have 7 days left to try and get into our quarterly leaderboard!
Also if you have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love to hear from you!