By Anna Hammond
July 7, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 28 to July 5.
Trusted Types – mid 2021 report
alert() is dead, long live print()
Google is waging war against XSS with Trusted Types and soon disabling alert for cross-domain iframes in Chrome. If you’re wondering whether XSS (especially DOM XSS) and alert() are dead, these resources will provide some insightful answers.
Introducing DOM Invader: DOM XSS just got a whole lot easier to find
DOM Invader is a new Burp tool implemented as an extension to the embedded browser. Until Trusted Types are adopted everywhere, DOM XSS is still an issue and this extension will make it much easier to test for it.
Taking over Uber accounts through voicemail
Kaspersky Password Manager: All your passwords are belong to us
Fail2exploit: a security audit of Fail2ban
@assetnote disclosed a creative Uber account takeover. Basically, when signing into the app, they force the OTP to be sent to voicemail, which can be hacked in different ways to retrieve the OTP. Even though the report was closed as informative, it is a cool finding and a well-written write-up.
The second write-up is about Kaspersky Password Manager using a weak password generator. Jean-Baptiste Bédrune found several issues in it, most notably that its PRNG used the current time as its only source of entropy. This meant every generated password could be brute-forced in seconds!
The third write-up isn’t about a successful hack but rather about pentesting an open source project and not finding anything. Despite the lack of vulnerabilities, it is an insightful dive into fail2ban’s security and how to approach such a pentest.
@kevin_backhouse shows his methodology, from identifying the attack surface to auditing the code and testing for different vulnerability classes.
Live Recon on Rockstar Games With @zseano
In this Live Recon session, @zseano shares with @NahamSec his bug hunting workflow and many tips including how he uses Burp.
If you are into Web application security testing, this is a goldmine of information. It’s like watching over a bug hunter’s shoulder to see how they do their magic.
The extended BApp store & Intro
The BApp Store is great for finding Burp extensions, but it lacks some features, like search functionality or a way to know when an extension’s original repo has updates not yet merged into the BApp Store.
To solve these issues, @BurpSuiteGuide came up with this brilliant site. It lets you quickly search extensions (including open source ones that are not yet on the BApp Store), supports tags, and tells you which extensions are deprecated or have updates.
Fuzzer Crash Root Cause Analysis With ASAN (AddressSanitizer)
20yrs Old Girl Found Bugs In Facebook && Google 😳 | Bug Bounty Hunter
PimpMyBurp #5 – Intruder: Use the tool to its full advantage
Navigating the impact of Wi-Fi FragAttacks: users, developers and asset owners
A (not so) Gentle Intro to Active Directory: ØxOPOSɆC [0xF09F8EA3] Challenge
SQL Injection – Lab #14 Blind SQL injection with time delays and information retrieval
Multiple vulnerabilities in Cisco Identity Services Engine (XSS to RCE as root) & Video PoC #Web
An EPYC escape: Case-study of a KVM breakout #KVM #Virtualization
Shared License or Crack? Access to 1000+ servers #Web #Binary
PrintNightmare / CVE-2021-34527 (originally considered as CVE-2021-1675): new attack vectors found by @cube0x0 and @gentilkiwi
How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021-34506] (Microsoft, $20,000)
See more writeups on The list of bug bounty writeups.
Fleex: Go tool that allows you to create multiple VPS on cloud providers (Linode & DigitalOcean) and use them to distribute your workload
hashit: Small bash script for encoding piped input to then pass on
Gotator: A Go tool to generate DNS wordlists through permutations
Trello_dorker: Google dorker via Serpapi to find exposed Trello boards
Script to create a macOS App from the Burp Jar file for MacBook M1 users
A quick hack to modify your font/fontsize settings of Turbo Intruder
Docker image to route all Burp traffic through a VPN via a local proxy
Build target-based custom wordlists using Turbo Intruder’s “observedWords”
@0xAwali’s methodologies for testing Sign Up, ATO: Reset Password & OAuth: Sign Up and Log In
TyphoonCon 2021 CTF (July 12-15)
Hack The Box Business CTF 2021 (for companies only, registration closes on July 16)
Grammarly $50K CTF (ongoing)
redpwnCTF 2021 (July 9-12)
Towards Systematic Black-Box Testing for Exploitable Race Conditions in Web Apps
Hunting for Windows “Features” with Frida: DLL Sideloading & Windows Feature Hunter (WFH)
How a Docker footgun led to a vandal deleting NewsBlur’s MongoDB database (TL;DR: Docker edits the host’s iptables rules and thereby bypasses the firewall, in this case exposing MongoDB to the world)
REvil ransomware attackers demand $70m following Kaseya VSA supply chain attack & ‘Apex predators’: Why the Kaseya ransomware attack has experts worried
Introducing the new OWASP Amass Information Sharing Feature (and contest)
That’s how you do it! Congratulations @bug_dutch, we’re happy for you too 👏
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!