By Anna Hammond
August 6, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 26 to August 2.
Securing XML implementations across the web
Zimbra 8.8.15 – Webmail Compromise via Email
Mattermost researcher @jupenur disclosed round-trip vulnerabilities found in four XML parsers. Interestingly, they lead to authentication bypass in major SAML implementations.
The other writeup by @scannell_simon is about DOM-based stored XSS and authenticated SSRF. Chaining them increased their impact and would’ve allowed unauthenticated attackers to compromise Zimbra webmail servers.
XXE Case Studies
Potential remote code execution in PyPI (pypi.org, $3,000)
The first writeup by @cinzinga_ has some interesting attack vectors for XXE, e.g. XXE via KML, proprietary, PDF and Excel files. They’re worth knowing if you like to test for XXE.
The second writeup is the continuation of @ryotkak's work on supply-chain attacks. Static analysis of PyPI's source code revealed three vulnerabilities including RCE on pypi.org.
Hallucinate allows you to inspect and manipulate TLS traffic using dynamic instrumentation. Unlike a Web proxy like Burp, it does not replace certificates, so it is particularly useful when you want to analyze an app's encrypted traffic without having to bypass certificate pinning.
DO NOT USE alert(1) for XSS & Blog post
If you use alert(1) when looking for XSS, you’ll find this very informative. @LiveOverflow demonstrates why it can lead to false positives (e.g. if the XSS payload runs in a sandbox domain/iframe) and what other Proofs of Concept are generally better to use.
Last Week in Security (LWiS) – 2021-08-02
Last Week in Security (LWiS) is @badsectorlabs's weekly summary of offensive security news, techniques and tools. It is similar to Bug Bytes but focuses more on the red team / internal pentest / Active Directory side. So if these are the topics you're most interested in, it is a great newsletter to follow.
I usually also include these topics in Bug Bytes, but this week in particular there have been too many noteworthy new tools and attacks. So, exceptionally, this Bug Bytes will focus almost exclusively on Web / API / mobile hacking; for all the new AD and red teaming fun, please refer to LWiS.
Hacker Tools: NoSQLMap – No SQL, Yes exploitation & Blog post
Learn with Rohit: Attacks and Defenses to Docker & Kubernetes!!
$50k bug bounty on Shopify explained (GitHub access token leaked via electron application)
The Malicious Office 365 Application Experiment.. that went bad.. real bad..
Radio Hack Ep2: Secure Code Review – Fady Othman (in Arabic)
The BlackMatter Interview – Bad News for Firefox, DarkSide Return, Tailscale, Google to Assume HTTPS
Hack’n Speak 0x09 – topotam | Une belle histoire, du TII et PetitPotam (Interview in French with PetitPotam’s author)
Stealing Bitcoin with Cross-Site Request Forgery (Ride the Lightning + Umbrel) #Web
Multiple Open Source Web App Vulnerabilities Fixed #CodeReview #Web
Rotten Apples: Macos Codesigning Translocation Vulnerability #MacOS
CVE-2021-27077: Selecting Bitmaps Into Mismatched Device Contexts #Windows #LPE
How to be popular (OkCupid)
Gaining Access To GCP Of Google Stadia — 500$ Bounty (Google, $500)
Facebook Email/phone disclosure using Binary search (Facebook)
CVE-2020-15823: Server-Side Request Forgery (SSRF) in JetBrains YouTrack (JetBrains)
Stealing SSO Login Tokens (snappublisher.snapchat.com) (Snapchat, $7,500)
See more writeups on The list of bug bounty writeups.
dnsline: Tool for making it easy to collect dns results from the CLI
Sanity: MXSS Fuzzer
SaveBrowsingImages: Burp extension to save all browsed images to disk
Revealin: Uncover the full name of a target on LinkedIn
Key-Checker: Go scripts for checking API key / access token validity
reverse-apk: Quickly analyze and reverse engineer Android applications
plution: Prototype pollution scanner using headless chrome
If you could search through every subdomain on the internet what are some stuff you’d look for?
Command to detect if a system is Windows or Linux (post-exploitation)
@0xAwali’s Online Shopping testing Checklist & Search engines queries
Attack AI systems in Machine Learning Evasion Competition (Aug 06 – Sep 17)
Hacking naked Akamai ARL at scale, Weaponizing Apify for mass bug bounty $$$, Script to test open Akamai ARL vulnerability & V1/V2 ARL Change – Starting Aug 10, 2021
How I Lost the SecurityTrails #ReconMaster Contest, and How You Can Win: Edge-Case Recon Ideas
This is so inspiring! Make sure to check out @zseano’s free methodology to see how these guys did it 😎
Also tag us on social media to share your own bug hunting wins and joys, we love hearing from you!