By Anna Hammond
September 1, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from August 23 to 30.
Dan Miessler Talks About Recon/Automation, Seclists, Certifications, Mental Health & More!
This interview with @DanielMiessler is a must watch if you are into hacking and personal growth. It is one of @NahamSec’s best interviews or, as he says: “If you’re going to watch only one of my videos, this should be it”.
Vulnerability in Bumble dating app reveals any user’s exact location
@RobJHeaton discovered a way to disclose the exact location of Bumble users using trilateration. It is a nice read if you like creative findings and fun writeups (it’s written like a detective story).
Python context free payloads in Mako templates & Python vulnerabilities: Code execution in jinja templates
How to set up Docker for Varnish HTTP/2 request smuggling & Repo
SSTI payloads for RCE can be complex and look like magic to beginners. If you wonder how they are constructed, the first couple of tutorials will be helpful. @podalirius_ created several new payloads for Mako and Jinja, and explains the methodology used to construct them.
The second tutorial and accompanying repository will be useful if you want to practice finding HTTP/2 request smuggling vulnerabilities. The dockerized lab deploys a local environment that is vulnerable to CVE-2021-36740 (HTTP/2 request smuggling in Varnish).
You may have heard of OAuth 2.0, JWT, PASETO and Protobuf Tokens, but have you heard of Macaroons, Biscuits and Facebook CATS? This article compares these different types of API tokens from a security standpoint. It is addressed to developers, but knowing the weaknesses of each type of token provides good insights for anyone who has to test API security.
uro
graphw00f
Interactsh Collaborator
There is a common problem bug hunters face when fuzzing a list of URLs: How to avoid testing similar/duplicate or uninteresting URLs? @s0md3v released uro, a handy Python script that solves this issue using pattern matching (e.g. to remove blog pages) and extensions (to remove js/pdf/png… files).
@dftrace’s graphw00f is a Python tool that takes a GraphQL endpoint as input and tries to fingerprint the server engine behind it. It doesn’t just return the detected engine’s name, but also its default defense mechanisms (useful to know when you’re trying to attack it!).
If you use Project Discovery’s Interactsh and Burp, you might love @wdahlenb’s interactsh-collaborator. It is a Burp extension that acts as an Interactsh client. So, you get free out-of-band testing directly from Burp.
“You Changed My Life” with @John Hammond (Hacker Heroes #11)
Creating a YouTube TV that could steal your private videos – $6,000 CSRF
Finding bugs in Google VRP without recon – David Schütz – BBRD #01
Radio Hack Ep4: Client-Side Bugs – Youssef Sammouda (in Arabic)
Kubernetes Security: Attacking and Defending K8s Clusters & Kubernetes Gotchas – Hacking and Defending Kubernetes
SiegeCast “The Way of the Spray” with Security Consultant Jason Downey & Slides
BSides LV 2021 Day 1 Stream 1, Day 1 Stream 2, Day 2 Stream 1 & Day 2 Stream 2, especially:
Hacker Tools: ReNgine – Automatic recon & Hacker Tools: WPScan – Your WordPress isn’t safe!
Burp Suite and Beyond: Exploring non-HTTP protocols using MITM_RELAY
Exploration of Native Modules on Android with Frida & Getting started with Frida on Android Apps
Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus #Web
Finding Insecure JWT Signature Validation with CodeQL #Web #CodeReview
Tampering with arbitrary packages in @types scope of npm #Web
McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump #IoT
ChaosDB: Critical Vulnerability in Microsoft Azure Cosmos DB (Microsoft, $40,000)
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions (Microsoft)
Pwn2Own Vancouver 2021 :: Microsoft Exchange Server Remote Code Execution (Microsoft)
Proxytoken: An Authentication Bypass In Microsoft Exchange Server (Microsoft)
The Nomulus rift (Google)
Cache Poisoning (Squid Cache (IBB), $6,000)
See more writeups on The list of bug bounty writeups.
BatchQL & Intro: GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations
hakluke/dumpcn: Get all the CNs and SANs from a list of domains
deeplink-fuzz.sh: A Bash wrapper for radamsa that can be used to fuzz exported activities and deep links
wmkick & Intro: MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes
Parameter Pollution #2 & PHP drops any header if it finds nullbyte value in the header
How to download Windows legally for pentesting or malware analysis
Blast Radius: Mapping, Controlling, and Exploiting Dynamic Self-Registration Services
AWS privilege escalation: exploring odd features of the Trust Policy
Bug bounty
Cybersecurity
Upcoming events
GrabCON 2021 (September 2)
Pwn2own Austin 2021: Phones, Printers, NAS, And More! (November 2-4)
Tool updates
Nuclei v2.4.3 (Added support for using environment variables directly in templates)
Notify v1.0.0 (New flags & new providers supported)