Intigriti

Bug Bytes #140 – The Great leak, Sandwich Attacks & Better InfoSec resumes

By Anna Hammond

September 29, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from September 20 to 27.

Intigriti news

5 insights into the recruitment & hiring process at Intigriti

Our favorite 5 hacking items

1. Tutorial of the week

How Secure Are Your Universally Unique IDentifiers (UUIDs)? & extract-uuid-infos

UUIDv1 Sandwich Attacks aren’t new but I’m just discovering them thanks to @0xLupin. This led me to discover an excellent article by @VerSprite on UUID versions and their security implications. Also, @righettod has a PIPER script to automate the detection of UUIDs and extract info based on their version (all within Burp).

2. Writeups of the week

Autodiscovering the Great Leak (Microsoft)
“A tale of making internet pollution free” – Exploiting Client-Side Prototype Pollution in the wild (Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others)

@0xAmit discovered that the Microsoft Autodiscover protocol used by Exchange leaks Windows domain credentials to autodiscover.[tld] domains. Some of these domains were available to purchase. By registering them, Amit received hundreds of thousands of domain credentials…

Another amazing piece of research is about prototype pollution at scale. A team of researchers scanned vulnerability disclosure programs looking for prototype pollution vulnerabilities, trying to find script gadgets for XSS. They found 18 vulnerable libraries, 80 bugs reported, and share lots of details on the methodology and tools they used.

3. Videos of the week

How To Search For DOM-Based XSS!
How to Create a Better Infosec Resume (with @jhaddix)!

@PascalSec‘s explanation of DOM XSS is just amazing. Everything is broken down including the basics of DOM XSS, sources and sinks, and how to track data flows from source to sink using the browser DevTools and JavaScript debugger.
If you struggle with this vulnerability type, this will clarify all the steps you need to detect and exploit it.

The second video is for anyone in InfoSec who wants to create or improve their resume. @NahamSec and @Jhaddix talk about the dos and don’ts, demonstrate the creation of a resume for a fake persona, then review some resumes sent by viewers.

4. Article / Tools of the week

SecurityTrails x Amass ReconMaster contest

@yougina came ninth in SecurityTrails’s Recon Master contest and share how they did it. It is interesting to see that no intricate or obscure recon tools or techniques were used. It’s all about how well-known tools were chained together, with custom scripts to overcome memory and storage space limitations.

5. Tip of the week

How to send remote VPS requests to your local BURP using SSH

Some of you may already know how to do this. For those who don’t, this is good to know in case you need to run tools on your VPS and proxy the traffic through your local Burp.
The solution shared by @bsysop is simply to run ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N locally, then use http://127.0.0.1:8080 as a proxy when running tools on the VPS (e.g. curl -k https://example.com -x http://127.0.0.1:8080).

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • fullhunt.io & Intro

  • Chronos: Extract pieces of info from a web page’s Wayback Machine history

  • ssh-key-confirmer: Test if a public key would theoretically be allowed on a SSH target if you had the private key

  • crawlergo: A powerful browser crawler for web vulnerability scanners

  • Mitra: A generator of weird files (binary polyglots, near polyglots…)

  • Cariddi: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

You may also like