By Anna Hammond
September 29, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 20 to 27.
5 insights into the recruitment & hiring process at Intigriti
How Secure Are Your Universally Unique IDentifiers (UUIDs)? & extract-uuid-infos
UUIDv1 Sandwich Attacks aren’t new but I’m just discovering them thanks to @0xLupin. This led me to discover an excellent article by @VerSprite on UUID versions and their security implications. Also, @righettod has a PIPER script to automate the detection of UUIDs and extract info based on their version (all within Burp).
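As an added example (not code from the linked article or from @righettod's PIPER script), here is a small Python checker that finds RFC 4122-style UUIDs in a blob of text and, for version 1, recovers the embedded timestamp, clock sequence and node so a reviewer can see exactly what a time-based identifier leaks; the sample response body and its identifiers are constructed for the example.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
GREGORIAN_TO_UNIX_TICKS = 0x01B21DD213814000
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")

VERSION_NOTES = {
    1: "time-based: embeds a 100 ns timestamp, clock sequence and node (often the MAC)",
    2: "DCE security: time-based with POSIX UID/GID in the low bits",
    3: "name-based (MD5): reproducible from the namespace and name",
    4: "random: 122 bits from the generator; only as strong as that generator",
    5: "name-based (SHA-1): reproducible from the namespace and name",
}

def v1_timestamp(u):
    """Convert the 60-bit UUIDv1 timestamp into an aware UTC datetime."""
    unix_us = (u.time - GREGORIAN_TO_UNIX_TICKS) // 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_us)

def uuid_info(value):
    """Describe one UUID: version, variant and, for v1, the fields anyone can read back."""
    u = uuid.UUID(value)
    info = {"uuid": str(u), "version": u.version, "variant": u.variant,
            "note": VERSION_NOTES.get(u.version, "unknown or non-RFC 4122 layout")}
    if u.version == 1:
        first_octet = u.node >> 40
        info.update({
            "timestamp": v1_timestamp(u),
            "clock_seq": u.clock_seq,
            "node": f"{u.node:012x}",
            # Bit 0 of the first octet set means a random (multicast) node, not a real MAC.
            "node_is_random": bool(first_octet & 0x01),
            # Bit 1 set means a locally administered address (VMs, containers, spoofed NICs).
            "node_locally_administered": bool(first_octet & 0x02),
        })
    return info

def find_uuids(text):
    """Locate every UUID-looking token in text (a response body, a log line) and describe it."""
    return [uuid_info(m.group(0)) for m in UUID_RE.finditer(text)]

if __name__ == "__main__":
    # Constructed sample response body; both identifiers are made up for this example.
    sample = ('{"reset_token": "2f3c2c10-1b8a-11ec-9d5e-0242ac120002", '
              '"session": "550e8400-e29b-41d4-a716-446655440000"}')
    for item in find_uuids(sample):
        print(item)
```

A v1 token in a security-sensitive field (password reset, invitation, session) is the finding to report: the timestamp pins down when it was issued and the node and clock sequence are constant per host, which is what makes such identifiers guessable.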
Autodiscovering the Great Leak (Microsoft)
“A tale of making internet pollution free” – Exploiting Client-Side Prototype Pollution in the wild (Apple, Atlassian, Mozilla, HubSpot, Segment Analytics & others)
@0xAmit discovered that the Microsoft Autodiscover protocol used by Exchange leaks Windows domain credentials to autodiscover.[tld] domains. Some of these domains were available to purchase. By registering them, Amit received hundreds of thousands of domain credentials…
Another amazing piece of research is about prototype pollution at scale. A team of researchers scanned vulnerability disclosure programs looking for prototype pollution vulnerabilities, trying to find script gadgets for XSS. They found 18 vulnerable libraries, 80 bugs reported, and share lots of details on the methodology and tools they used.
How To Search For DOM-Based XSS!
How to Create a Better Infosec Resume (with @jhaddix)!
@PascalSec‘s explanation of DOM XSS is just amazing. Everything is broken down including the basics of DOM XSS, sources and sinks, and how to track data flows from source to sink using the browser DevTools and JavaScript debugger.
If you struggle with this vulnerability type, this will clarify all the steps you need to detect and exploit it.
The second video is for anyone in InfoSec who wants to create or improve their resume. @NahamSec and @Jhaddix talk about the dos and don’ts, demonstrate the creation of a resume for a fake persona, then review some resumes sent by viewers.
SecurityTrails x Amass ReconMaster contest
@yougina came ninth in SecurityTrails’s Recon Master contest and shares how they did it. It is interesting to see that no intricate or obscure recon tools or techniques were used. It’s all about how well-known tools were chained together, with custom scripts to overcome memory and storage space limitations.
How to send remote VPS requests to your local BURP using SSH
Some of you may already know how to do this. For those who don’t, this is good to know in case you need to run tools on your VPS and proxy the traffic through your local Burp.
The solution shared by @bsysop is simply to run ssh -R 8080:127.0.0.1:8080 root@VPS_IP -f -N locally, then use http://127.0.0.1:8080 as a proxy when running tools on the VPS (e.g. curl -k https://example.com -x http://127.0.0.1:8080).
$50,000 Shopify access to source code via leaking GitHub token – Hackerone bug bounty
Did you really find a vulnerability in Google? – ft. @PwnFunction
Day[0]: iOS 0days, Apache Dubbo RCEs, and NPM bugs [Bounty Hunting]
Day[0]: A Curl UAF, iPhone FORCEDENTRY, and a Crazy HP OMEN Driver [Binary Exploitation Podcast]
How Secure Are Your Universally Unique IDentifiers (UUIDs)? & UUIDv1 Sandwich Attack example
Linux X86 Assembly – How To Test Custom Shellcode Using A C Payload Tester
Waybackurls – Hacker Tools: Time-traveling for bounties 👩💻 & Video
nmapAutomator: Automating your Nmap Enumeration and Reconnaissance
CVE-2021-38112: AWS Workspaces Remote Code Execution #Desktop
Cachet 2.4: Code Execution via Laravel Configuration Injection
The Ultimate Guide to Crashing Your Friend’s Wedding – The Knot, Business Logic Flaw #Web
iOS 15 iCloud Private Relay Vulnerability Identified #Privacy #iOS
New Azure Active Directory password brute-forcing flaw has no fix
VMware CVE-2021-22005 Technical analyses by Censys, by Randori, by @testanull & Nuclei template for detection
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program (Apple)
CVE-2021-26084: Details On The Recently Exploited Atlassian Confluence OGNL Injection Bug
Remote Command Execution in Visual Studio Code Remote Development Extension (Microsoft)
Attack Surface Analysis – Part 3 – Resurrected Code Execution ($8,500)
$8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser (Opera, $8,000)
Facebook Messenger for MacOS contained valid hardcoded FB access token (employee’s token?) (Facebook, $625)
RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through (Citrix Systems)
Pwn2Own 2021: Parallels Desktop Guest To Host Escape (Parallels)
mXSS in support.mozilla.org (Mozilla)
See more writeups on The list of bug bounty writeups.
Chronos: Extract pieces of info from a web page’s Wayback Machine history
ssh-key-confirmer: Test if a public key would theoretically be allowed on a SSH target if you had the private key
crawlergo: A powerful browser crawler for web vulnerability scanners
Mitra: A generator of weird files (binary polyglots, near polyglots…)
Cariddi: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…
With iOS 15 supporting Safari extensions, you can use WebInspector extension to hack on iPad
A contrived solution for the “Basic context length limit, arbitrary code” impossible lab
Use this to build a quick GraphQL schema from Facebook Android and iOS apps
PyGoat: Intentionally vuln web Application Security in django
HTB Retired Machines free for two weeks, the current one is Jarmis
Using CodeQL to detect client-side vulnerabilities in web applications
Bug Bounty Cloud Automation at Scale & AWS Step Functions to accelerate bug bounty recon workflows (follow-ups to @ryanelkins’s DEFCON 29 talk)