By Anna Hammond
October 20, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 11 to 18.
How Artificial Intelligence is being used to match researchers with bug bounty programs
Bachelor’s thesis on HTTP Request Smuggling
Mattias Grenfeldt (@mgrenfeldt) and Asta Olofsson published their Bachelor’s thesis on HTTP Request Smuggling. After it was published, they also discovered a new technique that uses chunk extensions and affected Node.js.
There is a lot to unpack here, but if you can’t get enough of this vulnerability, they also have a writeup on HRS in Gunicorn.
Bypassing required reviews using GitHub Actions (GitHub)
Stored XSS in markdown via the DesignReferenceFilter (GitLab, $16,000)
@omer_gil discovered a creative way to bypass required reviews on GitHub. Users with “write” permissions on a repo could create a GitHub Action that approves their pull request, allowing them to bypass required reviews.
The second writeup is an interesting bug chain on GitLab. @wcbowling found a stored XSS with a CSP bypass that could be escalated to arbitrary file read / SSRF.
Building a POC for CVE-2021-40438, one-liner PoC & Nuclei template
CVE-2021-40438 is an SSRF in Apache HTTP Server 2.4.48 and earlier. It was discovered by the Apache HTTP security team and patched back in September, but there wasn’t any public proof of concept until now.
@Firzen14 details in an excellent article how they reverse engineered the patch and constructed the exploit.
How to make Turbo Intruder attacks go as fast as possible
PortSwigger shared tips for making Turbo Intruder go as fast as possible. These can make all the difference when you are testing a vulnerability and speed is an important factor (e.g. race conditions).
The first step to hack anything is understanding how it works, right? If you are interested in client-side vulnerabilities or browser security, you might enjoy this introduction to CORS. It is full of information on this fundamental Web mechanism, its history, how it works, with a playground for practice.
$2,500 Leaking parts of private Hackerone reports – timeless cross-site leaks
How to conduct a basic security code review | Security Simplified
GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 #Crypto #CodeReview
Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace #Web #Ethereum
Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members (Slack)
Auth Bypass in Google Assistant (Google, $8,133.70)
Stored XSS in Mermaid when viewing Markdown files (GitLab, $3,000)
See more writeups on The list of bug bounty writeups.
RIO & Guide: A handy plugin for copying requests/responses or generating reports directly from Burp
gh-dork: Github dorking tool
Gorgo: A multi-threaded password sprayer based on Medusa, built for distributed spraying
LDAP Monitor: Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration
SAML2Spray: Python Script for SAML2 Authentication Passwordspray
Cloudflare bypass for RCE via Unrestricted file upload & Stored XSS
If you find an S3 subdomain takeover, you need to set up the S3 bucket in the correct region
Interactsh server can be used to query cloud metadata services
Learn Burp Suite Plugin Development from Scratch. ($5 pre-launch, $8 post-launch)
Cybersecurity
Upcoming events
Ekoparty 2021 (November 2-6)
Tool updates