Intigriti

Bug Bytes #143 – Building an Apache SSRF exploit, Thesis on HTTP Request Smuggling & Turbo Intruder go brrr

By Anna Hammond

October 20, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from October 11 to 18.

Intigriti News

How Artificial Intelligence is being used to match researchers with bug bounty programs

Our favorite 5 hacking items

1. Resource of the week

Bachelor’s thesis on HTTP Request Smuggling

Mattias Grenfeldt (@mgrenfeldt) and Asta Olofsson published their Bachelor’s thesis on HTTP Request Smuggling. After it was published, they also discovered a new technique that uses chunk extensions and affected Node.js.
There is a lot to unpack here but if you can’t get enough of this vulnerability, they also have a writeup on HRS in Gunicorn.

2. Writeups of the week

Bypassing required reviews using GitHub Actions (GitHub)
Stored XSS in markdown via the DesignReferenceFilter (GitLab, $16,000)

@omer_gil discovered a creative way to bypass required reviews on GitHub. Users with “write” permissions on a repo could create a GitHub Action that approves their pull request, allowing them to bypass required reviews.

The second writeup is an interesting bug chain on GitLab. @wcbowling found a stored XSS with CSP bypass that could ne escalated to Arbitrary file read / SSRF.

3. Vulnerability of the week

Building a POC for CVE-2021-40438, one-liner PoC & Nuclei template

CVE-2021-40438 is an SSRF in Apache HTTP Server 2.4.48 and earlier. It’s was discovered by the Apache HTTP security team and patched back in September, but there wasn’t any public proof of concept until now.
@Firzen14 details in an excellent article how they reverse engineered the patch and constructed the exploit.

4. Tip of the week

How to make Turbo Intruder attacks go as fast as possible

PortSwigger shared tips for making Turbo Intruder go as fast as possible. These can make all the difference when you are testing a vulnerability and speed is an important factor (e.g. race conditions).

5. Tutorial of the week

How to win at CORS

The first step to hack anything is understanding how it works, right? If you are interested in client-side vulnerabilities or browser security, you might enjoy this introduction to CORS. It is full of information on this fundamental Web mechanism, its history, how it works, with a playground for practice.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Webinars

Conferences

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • RIO & Guide: A handy plugin for copying requests/responses or generating reports directly from Burp

  • gh-dork: Github dorking tool

  • Snowcat & Intro: A Go tool to audit the Istio Service Mesh

  • Gorgo: A multi-threaded password sprayer based on Medusa, built for distributed spraying

  • LDAP Monitor: Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration

  • SAML2Spray: Python Script for SAML2 Authentication Passwordspray

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

You may also like