By Anna Hammond
November 3, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 25 to November 1.
Common Threat Matrix for CI/CD Pipeline & Attacking and Securing CI/CD Pipeline
We’ve seen some amazing writeups involving CI/CD pipelines recently. Their attack surface is large, they are trendy, and they can lead to serious supply chain attacks, which makes them a good target for attackers.
So, if you want to learn about CI/CD security (from both defender and attacker standpoints), this new threat matrix by @rung is a great resource.
While testing Web apps, you might encounter strings that seem to be base64 encoded but can’t be decoded properly because they’re actually Protobuf serialized data that is encoded in Base64. Not knowing about this serialization format can make you miss critical vulnerabilities.
That’s what this writeup is all about: An excellent introduction to Protobuf, how to decode and deserialize Protobuf data, exploit this entry point for SQL injection and how to create a SQLmap tamper script to automate the process.
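As an added example (not code from the write-up above), here is a small Python probe that tells a Base64 string carrying a Protobuf message apart from ordinary Base64 text by walking the wire format without a .proto schema; the sample string is constructed for this example.

```python
import base64

# Constructed sample: field 1 = varint 150, field 2 = string "alice",
# i.e. the bytes 08 96 01 12 05 61 6c 69 63 65 in Base64.
SAMPLE_PROTOBUF_B64 = "CJYBEgVhbGljZQ=="


def read_varint(buf, pos):
    """Read a base-128 varint starting at pos; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_raw(buf):
    """Walk the wire format with no schema: list of (field_no, wire_type, value).

    Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32.
    Deprecated group types (3, 4) and unknown types are rejected.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 2, 5):
            size = {1: 8, 5: 4}.get(wire_type)
            if size is None:  # length-delimited: length prefix, then payload
                size, pos = read_varint(buf, pos)
            value = bytes(buf[pos:pos + size])
            if len(value) != size:
                raise ValueError("truncated field payload")
            pos += size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def probe_base64(text):
    """Return the decoded fields if text is Base64 over a valid message, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
        return decode_raw(raw) if raw else None
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
```

Length-delimited values (wire type 2) may themselves be nested messages; feeding such a payload back into decode_raw lets you recover deeper structure before deciding which field to inspect.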
CookieMonster & Intro
jolokia-exploitation-toolkit (JET) & Tutorial
CookieMonster is a Go tool/API that automates testing for vulnerabilities in stateless authentication. It supports several frameworks and helped @iangcarroll find bugs in many large bug bounty programs.
If you want to automate your testing even further and mass-scan targets, @naglinagli suggests combining it with his Cookies-extractor.
@TheLaluka released Jolokia Exploitation Toolkit, a Python tool that helps exploit exposed Jolokia endpoints. The accompanying article goes into detail on how to use it to get RCE on a Tomcat/Catalina server. This can be handy if you want to escalate an SSRF that allows reaching an internal Jolokia endpoint into RCE.
Android security checklist: WebView
This is a great tutorial on how to attack and protect WebView on Android. It includes different exploitation techniques, ways to increase the impact of attacks, and lots of details.
How to Start Bug Bounties 101 & How to Make a Million in 4 Years
Creativity, Self-Doubt & Doing Remarkable Work
If you wonder how hackers like @ozgur_bbh and @s0md3v do their magic, I recommend reading these articles they wrote.
The TL;DR is that there is no magic: “Just work.” However, it is still interesting to hear what they have to say on the topic, the mindset and the steps they took that made all the difference.
Hack The Box Hacking Battlegrounds Streamed Tournament #2 – Commentated by IppSec and John Hammond
HackerSploit: Red Team Security Series Part 1: Caldera, Reconnaissance, Luckystrike & PowerShell Empire & Part 2
Browser, what are you doing?! Solution to October ’21 XSS Challenge
This bug doesn’t exist on x86: Exploiting an ARM-only race condition
Sitecore Experience Platform Pre-Auth RCE #Web #CodeReview
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD #CI/CD #Web
Finding An Unauthenticated RCE Vulnerability In MovableType :: CVE-2021-20837/JVN#41119755 #Web #Perl #CodeReview
50 Shades of SolarWinds Orion (Patch Manager) Deserialization (Final Part: CVE-2021–35218) #Web
1,000,000 Sites Affected by OptinMonster Vulnerabilities #Web #CodeReview
Zimbra “nginx” Local Root Exploit & Zimbra “zmslapd” Local Root Exploit. #Linux #LPE
CVE-2021-22205: Rapid7 analysis & Nuclei template #Web (the Gitlab / Exiftool RCE thought to be unauthenticated is actually a pre-auth RCE)
NGINX Custom Snippets CVE-2021-25742 #Kubernetes
Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260) & Nuclei template #IoT
Write Up – XSS Stored In api.media.atlassian.com Via Doc File (iOS) (Atlassian)
Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection (Apple)
This is how i was able to Permanently Crash all Mapillary users within minutes
Use-After-Free in Voice Control: CVE-2021-30902 Write-up (Apple)
Image queue default key of ‘None’ and GraphQL unhandled type exception (Reddit, $500)
See more writeups on The list of bug bounty writeups.
Web Cache Vulnerability Scanner (WCVS) & Intro: Go tool for testing for web cache poisoning
Quiet Riot & Intro: A Scalable AWS Enumeration and Footprinting Tool
Frogy: Subdomain enum tool
How to load an openapi.json file (based on v3 specification) into Burp & Useful converters
Did you know you can do WHOIS lookups on IP addresses and ASN numbers, not just domain names?
Mobile Application Penetration Testing (TCM Academy course) ($29.99)
Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems & Introductory video (Starting at $31.19)
DUNGEON – BSides Ahmedabad CTF 2021 (November 6-7)