By Anna Hammond
November 17, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 8 to 15.
Intigriti’s November XSS challenge By @IvarsVids
Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond & Slides + Whitepaper
Daniel Thatcher presented a new technique called “HTTP header smuggling” at Black Hat Europe 2021.
Basically, it is about attacking chains of servers and smuggling headers that will be hidden to some servers in the chain and visible to others.
This can lead to HTTP request smuggling, cache poisoning or IP restriction bypass (by leveraging a weakness in the AWS API Gateway).
As part of this research, Daniel released a Param Miner fork. Note, however, that it has since been merged into the master branch of Param Miner.
T-Reqs: HTTP Request Smuggling with Differential Fuzzing & T-Reqs HTTP Fuzzer
This is a different take on HTTP Request Smuggling (HRS). It focuses on creating a generic framework and infrastructure to fully automate detecting HRS at scale using grammar-based fuzzing.
This is a neat paper/research that explores new areas, for instance finding web server and proxy pairs that are vulnerable even though each one individually is not.
ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough (Microsoft, $40,000)
Exploiting CSP in Webkit to Break Authentication & Authorization (Apple, $100k+)
Multiple Concrete CMS Vulnerabilities (Part 1 – RCE)
Remember ChaosDB from a few weeks ago? It allowed @sagitz_ and @nirohfeld to gain unrestricted access to the databases of Microsoft Azure customers. The researchers finally released technical details on the chain of misconfigurations that made this impressive attack possible.
The second writeup is about a vulnerability in Safari’s browser engine, Webkit. It did not adhere to the W3C specification when handling CSP violation reports, but Apple deemed this not severe enough to fix quickly. So, @sachinnthakuri and @1lastBr3ath found a way to use this and exploit multiple OAuth/SSO implementations, earning more than $100k in bounties. Not bad for a “won’t fix quickly” bug!
In the third writeup, FORTBRIDGE researchers combine file upload with two race conditions to get RCE. This is really worth reading, both creative and very informative.
Let’s say you need to use several VPNs simultaneously (e.g. corporate VPN + training platform VPN + bug bounty platform VPN).
What bugbounty-openvpn-socks allows you to do is expose each VPN via a local SOCKS proxy. So, when you run any tool, you can choose which VPN it should go through (e.g. curl -x socks5://localhost:1000).
This is a very useful tool by @honoki, that also integrates well with BBRF if you use it.
Android App Hacking Workshop
@0xAwali’s methodology for testing Secondary Contexts
The first resource is a slide deck by Google on Android app hacking for bug hunters. It is accompanied by two APKs that include challenges/flags, and a PDF with solutions.
If you want to dive into Android app security and like hands-on learning, this is fantastic. It is beginner friendly but also covers advanced topics, not just the basics.
Another amazing resource is @0xAwali’s compilation of 110+ things to try when hacking secondary contexts. So many good tips, each one with its reference(s) if you want to find out more about it.
BountyTraining [2] – Getting a feel for your target with BugBountyHunter
Scanning for hardcoded secrets in source code | Security Simplified
#MentorshipMondays | Featuring @Achillean, Creator of Shodan
Retrospective (and some new tricks) for cross-site browsing history leaks
Black Hat Europe 2021, especially:
JavaScript type confusion: Bypassed input validation (and how to remediate) #Web
Multiple Vulnerabilities in ResourceSpace #Web #CodeReview
Unboxing BusyBox – 14 new vulnerabilities uncovered by Claroty and JFrog #Linux #MemoryCorruption
Independently Secure, Together Not So Much – A Story Of 2 WP Plugins #Web #CodeReview
Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over (Google)
Write Up – Google VRP Bug Bounty: /etc/environment Local Variables Exfiltrated On Linux Google Earth Pro Desktop App – $1,337 USD (Google, $1,337)
Pre-Auth POST Based Reflected XSS in Microsoft Exchange (CVE-2021-41349) & Microsoft fixes reflected XSS in Exchange Server (Microsoft)
From URL dumps digging to IDOR, BAC, Massive Phishing in Udemy (Udemy, $1,300)
Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows (Elastic, $584)
See more writeups on The list of bug bounty writeups.
GrepAddr: Python script that extracts different kinds of addresses (URLs, IPs, e-mail addresses, MAC addresses, etc) from stdin
lsarelayx: NTLM relaying for Windows made easy
dnsline: Tool for making it easy to collect dns results from the CLI
Lateral SQL Injection Revisited – Exploiting NUMBERs & More whitepapers by the same author
Pre-auth XXE on software using Apache XML-RPC versions prior to 3.1.3
Deleted S3 objects with versioning enabled and public access can still be accessed
Example pentest reports (by finalists of the Collegiate Penetration Testing Competition) & CPTC – Better Pentest Reports w/ Examples!
The Invisible JavaScript Backdoor & Smuggling hidden backdoors into JavaScript with homoglyphs and invisible Unicode characters
The Kerberos Key List Attack: The return of the Read Only Domain Controllers
CVE-2021-22205: It Was A GitLab Smash (includes a method for fingerprinting GitLab versions by looking at the names of publicly available CSS files)
Cybersecurity
Upcoming events
DAMNCON 2021 (November 20)
Digital Meetup — “Report Medley — What Makes a Bug Report Great?” (December 8)
Tool updates