By Anna Hammond
November 24, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 15 to 22.
Why join Intigriti? Here’s 16 reasons why you’ll love working here
Increase in the Intigriti program’s bounty table
Reacting to myself finding an SSRF vulnerability in Google Cloud & Blog post (Google, $10,401.1)
@xdavidhu discovered an SSRF on Google Cloud and filmed the entire process: from the bug’s discovery, to exploiting it for RCE, creating the PoC, reporting it, and then bypassing the fix.
If you’ve ever dreamed of peeking over the shoulder of a bug hunter while they are finding a critical bug (not just doing recon or practicing in a lab), this is a truly rare opportunity.
Finding Zero-Day Vulnerabilities in the Supply Chain
How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud (Atlassian, $15,000)
The first writeup is about CSTI, bypassing signed requests (with a JavaScript breakpoint), and exploiting an SSRF with the SMB scheme to steal NTLM hashes. The techniques are not new but @0xLupin does an amazing job of explaining these critical pentest findings, and showing how to escalate the bugs’ impact as much as possible.
The second writeup by @Krevetk0Valeriy is about issues in the Atlassian Cloud’s registration flow. This is an interesting read if you like authentication bugs, or an example of digging deep into strange behaviors so that an N/A turns into a $15k finding.
FirstBloodv2 disclosed reports
BugBountyHunter disclosed writeups submitted by members during their last Hackevent, FirstBlood v2. If you can’t get enough of bug bounty writeups, this is a nice collection to explore whether you are interested in server-side, client-side or logic vulnerabilities.
ChronoRace is a Python tool for fine-tuning race condition attacks. @itscachemoney used it to execute carefully timed race condition attacks that circumvent application business logic, such as this email confirmation bypass on Shopify.
If HTTP request smuggling is more your thing, you might be interested in h2rs. This Python tool by @ricardo_iramar can detect request smuggling via HTTP/2 downgrades.
Swiss Cyber Storm 2021 & Slides, especially:
Impact of Frameworks on Security of JavaScript applications By Ksenia Peguero
Bug Bounty Switzerland: Tales and Vulnerabilities from our Bug Bounty Adventures
Patterns and anti-patterns in software development By Philippe de Ryck
I hadn’t heard of Swiss Cyber Storm before, but wish I had. These talks are excellent and particularly relevant to Web app testers. Make sure to give them a watch for the state-of-the-art of mutation XSS, JavaScript app security or interesting bug bounty tales.
Using binary search algorithms for blind SQL injection by Juan Pablo Quiñe Paz
Ekoparty 2021: Main Track & Bug Bounty Space, especially:
XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers & XSinator.com (XS-Leak browser test suite)
DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale, DoubleX tool repo & Tutorial
Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale
Ceterum censeo: Visited esse delendam & Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks
A simple Data Exfiltration! (Blind XXE via Excel file upload)
Pentest tale – Dumping cleartext credentials from antivirus #Windows #PostExploitation
Finding a 0 Day Race Condition #ThickClient
All Roads Lead To OpenVPN: Pwning Industrial Remote Access Clients #VPN #Web
PoC of CVE-2021-42321, Exchange Post-Auth RCE & Some notes about Microsoft Exchange Deserialization RCE (CVE-2021-42321) #Web
CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable #Kubernetes
Diving into Open-source LMS Codebases #Web #CodeReview
CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory (Microsoft)
The tale of CVE-2021-34479 (VSCode XSS) (Microsoft)
See more writeups on The list of bug bounty writeups.
TProxer: A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF
hakfindinternaldomains: Go tool that takes a list of subdomains, resolves them and tells you which ones are internal
Jira-Lens: Fast and customizable vulnerability scanner For JIRA written in Python
HackTheBox Secret CTF 2021 (December 1-5)
TryHackMe’s Advent of Cyber 3 (2021) (December 1-25)
2021 Metasploit Community CTF (December 3-6)
New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
GitHub Apps – How to avoid leaking your customer’s source code with GitHub apps
Upcoming events
YASCON 2021 (November 28)