Bug Bytes #148 – Google SSRF filmed, An N/A bug to $15k & Tuning race conditions

By Anna Hammond

November 24, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from November 15 to 22.

Intigriti news

Why join Intigriti? Here are 16 reasons why you’ll love working here

Increase in the Intigriti program’s bounty table

Our favorite 5 hacking items

1. Video of the week

Reacting to myself finding an SSRF vulnerability in Google Cloud & Blog post (Google, $10,401.1)

@xdavidhu discovered an SSRF on Google Cloud and filmed the entire process, from the bug’s discovery to exploiting it for RCE, creating the PoC, reporting it, and then bypassing the fix.
If you’ve ever dreamed of peeking over the shoulder of a bug hunter while they are finding a critical bug (not just doing recon or practicing in a lab), this is a truly rare opportunity.

2. Writeups of the week

Finding Zero-Day Vulnerabilities in the Supply Chain
How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud (Atlassian, $15,000)

The first writeup is about CSTI, bypassing signed requests (with a JavaScript breakpoint), and exploiting an SSRF with the SMB scheme to steal NTLM hashes. The techniques are not new, but @0xLupin does an amazing job of explaining these critical pentest findings and showing how to escalate the bugs’ impact as much as possible.

The second writeup, by @Krevetk0Valeriy, is about issues in the Atlassian Cloud’s registration flow. This is an interesting read if you like authentication bugs, or if you want an example of digging deep into strange behaviors until an N/A turns into a $15k finding.

3. Resource of the week

FirstBloodv2 disclosed reports

BugBountyHunter disclosed writeups submitted by members during their last Hackevent, FirstBlood v2. If you can’t get enough of bug bounty writeups, this is a nice collection to explore whether you are interested in server-side, client-side or logic vulnerabilities.

4. Tools of the week

ChronoRace
h2rs

ChronoRace is a Python tool for fine-tuning race condition attacks. @itscachemoney used it to execute carefully timed race condition attacks that circumvent application business logic, such as this email confirmation bypass on Shopify.

If HTTP request smuggling is more your thing, you might be interested in h2rs. This Python tool by @ricardo_iramar can detect request smuggling via HTTP/2 downgrades.

5. Conference of the week

Swiss Cyber Storm 2021 & Slides, especially:

I hadn’t heard of Swiss Cyber Storm before, but wish I had. These talks are excellent and particularly relevant to web app testers. Make sure to give them a watch for the state of the art of mutation XSS, JavaScript app security or interesting bug bounty tales.


Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Conference slides, material & whitepapers

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • TProxer: A Burp Suite extension made to automate the process of finding reverse-proxy path-based SSRF

  • hakfindinternaldomains: Go tool that takes a list of subdomains, resolves them and tells you which ones are internal

  • Jira-Lens: Fast and customizable vulnerability scanner for Jira, written in Python

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical
