By Anna Hammond
December 1, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 22 to 29.
@xvnpw has been sharing interesting research, writeups and tips on path traversal vulnerabilities. The blog is worth a read if you’re interested in this bug class, or in older articles on hacking Azure and SpEL.
WordPress Plugin Confusion: How an update can get you pwned, WordPress Plugin Update Confusion – The full guide how to scan and mitigate the next big Supply Chain Attack & Traffic Factory example
@vavkamil took the idea of dependency confusion and transposed it to WordPress themes and plugins: a site running a private plugin whose slug nobody has claimed on wordpress.org will happily take an "update" from whoever registers that slug first. He then partnered with @naglinagli to hunt for this vulnerability at scale across bug bounty programs.
I love this type of research, both so clever and obvious AFTER you’ve read about it. Who would’ve thought that WordPress and package registries like NPM had anything in common?!
The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k
@spaceraccoonsec solved all 10 levels of The InfoSecurity Challenge 2021, which spanned web, mobile, cryptography, pwn, forensics, steganography and more. His detailed walkthrough of every task is full of techniques worth knowing.
With all the CTFs running this December, it might help to learn some of these advanced CTF tricks.
Both of these tools perform common bug bounty tasks, but with a twist.
@blegmore’s cero scrapes domain names from SSL/TLS certificates. This sounds like something that tons of other tools already do, right? What makes cero interesting is that it only needs a TLS handshake, so it can scrape certificates from any service that speaks TLS, not just HTTPS.
Thank you @Six2dez1 for highlighting this awesome tool!
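The handshake-only idea behind cero, as an added example (this is not cero's code): the client dials a port, completes a TLS handshake with verification disabled and reads the Subject CN and SAN names from the leaf certificate without ever sending an HTTP request. To keep it runnable offline, the block also generates an in-memory self-signed certificate and serves it from a loopback listener that speaks nothing but TLS; the hostnames in the certificate are invented. Note that this only covers implicit TLS (HTTPS, SMTPS, IMAPS, LDAPS and the like); STARTTLS services need the cleartext protocol dance first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// ScrapeNames dials addr ("host:port"), completes a TLS handshake and returns
// the DNS names from the leaf certificate's Subject CN and SubjectAltName.
// No application-layer byte is ever sent, so any port that speaks TLS from the
// first byte works. Verification is disabled on purpose: expired, self-signed
// or mismatched certificates still carry names worth collecting during recon.
func ScrapeNames(addr string, timeout time.Duration) ([]string, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", addr)
	}
	return namesFromCert(certs[0]), nil
}

// namesFromCert de-duplicates CN and SAN entries and returns them sorted.
func namesFromCert(c *x509.Certificate) []string {
	seen := map[string]bool{}
	if cn := c.Subject.CommonName; cn != "" {
		seen[cn] = true
	}
	for _, n := range c.DNSNames {
		seen[n] = true
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// selfSignedCert builds an in-memory certificate carrying the given DNS names
// (constructed test material, never written to disk).
func selfSignedCert(names []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartTLSEcho listens on a random loopback port and completes TLS handshakes,
// then hangs up. It never speaks HTTP: the names come from the handshake alone.
func StartTLSEcho(names []string) (addr string, stop func(), err error) {
	cert, err := selfSignedCert(names)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	addr, stop, err := StartTLSEcho([]string{"vpn.example.test", "mail.example.test", "internal-admin.example.test"})
	if err != nil {
		panic(err)
	}
	defer stop()
	names, err := ScrapeNames(addr, 3*time.Second)
	if err != nil {
		panic(err)
	}
	for _, n := range names {
		fmt.Println(n)
	}
}
```

Against a real target you would call `ScrapeNames` on every open port from a port scan, not just 443; the names on an SMTPS or LDAPS certificate are often internal hostnames that never appear in public DNS.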
Scavenger by @0xDexter0us is a Burp extension that creates target-specific wordlists from Burp history. The cool part is that it can create a parameter wordlist (based on URL, body, cookie, and JSON parameters), an endpoint wordlist (based on URLs in the sitemap and JavaScript files) or a wordlist of JSON response keys.
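The wordlist-building idea in one place, as an added example that is not Scavenger's code: it walks a small proxy history and collects parameter names from the query string, cookies, form bodies and JSON request bodies, endpoint paths from the URLs and from quoted paths inside JavaScript responses, and every key found at any depth of JSON responses. The history entries (the `shop.example.test` host, the paths and the payloads) are constructed for this example; a real tool would read them from Burp.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Exchange is one proxy-history entry: the request sent and the response received.
type Exchange struct {
	Method, URL, Cookie string
	ReqType, ReqBody    string // request Content-Type and body
	RespType, RespBody  string // response Content-Type and body
}

// Wordlists are the three target-specific lists derived from history.
type Wordlists struct {
	Params    []string // query, form, cookie and JSON request parameter names
	Endpoints []string // URL paths seen, plus paths referenced from JavaScript
	JSONKeys  []string // keys found anywhere in JSON responses
}

// jsPath matches quoted absolute paths inside JavaScript, e.g. fetch("/api/x").
var jsPath = regexp.MustCompile(`["'](/[\w./-]+)["']`)

// Build walks the history once and returns sorted, de-duplicated wordlists.
func Build(hist []Exchange) Wordlists {
	params, endpoints, keys := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, ex := range hist {
		u, err := url.Parse(ex.URL)
		if err != nil {
			continue
		}
		endpoints[u.Path] = true
		for k := range u.Query() {
			params[k] = true
		}
		for _, c := range strings.Split(ex.Cookie, ";") {
			if name := strings.TrimSpace(strings.SplitN(c, "=", 2)[0]); name != "" {
				params[name] = true
			}
		}
		switch {
		case strings.Contains(ex.ReqType, "x-www-form-urlencoded"):
			if form, err := url.ParseQuery(ex.ReqBody); err == nil {
				for k := range form {
					params[k] = true
				}
			}
		case strings.Contains(ex.ReqType, "json"):
			walkJSON(ex.ReqBody, params)
		}
		switch {
		case strings.Contains(ex.RespType, "json"):
			walkJSON(ex.RespBody, keys)
		case strings.Contains(ex.RespType, "javascript"):
			for _, m := range jsPath.FindAllStringSubmatch(ex.RespBody, -1) {
				endpoints[m[1]] = true
			}
		}
	}
	return Wordlists{Params: sorted(params), Endpoints: sorted(endpoints), JSONKeys: sorted(keys)}
}

// walkJSON records every object key at any depth, descending into arrays too.
func walkJSON(body string, into map[string]bool) {
	var v interface{}
	if err := json.Unmarshal([]byte(body), &v); err != nil {
		return
	}
	var walk func(interface{})
	walk = func(n interface{}) {
		switch t := n.(type) {
		case map[string]interface{}:
			for k, child := range t {
				into[k] = true
				walk(child)
			}
		case []interface{}:
			for _, child := range t {
				walk(child)
			}
		}
	}
	walk(v)
}

func sorted(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// SampleHistory is a constructed stand-in for a Burp history export.
func SampleHistory() []Exchange {
	return []Exchange{
		{Method: "GET", URL: "https://shop.example.test/api/v1/search?q=shoes&page=2", Cookie: "session=abc; theme=dark",
			RespType: "application/json", RespBody: `{"results":[{"id":1,"price":10.5}],"total":1}`},
		{Method: "POST", URL: "https://shop.example.test/api/v1/login", ReqType: "application/x-www-form-urlencoded",
			ReqBody: "username=bob&password=x", RespType: "application/json", RespBody: `{"token":"t","user":{"id":7,"role":"customer"}}`},
		{Method: "PUT", URL: "https://shop.example.test/api/v1/profile", ReqType: "application/json",
			ReqBody: `{"displayName":"Bob","prefs":{"newsletter":true}}`, RespType: "application/json", RespBody: `{"ok":true}`},
		{Method: "GET", URL: "https://shop.example.test/static/app.js", RespType: "application/javascript",
			RespBody: `fetch("/api/v1/admin/users");fetch('/api/v1/export')`},
	}
}

func main() {
	wl := Build(SampleHistory())
	fmt.Println("params:   ", wl.Params)
	fmt.Println("endpoints:", wl.Endpoints)
	fmt.Println("json keys:", wl.JSONKeys)
}
```

The JSON response keys double as candidate parameter names: an API that returns `role` or `newsletter` often accepts them on a write endpoint too, which is why a target-specific list beats a generic one.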
Hakluke: Creating the Perfect Bug Bounty Automation
This reads like a short history of automation through the eyes of a bug hunter. @hakluke describes different types of architectures he tried, their limits, and how he plans on solving them.
If you’re thinking of building your first bug bounty automation solution, it can be useful to learn about someone else’s experience and mistakes.
What’s in the pipeline for the Burp Suite message inspector?
$16k Stealing secrets.yaml from GitLab using stored XSS – Hackerone bug bounty
Pentester Diaries Ep10: Journey into Reverse Engineering and Exploit Development
GreHack 2021, especially:
Persistence Through Service Workers-part 3: Easy Javascript Payload Deployment
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells & Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k
SSRF – Lab #1 Basic SSRF against the local server | Long Version
Exploiting Vulnerabilities in a TLD Registrar to Takeover Tether, Google, and Amazon
Discovering Full Read SSRF in Jamf (CVE-2021-39303 & CVE-2021-40809) #CodeReview
Insecure default configuration in Redash that leads to authentication bypass
Unlocking the Vault :: Unauthenticated Remote Code Execution against CommVault Command Center #CodeReview
RCE with SSRF and File Write as an exploit chain on Apache Guacamole
Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability
Windows installer LPE 0day (bypasses the incomplete fix for CVE-2021-41379)
Finding XSS on .apple.com and building a proof of concept to leak your PII information (Apple)
GoSecure Investigates Abusing Windows Server Update Services (WSUS) to Enable NTLM Relaying Attacks (Microsoft)
How I Found My First XSS Bug (Atlassian, $600)
See more writeups on The list of bug bounty writeups.
GoMapEnum: User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on Linkedin
STEWS: A Security Tool for Enumerating WebSockets
AuRA: Auth. Request Analyser: Chromium extension to support the analysis of OAuth 2.0 and OpenID Connect 1.0 SSO flows & Custom and flexible OAuth/OIDC SP and IdP implementations
GAP (Get All Params): An evolution of the getAllParams Burp extension for collecting parameters
New cases added to the “Make JDBC Attack Brilliant Again” paper
From unrestricted file upload with no access to the uploaded shell to blind OOB RCE
Outlook attachments can be directly downloaded (useful for phishing engagements)
The Cyber Plumber’s Handbook – The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss (Free) & Practice lab ($9.99)
Bishop Fox: The Pen Testing Tools We’re Thankful for in 2021
A Bit Of A Fixer Upper – Testing Fix-backed Applications & FixerUpper
Is running legacy software with no publicly known exploits safe?
HTB Cyber Santa (December 1-5)
Code Security Advent Calendar 2021 (Starts on December 1)
HITCON CTF 2021 (December 4-5)
Cyber Security Awareness Month Extravaganza! Bug Bounty CTF (Public-009)
OWASP Timisoara #20 – AI, Bug Bounty & Web Fuzzing (Online) (December 9)
Tool updates