By Anna Hammond
February 9, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 31 to February 07, 2022.
Intigriti’s February XSS challenge By @aszx87410
This is worth a read if you’re interested in postMessage XSS. @oliverrickfors shares a methodology for finding addEventListener calls in JS files (given a list of hosts as input), then explains what to do next to test and exploit them for XSS.
Solving DOM XSS Puzzles
CVE-2022-21703: cross-origin request forgery against Grafana
Can’t get enough of postMessage XSS? Check out @spaceraccoonsec’s writeup on two XSS vulnerabilities he found on bug bounty programs. They involve interesting bypasses and advanced tips worth adding to any DOM XSS methodology.
Another interesting finding is a CSRF found on Grafana by @jub0bs and @theabrahack. It could basically make a Grafana Admin unwittingly send you a user invite to become admin of their instance, demonstrating that CSRF is definitely not dead.
My API Testing Automated Toolbox
Testing a small intentionally vulnerable API is one thing, but where to start when you’re looking for bugs in a large API with thousands of requests on a hardened bug bounty target?
Watch @InsiderPhD explain a sensible approach that combines automation and a manual workflow, with details on the tools she recommends.
A technique to semi-automatically find vulnerabilities in WordPress plugins
What is better than finding a vulnerability in a WordPress plugin? Finding over 100 vulnerabilities in dozens of popular WordPress plugins!
@kazet1234 details a semi-automatic approach used to scan for multiple vulnerability classes including XSS, SQL injection, CSRF, arbitrary file read and more. Amazing research that is interestingly transferable to other CMSes.
fonetic-go
35 bytes PHP backdoor that’s protected by a password & supports arbitrary function calls
@s0md3v just dropped these two beautiful gems. The first one is a Go tool that tells you whether a string is machine-generated or human readable. I’m not sure which use case he has in mind, but I’d use this to programmatically extract potential secrets from code.
The second tool is a neat PHP webshell that is protected by a password and supports arbitrary function calls despite being very short. From now on, this is my go-to PHP webshell!
100 hours of bug bounty on a public Hackerone program. Bounty vlog #1 – Stripe
Reverse Engineering 101 – Introduction to IDA PRO: Reversing/Patching a Binary from crackmes.one
[SecWed] 26 Jan 22 | Automate Reverse Engineering CTF with Angr & An introduction to container hacking
How to restrict XXE resolving? #BlueTeam
I’m Bringing Relaying Back: A Comprehensive Guide On Relaying Anno 2022
SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”
H1-CTF Hacky Holidays Writeups by akshansh & w31rd0
Don’t trust comments #Web
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments #CI/CD
CoronaCheck App TLS certificate vulnerabilities #iOS #Android
Abusing Facebook’s Call To Action To Launch Internal Deeplinks (Facebook, $4,000)
My first bounty, IDOR + Self XSS [€3000] (Intigriti, $3,000)
A wontfix request header injection vulnerability in net/http (Ruby)
CVE-2021-44142: Details On A Samba Code Execution Bug Demonstrated At Pwn2Own Austin ($45,000)
LFIDump: A simple python script to dump remote files through a local file read or local file inclusion web vulnerability
Aerides & Intro: An implementation of infrastructure-as-code scanning using dynamic tooling
SMBSR: Lookup for interesting stuff in SMB shares
SMBeagle: SMB fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written (useful for lateral movement and privilege escalation)
EvilSelenium: A C# tool that weaponizes Selenium to attack Chrome
@mrtuxracer, @equat0rium & @samm0uda’s inspiring success stories
InsecureProgrammingDB: Insecure programming functions database
Top 25 Browser Extensions for Pentesters and Bugbounty Hunters (2022)
File formats, Techniques and Tools that can be used to execute code in MS Office
wrongsecrets: Examples with how to not use secrets
Bug bounty
Cybersecurity
Upcoming events
Intigriti 1337UP LIVE (March 12)
Hacking Battlegrounds #4: Valentine’s Special – Hacking Will Tear Us Apart! (Live stream on February 18)
Tool updates