By Anna Hammond
February 16, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 07 to 14.
GitBleed – Finding Secrets in Mirrored Git Repositories & GitBleed Tools
@nightwatchcyber noticed that tools that scan Git repositories for secrets will miss some of them if they clone the repository without the --mirror option: a regular clone fetches only branches and tags, while a mirror clone retrieves every ref the server holds.
They share how to look for these secrets, Bash scripts that automate the process, and a couple of intentionally vulnerable repos.
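To see the difference for yourself, here is an added demo script (written for this issue, not one of the GitBleed tools). It builds a throwaway "server" repository in a temp directory, commits a placeholder token (AWS's documented example key, not a live credential) and pushes that commit only to refs/pull/1/head, the way forges keep pull-request heads, then compares what a plain clone and a --mirror clone bring back. Everything except git itself is constructed inline.

```shell
#!/usr/bin/env bash
# Added demo (not the GitBleed scripts): a throwaway "server" repo keeps a fake
# secret only under refs/pull/1/head; a plain clone never asks for that ref,
# a --mirror clone retrieves it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER="$WORK/server.git"
# Constructed placeholder token (AWS's documented example key), not a live credential.
SECRET="AKIAIOSFODNN7EXAMPLE"

# Commit helper with an inline identity so the demo needs no global git config.
commit() {
  repo=$1; shift
  git -C "$repo" -c user.name=demo -c user.email=demo@example.com commit -q "$@"
}

setup_server() {
  git init -q --bare "$SERVER" 2>/dev/null
  git -C "$SERVER" symbolic-ref HEAD refs/heads/main
  src="$WORK/src"
  git init -q "$src" 2>/dev/null
  commit "$src" --allow-empty -m "initial"
  git -C "$src" push -q "$SERVER" HEAD:refs/heads/main
  # The secret lands in a commit that is pushed only as a PR head and never
  # merged, so no branch or tag points at it.
  echo "aws_access_key_id=$SECRET" > "$src/config.env"
  git -C "$src" add config.env
  commit "$src" -m "add config"
  git -C "$src" push -q "$SERVER" HEAD:refs/pull/1/head
}

# --no-local forces the real fetch protocol instead of copying the objects
# directory, so each clone holds exactly what a remote server would have sent.
plain_clone()  { git clone -q --no-local          "$SERVER" "$WORK/plain"      2>/dev/null; }
mirror_clone() { git clone -q --no-local --mirror "$SERVER" "$WORK/mirror.git" 2>/dev/null; }

# Refs present in a clone, one per line.
list_refs() { git -C "$1" show-ref | awk '{print $2}'; }

# Number of patch lines containing the secret across every ref the clone has.
secret_hits() { git -C "$1" log --all -p 2>/dev/null | grep -c -- "$SECRET" || true; }

setup_server
plain_clone
mirror_clone
for c in plain mirror.git; do
  echo "== $c =="
  list_refs "$WORK/$c"
  echo "secret hits: $(secret_hits "$WORK/$c")"
done
```

The plain clone lists only main (plus its origin/ tracking ref) and reports zero hits; the mirror additionally holds refs/pull/1/head and the scan over `--all` finds the token. The practical consequence is the one the post makes: run your secret scanner against a `git clone --mirror` and walk every ref, not just the checked-out branch.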
BigQuery SQL Injection Cheat Sheet ($50k+)
@ozgur_bbh and @anilyukk discovered and exploited a BigQuery SQL injection on a bug bounty target. They share the syntax and queries they used, which is valuable considering the lack of resources on SQL injection targeting this particular DBMS.
Bypassing the AWS WAF protection with an 8KB bullet
@riyazwalikar describes a known limitation of AWS WAF: it only inspects the first 8 KB of a request body. A payload placed after 8 KB of junk data therefore never reaches the WAF's rules, which bypasses them.
This issue is not new: @securityfu already covered it in AWS WAF's Dangerous Defaults, but this tutorial is a good reminder of the behavior.
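The mechanism is easy to model. Below is an added toy inspector (written for this issue, not code from either write-up) that, like the behaviour described above, examines only the first 8192 bytes of a form body, next to the same inspector fronted by a body-size rule. The SQLi signature, the 8192-byte limit and the request bodies are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo (not from the write-up): a toy request inspector that only looks
# at the first 8 KB of the body, beside the same inspector behind a size rule.
set -eu

LIMIT=8192
# Crude SQLi signature, enough for the demo; real rule sets are far broader.
SQLI_RE="union[[:space:]]+select|or[[:space:]]+1=1"

# Form body with a junk field of $1 bytes in front of the real parameter $2.
build_body() {
  printf 'junk=%s&q=%s' "$(head -c "$1" /dev/zero | tr '\0' 'A')" "$2"
}

# Prefix-only inspection: the body arrives on stdin, only LIMIT bytes are examined.
waf_prefix_only() {
  prefix=$(head -c "$LIMIT")
  if printf '%s' "$prefix" | grep -qiE -- "$SQLI_RE"; then echo blocked; else echo allowed; fi
}

# Same inspection behind a size-constraint rule: any body longer than LIMIT is
# rejected outright, so nothing can hide past the inspected prefix.
waf_with_size_rule() {
  body=$(cat)
  if [ "${#body}" -gt "$LIMIT" ]; then echo blocked; return 0; fi
  printf '%s' "$body" | waf_prefix_only
}

PAYLOAD="' OR 1=1--"
echo "payload at offset 0, prefix-only:   $(build_body 0    "$PAYLOAD" | waf_prefix_only)"
echo "payload after 9000 B, prefix-only:  $(build_body 9000 "$PAYLOAD" | waf_prefix_only)"
echo "payload after 9000 B, size rule:    $(build_body 9000 "$PAYLOAD" | waf_with_size_rule)"
```

The first call is blocked, the second slips through because the signature sits beyond the inspected prefix, and the third is blocked again because the oversized body is rejected before any signature matching. That last variant is the shape of the usual fix: pair the content rules with a size constraint on the body so requests the WAF cannot fully inspect are not waved through.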
Salesforce Recon and Exploitation Toolkit (SRET) & Intro
While learning about Salesforce vulnerabilities, @uraniumhacker created this tool to automate testing for and exploiting misconfigurations in Salesforce instances.
He used it to report multiple Critical and High impact information disclosure bugs.
Being stuck on a challenge for too long can mean losing interest or wasting time in your learning journey. So if you are struggling with Hack The Box machines/challenges or certifications like the OSCP, make sure to read and apply this advice by @ippsec and @0xdf_.
It will help you make consistent progress, and know when to try harder and when to look at solutions.
Polkit – 12-year-old Security Vulnerability to Privilege Escalation | PolicyKit | Linux | #Explained
Reverse Engineering 101 – Introduction to IDA Free on Linux: Reversing 2 crackmes
Create Your Own Python DNS ENUMERATION TOOL & Create Your Own Python SUBDOMAIN ENUMERATION TOOL
Improving the impact of a mouse-related XSS with styling and CSS-gadgets
Using Power Automate for Covert Data Exfiltration in Microsoft 365
Extremely Short XSS?! Solution to February ’22 XSS Challenge & Winners
XSS via HTTP Parameter Pollution! & SQL Injection to Retrieve Hidden Data!
HTB: SteamCloud #Kubernetes
impressCMS – unauthenticated code execution #Web #CodeReview
Multiple Vulnerabilities In Concrete CMS – Part2 (PrivEsc/SSRF/etc) #Web
A Zero-Click RCE Exploit for the Peloton Bike (And Also Every Other Unpatched Android Device) #MemoryCorruption
From Stored XSS to Code Execution using SocEng, BeEF and elFinder CVE-2021-45919 #Web
“Zero-Days” Without Incident – Compromising Angular via Expired npm Publisher Email Domains (GitHub) & Related paper
WordPress < 5.8.3 – Object Injection Vulnerability (WordPress)
How i made 15k$ from Remote Code Execution Vulnerability ($15,000)
How Docker Made Me More Capable and the Host Less Secure (Microsoft)
Mindshare: When Mysql Cluster Encounters Taint Analysis (Oracle)
SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999) & SpoolFool (Microsoft)
See more writeups on The list of bug bounty writeups.
Ghostbuster & Intro (https://blog.assetnote.io/2022/02/13/dangling-eips/): Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts
Copy Regex Matches: Burp extension to copy regex matches from selected requests and/or responses to the clipboard
Nuclei – Burp Extension: Simple Burp extension to run Nuclei directly from Burp, transforming JSON results into issues
OAUTHScan: Burp extension useful to verify OAUTHv2 and OpenID security
JWT Editor: A Burp Suite extension and standalone application for creating and editing JSON Web Tokens
hardCIDR: Bash script to discover an organization’s netblocks or ranges (in CIDR notation)
Why you should check the default amass config.ini file regularly
PoC for evading MS default setting and smuggling VBA macros back in
KustomizeGoat: Vulnerable by design Kustomize deployment
Bug bounty
Cybersecurity
Upcoming events
@stokfredrik’s Bounty Thursdays – Live (Thursday 16:00 CET)
IWCon 2022 (February 26-27, $5)
Tool updates