By Anna Hammond
March 9, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 28 to March 7.
🚩 CTF SIGN UP 🚩
🗣 Virtual Conference 🗣
The 🟣 1337UP LIVE 🟣 event is nearing! Only 2 more days to go!
On March 11th, we will kick off with the 24-hour long CTF with challenges from web all the way to binary exploitation. Sign up right now at ctf.intigriti.io.
On March 12th, once the CTF ends, we will directly jump into the live bug bounty conference with astonishing talks by amazing speakers. Check out the line-up over here at www.intigriti.com/1337uplive!
We can’t wait to see you there!
We’re inviting you to share your opinions!
As a community-driven platform, your feedback is extremely valuable to us. To get to know you better, we would like to ask you to fill out our five-minute survey. At the end of the survey, you will be able to participate in our raffle to win a €50 Intigriti swag voucher (there are 20 available). Looking forward to hearing from you!
Reading RFCs for bug bounty hunters
The perils of the “real” client IP
@EdOverflow, who knows a thing or two about RFCs (as the author of security.txt), shares some tips on reading RFCs for bug hunters.
This is actually part of a new Q&A blog series. This is a fantastic opportunity to have your bug bounty / security questions answered by a seasoned security researcher.
The second article is about how to retrieve the “real client IP address” from HTTP headers, common misconfigurations and the vulnerabilities they lead to. It is a long but excellent read if you want to explore this area of security.
Another good article on the same blog is about bypassing timing attack mitigations.
As pointed out by @albinowax, when you find a good article, make sure to browse the entire site for other gems.
Circumventing Browser Security Mechanisms For SSRF
AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
The Dirty Pipe Vulnerability & PoC
A few months ago, I saw a very intriguing tweet about a bug bounty finding that involved Web and Pwn. @iamnoooob, @rootxharsh and @S1r1u5_ just dropped the writeup, and it is indeed incredible.
The team chained an SSRF with an XSS to bypass some limitations, and then with a known headless Chrome RCE that had no public PoC.
Another equally impressive finding is @Yanir_’s AutoWarp. He found a way to interact with an internal Azure server, which gave him access to authentication tokens of other customers and the ability to take over their accounts.
The third writeup is about a privilege escalation that Max Kellermann discovered in the Linux kernel (present since version 5.8). It is similar to Dirty Cow but easier to exploit.
If you are interested in this type of bug, I highly recommend the writeup. It details everything from the indicators of vulnerability, the questions the author asked themselves at each step, what worked and what didn’t… just like an investigation.
Param Miner’s Attack Config options are not officially documented. So, to understand what they mean, @_nikitastupin looked at the tool’s source code and compiled their descriptions in a repo.
@spaceraccoonsec’s colleague released this new tool to detect and exploit padding oracle vulnerabilities. It is a Burp extension that supports the PKCS#7 and PKCS#1 v1.5 padding schemes.
If you’re not sure where to use this tool, here is a tip on identifying potential entry points.
Finding 0day in Apache APISIX During CTF (CVE-2022-24112)
@LiveOverflow published a new video walkthrough of a Real World CTF challenge. This one is about a 0-day RCE in the default configuration of Apache APISIX. Discovering it involved code review, reading documentation, spoofing the “real” client IP, and much more. As usual, it is incredibly informative.
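Both the “real client IP” article mentioned above and the APISIX walkthrough turn on the same point: an application that reads `X-Forwarded-For` without knowing which proxies it can trust lets any client pick its own “real” address. The following is an added illustration (not code from either article or from Apache APISIX) contrasting the naive lookup with a trusted-proxy-aware one. The proxy ranges, header values and allowlist are constructed for the example; in a real deployment they come from the actual network layout.

```python
import ipaddress

# Constructed for this example: the only reverse proxies in this imaginary
# deployment that are allowed to append hops to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]

# Constructed allowlist: addresses granted access to an "internal only" route.
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def naive_client_ip(headers, peer_ip):
    """The common misconfiguration: trust the leftmost X-Forwarded-For entry
    unconditionally, whoever the TCP peer is."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def _parse_ip(value):
    """Return an ip_address or None for anything malformed (spaces, ports, junk)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_trusted_proxy(ip_str, trusted=TRUSTED_PROXIES):
    ip = _parse_ip(ip_str)
    return ip is not None and any(ip in net for net in trusted)


def real_client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Trusted-proxy-aware lookup.

    1. If the TCP peer is not one of our proxies, the header is attacker
       controlled: ignore it and use the peer address.
    2. Otherwise walk X-Forwarded-For from the right (the hop appended by the
       proxy nearest to us) and skip every address that is itself a trusted
       proxy. The first untrusted address is the best-attested client.
    3. Malformed entries or an all-proxy chain fall back to the peer address
       rather than trusting unverifiable data.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        return hop if _parse_ip(hop) is not None else peer_ip
    return peer_ip


def allows_internal_route(client_ip):
    """Authorization decision that depends on the client address."""
    ip = _parse_ip(client_ip)
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


if __name__ == "__main__":
    # Direct connection with a forged header: the naive version is fooled.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print(naive_client_ip(spoofed, "203.0.113.5"), real_client_ip(spoofed, "203.0.113.5"))
    # Same forgery arriving through a trusted proxy that appended the true client.
    relayed = {"X-Forwarded-For": "127.0.0.1, 198.51.100.7"}
    print(naive_client_ip(relayed, "10.0.0.2"), real_client_ip(relayed, "10.0.0.2"))
```

The walk-from-the-right rule only works if `TRUSTED_PROXIES` lists exactly the hops that sit in front of the application; a too-broad range reintroduces the spoofing problem, which is the misconfiguration class the articles describe.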
BOUNTY THURSDAYS – LIVE #2 (NEWS/TOOLS and Community Questions with Jason Haddix)
Bug Bounty 2022 Guide: Where to focus // Money // Get started
TheXSSRat Talks About Hacking, Creating Content, Security Certificates and API Hacking
admin:admin password allowed stealing Teslas around the world & Original report
CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation #CodeReview
More secure Facebook Canvas Part 2: More Account Takeovers (Meta / Facebook, $98,250)
Piercing the Cloud Armor – The 8KB bypass in Google Cloud Platform WAF (Google)
Moodle 2nd Order SQLi (Moodle)
See more writeups on The list of bug bounty writeups.
Uncover: Quickly discover exposed hosts on the internet using multiple search engines
HaxUnit: Python wrapper around Project Discovery tools (combining subdomain enumeration, port scanning and vulnerability discovery tools)
Vajra: GUI tool with multiple techniques for attacking and enumerating in the target’s Azure environment
sdlookup: IP Lookups for Open Ports and Vulnerabilities from internetdb.shodan.io
1337UP LIVE CTF (March 11)
Bug bounty
Cybersecurity
Tool updates
Go 1.17.8 and 1.16.15 are released (fixed CVE-2022-24921)