By Anna Hammond
March 23, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 14 to 21.
Intigriti’s March XSS challenge By @BrunoModificato
Using privacy.com to generate cards with $0 spending limit
Tell the truth, have you ever been charged after signing for a trial then forgetting to cancel the subscription?
It happened to me more times than I’d like to admit, but it won’t anymore thanks to @hacker_ fantastic tip: Using privacy.com’s free tier, it is possible to create virtual cards with a $0 spending limit and never get charged for anything.
From XSS to RCE (dompdf 0day)
CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera (Google, Microsoft & Opera, $10,000)
@positive_sec penetration testers discovered an XSS on a mostly static site. They share how this low-impact finding led to RCE because of a functionality to export pages as PDF. A creative tale involving HTML injection in an HTML-to-PDF converter and injecting PHP disguised as a font.
The second writeup is about a system environment variables leak in the Chromium engine, found by @pulik_io and impacting Google Chrome, Microsoft Edge, and Opera.
Basic security for humans in 4 Fridays
This reminds me of a cousin who has trouble remembering all her passwords but refuses to use a paid password manager or anything complex to set up.
This tutorial is the perfect solution to share with her and anyone in our lives who needs a simple solution to manage passwords, MFA and secure their devices using only reputable free software.
Thanks to securibee for sharing this link in your newsletter, where I discovered it!
Browser In The Browser (BITB) Attack & Repo
@MrDox demonstrates a simple but terrifyingly effective phishing technique: Using HTML/CSS to create a fake “Login with Google/Microsoft/Apple/etc” popup window. It looks just like a popup with the right URL, but is actually just an image inside the attacker’s site.
Note that this is not new; similar attacks have been known as the “picture-in-picture attack”.
Q: PENTEST VS BUGBOUNTY? (Bounty Thursday’s – ON AIR)
I know I’ve already mentioned this show before, but it just brings me so much joy.
The production is top notch, the bug bounty news part is always informative, and the new Q&A / chat part brings the show to a whole new level.
I am sure y’all already know about it, so this is essentially a shoutout to @stokfredrik for sharing such quality and joyful content for hackers.
Career Conversations with seclilc – Offensive Cybersecurity!
Alissa Knight Talks About API Hacking, Car Hacking, Creating Content for Hackers and More!
$100k Hacking any website in Safari with uXSS – a 0-day chain
iOS + Frida Tutorial, Part I, iOS + Frida Tutorial, Part II & iOS + Frida Tutorial, Part III
Heap Exploitation on Linux 101: The House of Force Technique
CORS – Lab #1 CORS vulnerability with basic origin reflection
Intigriti 1337UP CTF (pwn challenges):
Prototype Pollution in plist v3.0.4 and simple-plist (CVE-2022-22912) #Web #CodeReview
How I Discovered Thousands of Open Databases on AWS #Web #Cloud
How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects #CI/CD
Infinite loop in BN_mod_sqrt() reachable when parsing OpenSSL certificates (CVE-2022-0778), PoC by @Drago1729
CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16 #Router #Web
cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)
Securing Developer Tools: Git Integrations (Microsoft, JetBrains, GitHub)
How I Tracked You Around The Globe 🌎 (Google)
CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years (Apple)
Arbitrary file read via the bulk imports UploadsPipeline (GitLab, $29,000)
See more writeups on The list of bug bounty writeups.
Smap: Replica of nmap that uses shodan’s free API for scanning
frequest & How I was able to find 50+ Cross-site scripting (XSS) Security Vulnerabilities on Bugcrowd Public Program?: Quickly test multiple URLs for XSS and SQL injection
DomainAlerting: Get notifications when a new domain name is registered and contains your keywords
redirex: Go tool that generates bypasses for open redirects
mksub: Make subdomains using a wordlist
CrackHound & Intro: Introduce plain text passwords into BloodHound
AWS Scaled Command Bash Script – Run AWS commands for many profiles
Oneliner to find subdomain takeovers using BBRF, nuclei and Axiom
@Jhaddix’s testing environment, #BugBountyDiary & The next innovations in recon frameworks
Cloud Labs AD: Provisioning scripts for an Active Directory lab environment on Azure
AWS RDS does not force clients to connect using a secure transport layer
Abusing Arbitrary File Deletes To Escalate Privilege And Other Great Tricks
Intigriti’s March XSS challenge By @BrunoModificato (March 21 – 27)
Winja CTF – Berlin 2022 (April 9)
Cybersecurity
Researcher uses Dirty Pipe exploit to fully root a Pixel 6 Pro and Samsung S22
Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach
NPM maintainer targets Russian users with data-wiping ‘protestware’
Apple Safari empowers developers to mitigate web flaws with WebKit CSP enhancements
Upcoming events
OSINT Summit 2022 (April 7)
Tool updates
Burp Professional / Community 2022.3 (Collaborator now uses oastify.com instead of burpcollaborator.net) & New “Fastest” crawl strategy