By Anna Hammond
March 31, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 21 to 28.
Changelog #33 – Collaboration makes you better!
Spring4Shell & CVE-2022-22963 – Java 0-days in Spring
There is a lot of chatter about 0-days in Spring, and some confusion, because there is not one but two vulnerabilities:
Spring4Shell is a severe RCE in Spring Core (Spring Framework). Despite early reports, it is not a deserialization bug: it abuses Spring's data binding of request parameters to reach the ClassLoader through bound properties, which on a Tomcat deployment can be turned into a JSP webshell via the access-log configuration. It is exploited in the wild, was leaked by a Chinese-speaking researcher, and at the time of writing has neither a patch nor a CVE.
CVE-2022-22963 is a less severe, already patched SpEL expression injection in Spring Cloud Function: when the routing function is used, the value of the spring.cloud.function.routing-expression request header is evaluated as a SpEL expression. It is fixed in Spring Cloud Function 3.1.7 and 3.2.3.
Some say it is the new Log4Shell; others say there is no need to panic about Spring4Shell because it is only exploitable in certain configurations (the exploit circulating needs JDK 9+ and a Spring MVC or WebFlux application deployed as a WAR on Tomcat, though the underlying bug is general enough that other exploitation paths may exist). Until we know more, here are some good resources to dive into both vulnerabilities:
Spring4Shell analysis by LunaSec, Rapid7, Cyber Kendra & SANS ISC
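Because the two bugs are so easily confused, it helps to have a concrete way to tell them apart in captured traffic. The following is an added example written for this issue, not code from the newsletter or from any of the linked analyses: it parses raw HTTP requests and tags them with the indicator that matches each bug. Two assumptions are baked in and stated as such: a Spring4Shell probe binds request parameters whose names start with `class.module.classLoader` (the property path the public analyses describe as the route to the ClassLoader), and a CVE-2022-22963 probe carries the `spring.cloud.function.routing-expression` header with a SpEL expression in it (a `T(` type reference or a mention of `Runtime`/`ProcessBuilder` is treated as suspicious). The sample requests are constructed for the example.

```python
"""Added example: tag raw HTTP requests with Spring4Shell / CVE-2022-22963 indicators.

Assumptions (this example's own, not from the newsletter):
  * Spring4Shell probes bind parameters named `class.module.classLoader...`.
  * CVE-2022-22963 probes send a SpEL expression in the
    `spring.cloud.function.routing-expression` header.
All sample requests below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SPRING4SHELL_PARAM = re.compile(r"^class\.module\.classLoader", re.IGNORECASE)
SPEL_HEADER = "spring.cloud.function.routing-expression"
SPEL_SUSPICIOUS = re.compile(r"T\(|\bRuntime\b|\bProcessBuilder\b")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, params).

    Header names are lower-cased. Query and form-encoded body parameters are
    percent-decoded by parse_qsl, so `class%2Emodule...` still matches."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, target, headers, params


def classify(raw: str) -> list:
    """Return the names of the indicators that fire for one raw request."""
    _method, _target, headers, params = parse_request(raw)
    hits = []
    if any(SPRING4SHELL_PARAM.match(name) for name, _ in params):
        hits.append("spring4shell-classloader-binding")
    expr = headers.get(SPEL_HEADER)
    if expr is not None and SPEL_SUSPICIOUS.search(expr):
        hits.append("cve-2022-22963-routing-expression")
    return hits


# Constructed samples: one benign request and three probes.
SAMPLES = {
    "benign": (
        "GET /greet?name=alice HTTP/1.1\r\n"
        "Host: app.example\r\n\r\n"
    ),
    "spring4shell": (
        "POST /form HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "class.module.classLoader.resources.context.parent.pipeline.first.pattern=x&name=alice"
    ),
    "spring4shell-encoded": (
        "GET /form?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent"
        "%2Epipeline%2Efirst%2Epattern=x HTTP/1.1\r\n"
        "Host: app.example\r\n\r\n"
    ),
    "spel": (
        "POST /functionRouter HTTP/1.1\r\n"
        "Host: app.example\r\n"
        f"{SPEL_HEADER}: T(java.lang.Runtime).getRuntime().exec(\"id\")\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "hello"
    ),
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample; returns {sample_name: [indicator, ...]}."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:22} {hits or '-'}")
```

The point of decoding before matching is that a WAF-style substring rule on the raw request line misses the percent-encoded variant; matching on parsed parameter names does not. Use it on WAF or reverse-proxy request logs that retain headers and bodies; ordinary access logs do not carry either.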
Ruby Deserialization – Gadget on Rails (Ruby on Rails)
PHP filter_var shenanigans
@httpvoid0x2f's latest writeup is a deep dive into insecure deserialization in Ruby/Rails. They go over the current state of Ruby deserialization gadget chains and show how they discovered a new RCE gadget that works on the latest version of Rails.
The second writeup is about a vulnerability in PHP that lets you circumvent filter_var() in some cases. There are limitations, but it is interesting to see @pwningsystems's process for finding it, and, as @albinowax pointed out, it is a good research opportunity.
🎙️ HTB Stories #8: Bug Bounties 101 w/InsiderPhD
rootxharsh Talks About Recon, Finding A $50,000 Remote Command Execution in Apple, and more!
@InsiderPhD and @rootxharsh are two of my favorite hackers.
@rootxharsh is part of HTTPVoid, a crew of bug hunters who have been putting out amazing writeups lately like the Ruby Deserialization bug mentioned above.
And @InsiderPhD juggles between multiple specialties and often shares cool productivity tips in addition to technical content.
So, these interviews are a nice opportunity to get to know them more and pick up some useful insights on how they think and hack.
Bypassing CDN WAF’s with Alternate Domain Routing & CDN Proxy
@Ryan_Jarv shares a really cool attack and tool for bypassing WAFs.
The tool currently supports Cloudflare and CloudFront, with two prerequisites: you know the server's origin IP, and the origin accepts connections from the CDN's shared IP ranges (it allow-lists the CDN instead of authenticating it).
Under those conditions, the "Alternate Domain Routing" attack lets you set up your own distribution on the same CDN that points at the victim's origin. Your requests arrive from a trusted CDN IP but never pass through the victim's distribution, so its WAF rules, IP restrictions and rate limiting are all bypassed. The fix is to make the origin authenticate its CDN rather than trust an IP range: a secret custom origin header on CloudFront, or Authenticated Origin Pulls (client certificates) on Cloudflare, verified on every request.
Practical Cryptography for Infosec Noobs & Slides
This is an awesome talk if you want to learn practical cryptography, beyond the easy or unrealistic challenges found in many CTFs.
@mubix demonstrates how to identify and decrypt seemingly random data in real life, for example during a pentest or bug hunt when you do not even know which type of cryptography is in use.
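The first step in that process is classifying the blob: which encoding wraps it, how random it really is, and whether its size or block structure points at a particular primitive. The following triage helper is an added example, not code from @mubix's talk. Its rules are this example's own heuristics, not universal truths: entropy close to the maximum possible for the length suggests random, encrypted or compressed data; a decoded length that is a multiple of 16 is consistent with AES, a multiple of 8 with 8-byte block ciphers; a repeated 16-byte block indicates ECB; common digest sizes are flagged as well; and three dot-separated base64url segments with a JSON header are reported as a JWT. All sample tokens are constructed (the hex one is SHA-256 of the empty string).

```python
"""Added example: first-pass triage of an opaque token found during a test.

The heuristics below are this example's own assumptions; all sample tokens
are constructed.
"""
import base64
import binascii
import math
from collections import Counter

DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 28: "SHA-224", 32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _b64(s: str, urlsafe: bool):
    """Strict base64 decode, re-adding padding the producer may have stripped."""
    if urlsafe:
        s = s.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_encoding(token: str):
    """Return (encoding_name, raw_bytes). Hex is tried first because every
    hex string is also a valid base64 string."""
    s = token.strip()
    if len(s) >= 2 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s):
        return "hex", bytes.fromhex(s)
    for name, urlsafe in (("base64", False), ("base64url", True)):
        raw = _b64(s, urlsafe)
        if raw is not None:
            return name, raw
    return "raw", s.encode()


def describe(token: str) -> dict:
    """Triage one token: encoding, decoded length, entropy and what it is consistent with."""
    parts = token.strip().split(".")
    if len(parts) == 3 and parts[0].startswith("eyJ"):  # base64url('{"') == 'eyJ'
        return {"encoding": "jwt", "length": None, "entropy": None,
                "notes": ["three base64url segments with a JSON header: a JWT; "
                          "decode header and payload, check alg and the signature"]}
    enc, raw = peel_encoding(token)
    n = len(raw)
    ent = shannon_entropy(raw)
    notes = []
    if all(32 <= b < 127 for b in raw):
        notes.append("decodes to printable ASCII: plain data or another encoding layer, not ciphertext")
    else:
        # Short blobs cannot reach 8 bits/byte, so compare against log2(len).
        max_ent = min(8.0, math.log2(n)) if n > 1 else 1.0
        ratio = ent / max_ent
        if ratio >= 0.9:
            notes.append(f"entropy {ent:.2f} of max {max_ent:.2f} bits/byte: random, encrypted or compressed")
        elif ratio < 0.6:
            notes.append(f"entropy {ent:.2f} of max {max_ent:.2f} bits/byte: structured data, look for another layer")
    if n in DIGEST_SIZES:
        notes.append(f"{n} bytes: also the size of a {DIGEST_SIZES[n]} digest/HMAC or a {n * 8}-bit key")
    if n >= 32 and n % 16 == 0:
        notes.append("multiple of 16 bytes: consistent with AES (or IV + ciphertext)")
        blocks = [raw[i:i + 16] for i in range(0, n, 16)]
        if len(set(blocks)) < len(blocks):
            notes.append("a 16-byte block repeats: ECB mode, plaintext has repeating 16-byte runs")
    elif n >= 16 and n % 8 == 0:
        notes.append("multiple of 8 bytes: consistent with an 8-byte block cipher (DES/3DES/Blowfish)")
    return {"encoding": enc, "length": n, "entropy": round(ent, 3), "notes": notes}


# Constructed samples.
BLOCK_A = b"defghijklmnopqrs"        # 16 bytes
BLOCK_B = bytes(range(200, 216))     # 16 bytes
SAMPLE_ECB_B64 = base64.b64encode(BLOCK_A + BLOCK_B + BLOCK_A).decode()
SAMPLE_SHA256_HEX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"
SAMPLE_TEXT = "hello world"

if __name__ == "__main__":
    for sample in (SAMPLE_SHA256_HEX, SAMPLE_ECB_B64, SAMPLE_JWT, SAMPLE_TEXT):
        print(describe(sample))
```

Two caveats the output makes visible: a 32-byte high-entropy blob is consistent with both a SHA-256 digest and two AES blocks, so length alone never settles the question, and a plain dictionary word is a valid base64 string, so always look at the decoded bytes before trusting the "base64" label.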
PHP Type Juggling – Why === is Important – Sponsored Content
Deep dives on David Dombal’s Youtube channel on Traceroute, Nmap, TCP/IP & SSL/TLS
Bishop Fox Tool Talks: Episode 3: Nuclei Episode, Episode 2: Fuzzing & Episode 1: Eyeballer
Insomni’Hack 2022:
Liikt1337 – Hacking the hacker – 1337UP LIVE CTF challenge writeup
Overflows in PHP?! Solution to March ’22 XSS Challenge & Winners
Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044) #Web #Router
CVE-2022-26318 – Unauthenticated RCE in WatchGuard Firebox and XTM appliances
One company: 262 bugs, 100% acceptance, 2.57 priority, millions of user details saved.
Unauthenticated Remote Code Execution in Cisco Nexus Dashboard Fabric Controller (formerly DCNM)
HTML parser bug triggers Chromium XSS security flaw (Google Chromium, $5,000)
Able to steal bearer token from deep link (Basecamp, $6,337)
0-day Cross Origin Request Forgery vulnerability in Grafana 8.x (Aiven Ltd, $1,500)
See more writeups on The list of bug bounty writeups.
Go Decrypt Jenkins: Simple tool to decrypt Jenkins encrypted strings
Sourcemapper: Extract JavaScript source trees from Sourcemap files
Spellbook: Framework for rapid development and reuse of security tools
HTTP CL.TE & TE.CL Desync Calculator: Perform TE.CL HTTP request smuggling attacks by crafting the smuggling requests automatically
Right-To-Left Override POC & Initial Access – Right-To-Left Override [T1036.002]
Git Temporal VSCode extension + @trick3st Inventory = asset timeline tracking
Using Nuclei (with default templates) is a competitive disadvantage
403 bypass by appending unusual characters at the end of file names
RegexPassive: Collection of regexp pattern for security passive scanning
Find-gh-poc: The centerpiece of the trickest/cve project; finds CVE PoCs on GitHub
Cloud Hacking Playbook ($25)
Bug bounty
Cybersecurity
Upcoming events
Finding bugs with Nuclei with PinkDraconian (Robbe Van Roey) (April 3)
APIsecure (April 6 & 7)
Tool updates