By Anna Hammond
April 6, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 28 to April 4.
Exploiting a double-edged SSRF for server and client-side impact
This is the story of an SSRF that @Yassineaboukir discovered on a private bug bounty program.
It is a beautiful example of chaining several techniques to maximize the impact of a single bug: GitHub recon to find internal subdomains, using the SSRF itself to enumerate further internal subdomains, and exploiting the same bug both server-side (as internal SSRF) and client-side (as information disclosure via CSRF).
@hacker_’s SSRF story, Bug hunters’ “Oh Sh*t” moments & Ironic vulnerabilities
Fun hacker stories by @infosec_au & @Jhaddix
If you love fun hacker stories, make sure to follow @hacker_. He’s been very active on Twitter, sharing cool stories and mini-writeups, and inspiring other hackers to do the same, for our delight.
ToolTime – FeroxBuster (Content Discovery)
@Jhaddix is another hacker to follow if you are into Web hacking. He has been sharing a lot of tips on Twitter lately, co-hosts Bounty Thursdays Live, and started this new show, ToolTime, where he reviews hacking tools.
TruffleHog v3 & Critical Bounties via Leaked API Keys (FT TruffleHug)
@trufflesec released TruffleHog V3, which is much faster than the previous versions, detects 639 key types, automatically validates every secret type it supports with dynamic checks, and supports not only Git but also S3 buckets, stdin, file systems and more.
Recordings from Insomni’hack 2022 are out, and they include many great talks on offensive security.
The ones I’m prioritizing watching are @scannell_simon‘s “A Common Bypass Pattern To Exploit Modern Web Apps”, @abhaybhargav‘s “Hook, Line And Sinker: Pillaging API Webhooks”, @sachinnthakuri and @1lastBr3ath‘s “Exploiting WebKit To Break Authentication And Authorization” and @swapgs‘s “Two Bugs To Rule Them All: Taking Over The PHP Supply Chain”.
Q: HOW do you get started in bug bounty?? How do you build your automation?!
Hacking PayPal and TikTok (legally) // Featuring Ben Sadeghipour Nahamsec
100 hours of bug bounty – I made twice more than as a pentester – Bounty vlog #2
Finding bugs with Nuclei with PinkDraconian (Robbe Van Roey)
A Look Into zseano’s Thoughts When Testing a Target – OWASP Nagpur
Remote Code Execution vs. Remote Command Execution vs. Code Injection vs. Command Injection vs. RCE
Exploiting DOM Based XSS via Misconfigured postMessage() Function
PHP Supply Chain Attack on PEAR #Web #Crypto
ABC-Code Execution for Veeam #Windows #LPE
Critical SSRF on Evernote (Evernote, $5,000)
Unauthenticated Remote Code Execution in Cisco Nexus Dashboard Fabric Controller (formerly DCNM) (Cisco)
Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All (Microsoft)
Pwn2Own Austin 2021: Defeating The Netgear R6700V3 (Netgear)
See more writeups on The list of bug bounty writeups.
Dome: Subdomain enumeration tool in Python
Difftastic: An experimental diff tool that compares files based on their syntax
Docker-OSX: Run macOS VM in a Docker! Run near native OSX-KVM in Docker
s3sec: Check AWS S3 instances for read/write/delete access
Scanmycode (Community Edition): Code scanning/SAST/Static Analysis/Linting using many tools/scanners with one report
IIS – SOAP: How to run shellcode from a webshell with a .soap extension
Remotely Dumping Chrome Cookies…Revisited & Dump-Chrome-Cookies
This busy-loop is not a security issue & My first fuzzy finding: Busyloop in curl
Upcoming events
@NahamSec is resuming Live Recon, with @Jhaddix and @stokfredrik as cohosts (April 10)
ComfyCon AU 2022 & Schedule (April 9 & 10)