Bug Bytes #167 – AWS RDS Local File Read & Are you making these learning mistakes or misusing Burp’s predefined lists?

By Anna Hammond

April 13, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from April 4 to 11.

Our favorite 5 hacking items

1. Conference of the week

How to Get Better at Hacking | Louis Nyffenegger

This isn’t one of @snyff‘s usual technical talks, but I found it hilarious and eye-opening. He points out many mistakes that (aspiring) hackers make in their learning journey.
If you are struggling with a plateau or just want to grow your hacking skills from good to amazing, there is probably something mentioned in this talk that will help you out.

2. Writeup of the week

AWS RDS Vulnerability Leads to AWS Internal Service Credentials (Amazon)

@LightspinTech‘s director of security research, @gafnitav, discovered a Local File Read on AWS RDS. It involves an interesting mix of path traversal and PostgreSQL injection.
A great writeup that details the whole thought process including what did not work.

3. Resource of the week

Recon.Cloud

In addition to the previous writeup, @LightspinTech also released recon.cloud, a free search engine for AWS cloud assets.
It references 220,866 assets, and can be a good addition to your recon.

If you are interested in cloud hacking or Kubernetes security, I also recommend following @LightspinTech’s Twitter account and blog. They have been releasing many cool tools, articles and tips on these areas of security.

4. Video & Tool of the week

Bypassing a WAF by Finding the Origin IP & CF-Bypass

@0xLupin released a new tool and video on bypassing WAFs (specifically Cloudflare) by finding the Origin IP using SecurityTrails’ historical data.
What I like about CF-Bypass is that it does not just look for the Origin IP but also tries to validate it and reduce false positives. So, even if you already have your own WAF bypass tool or do not want to use SecurityTrails, reading the code of this tool might give you some cool ideas to add to your own tooling.

5. Tip of the week

Burp Intruder’s predefined lists have placeholders that must be replaced with your custom settings

Are you using Burp Intruder’s predefined payload lists without additional configuration?
If you do, you may have missed vulnerabilities because these lists have placeholders that must be replaced with your own domain, email, nameserver, etc.
A small tweak that is easy to forget, and forgetting it may cause you to miss out-of-band vulnerabilities!
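One way to catch this before a scan, as an added example that is not from the newsletter or from Burp: a small pre-flight check that refuses to use a payload list while it still contains unreplaced placeholders. The `{YOUR_...}` token syntax and the sample list are assumptions constructed for this example; check the real list for its own placeholder format.

```python
import re

# Assumed placeholder syntax: tokens wrapped in braces such as {YOUR_DOMAIN}.
# Burp's predefined lists use their own format; adapt this pattern to it.
PLACEHOLDER_RE = re.compile(r"\{(YOUR_[A-Z_]+)\}")


def find_placeholders(payloads):
    """Return the set of placeholder names still present in the payload list."""
    found = set()
    for line in payloads:
        found.update(PLACEHOLDER_RE.findall(line))
    return found


def fill_placeholders(payloads, settings):
    """Replace every placeholder with the tester's own configured value.

    Raises ValueError naming any placeholder with no configured value, so an
    unconfigured list is rejected instead of silently sending useless payloads.
    """
    missing = find_placeholders(payloads) - set(settings)
    if missing:
        raise ValueError("unconfigured placeholders: " + ", ".join(sorted(missing)))
    return [PLACEHOLDER_RE.sub(lambda m: settings[m.group(1)], line)
            for line in payloads]


# Constructed sample list in the assumed placeholder format (not a Burp list).
SAMPLE_PAYLOADS = [
    "http://{YOUR_DOMAIN}/",
    "test@{YOUR_EMAIL_DOMAIN}",
    "{YOUR_NAMESERVER}",
    "plain-payload-without-placeholder",
]

# Assumed tester-controlled settings (placeholder values).
SETTINGS = {
    "YOUR_DOMAIN": "oob.example.net",
    "YOUR_EMAIL_DOMAIN": "mail.example.net",
    "YOUR_NAMESERVER": "ns.example.net",
}

if __name__ == "__main__":
    for payload in fill_placeholders(SAMPLE_PAYLOADS, SETTINGS):
        print(payload)
```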


Other amazing things we stumbled upon this week

Videos

Podcasts & Audio

Webinars

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • ipcdn: Check which CDN providers an IP list belongs to

  • checkip: Get quick info on an IP address

  • Jeeves: Go tool that looks for time-based blind SQL injection through recon

  • TrashCompactor:

  • spring4shell-scan: A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities

  • bore: A simple CLI tool for making tunnels to localhost

Tips & Tweets

See more tips on this week’s Twitter collection.

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical
