Bug Bytes #169 – Psychic signatures, Pwning Cloudflare, Z-winK University & The Bug Hunter’s Methodology for App Analysis

By Anna Hammond

May 11, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the weeks from April 18 to May 9.

Intigriti news

Bug bounty platform Intigriti offers new hourly payment option for vulnerability researchers

Congrats to @YnoofAssiri, @nullb0t and @0xH4rmony for reaching the top of the Intigriti Q1 2022 leaderboard!

Intigriti secures more than €21M in Series B funding

Our favorite 5 hacking items

1. Resource of the week

ThreatDEV & ThreatDEV Discord

You probably know about @hacker_‘s fantastic hacker stories on Twitter, but did you know he also has a newsletter, a blog and a Discord

In the newsletter, you’ll find the same kind of cool stories, tips and tricks. @Jhaddix is also contributing to it.
The blog has many older writeups, a Threads section that embeds all of @hacker_’s Twitter threads, and a roadmap if you want to Learn to Hack Web Apps.

2. Writeups of the week

Security issues with cloudflare/odoh-server-go and the ODoH RFC draft
Cloudflare Pages, part 1: The fellowship of the secret, Part 2: The two privescs, Part 3: The return of the secrets & Cloudflare advisory

@fransrosen researched ODoH (Oblivious DNS Over HTTPS) and found a lack of protections against SSRF in the ODoH RFC draft and in Cloudflare’s implementation, odoh-server-go.

@seanyeoh and @devec0 also hacked Cloudflare, but focused on Cloudflare Pages’s CI/CD build pipeline.
They found a host of issues including command injection, container escape, Bash path injection and information disclosure.

3. Videos of the week

Z-winK University (ZU)
Diving Deeper into Subdomain Takeovers & Mitigations with Shubham Shah

@_zwink started a Youtube channel to teach how to hack and get into bug bounty, starting with the basics. The only prerequisite is to have a computer with an Internet connection.
Even if not new to hacking, I’d keep an eye on his Twitter and Youtube accounts as he shares a lot of tips and tackles more and more advanced technical topics.

Another fantastic video is a deep dive into subdomain takeover by @infosec_au. If you are interested in the topic, you might want to watch this to learn not only about different types of subdomain takeovers, but also how to mitigate them.

4. Conference of the week

NahamCon2022, Web challenges walkthrough & Slides for:
Finding 0days in Enterprise Software
Effectively finding vulnerabilities in web applications by debugging the source code
The Bug Hunters Methodology Application Analysis v1

This NahamCon edition was so-o-o good! I’d recommend watching all the talks, but if you are more into black-box Web testing, start with @Jhaddix‘s first edition of the The Bug Hunter’s Methodology: Application Analysis.

If you read all the cool writeups @assetnote have been publishing lately and wonder how they do it, start with @infosec_au‘s talk on finding 0days in enterprise software, or @seanyeoh and @devec0‘s talk on hacking CI systems.

Also, if you played the CTF, you might be interested in the video walkthrough where @gregxsunday solves all the Web challenges.

5. Vulnerabilities of the week

CVE-2022-21449: Psychic Signatures in Java, A few clarifications about CVE-2022-21449, PoC by @jfrog, Lab by @datadoghq & Lab by @SecCodeWarrior
CVE-2022-1388: F5 iControl REST Endpoint Authentication Bypass, @Horizon3Attack analysis & PoC, Rapid7 analysis, @bishopfox’s BIG-IP Scanner

@neilmaddog discovered a bypass in Java’s implementation of ECDSA signature validation. It made it possible to forge certificates and credentials, breaking JWTs, SAML, etc. Just like Doctor Who’s “psychic paper”, in the world of crypto.

The other vulnerability everyone is talking about is CVE-2022-1388. It is an authentication bypass in F5 iControl REST, that is reminiscent of the research on Abusing HTTP hop-by-hop request headers. The impact is RCE with a single unauthenticated POST request.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Podcasts & Audio

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • hakoriginfinder & Intro: Tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies

  • burpsuite-project-file-parser: A Burp Suite Extension for parsing Project Files from the CLI

  • np: A Go tool to parse multiple Nmap scans

  • str-replace: Simple tools to handle string and generate subdomain permutations

  • MITM_Intercept: A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others

  • CDNStrip: Striping CDN IPs from a list of IP Addresses

Tips & Tweets

See more tips on this week’s Twitter collection.

Misc. pentest & bug bounty resources

Articles

Reports

Challenges

Bug bounty & Pentest news

Non technical

You may also like