Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
CLICK HERE TO SUBSCRIBE
This issue covers the weeks from April 18 to May 9.
Bug bounty platform Intigriti offers new hourly payment option for vulnerability researchers
Congrats to @YnoofAssiri, @nullb0t and @0xH4rmony for reaching the top of the Intigriti Q1 2022 leaderboard!
Intigriti secures more than €21M in Series B funding
ThreatDEV & ThreatDEV Discord
You probably know about @hacker_‘s fantastic hacker stories on Twitter, but did you know he also has a newsletter, a blog and a Discord
In the newsletter, you’ll find the same kind of cool stories, tips and tricks. @Jhaddix is also contributing to it.
The blog has many older writeups, a Threads section that embeds all of @hacker_’s Twitter threads, and a roadmap if you want to Learn to Hack Web Apps.
Security issues with cloudflare/odoh-server-go and the ODoH RFC draft
Cloudflare Pages, part 1: The fellowship of the secret, Part 2: The two privescs, Part 3: The return of the secrets & Cloudflare advisory
@fransrosen researched ODoH (Oblivious DNS Over HTTPS) and found a lack of protections against SSRF in the ODoH RFC draft and in Cloudflare’s implementation, odoh-server-go.
@seanyeoh and @devec0 also hacked Cloudflare, but focused on Cloudflare Pages’s CI/CD build pipeline.
They found a host of issues including command injection, container escape, Bash path injection and information disclosure.
Z-winK University (ZU)
Diving Deeper into Subdomain Takeovers & Mitigations with Shubham Shah
@_zwink started a Youtube channel to teach how to hack and get into bug bounty, starting with the basics. The only prerequisite is to have a computer with an Internet connection.
Even if not new to hacking, I’d keep an eye on his Twitter and Youtube accounts as he shares a lot of tips and tackles more and more advanced technical topics.
Another fantastic video is a deep dive into subdomain takeover by @infosec_au. If you are interested in the topic, you might want to watch this to learn not only about different types of subdomain takeovers, but also how to mitigate them.
NahamCon2022, Web challenges walkthrough & Slides for:
– Finding 0days in Enterprise Software
– Effectively finding vulnerabilities in web applications by debugging the source code
– The Bug Hunters Methodology Application Analysis v1
This NahamCon edition was so-o-o good! I’d recommend watching all the talks, but if you are more into black-box Web testing, start with @Jhaddix‘s first edition of the The Bug Hunter’s Methodology: Application Analysis.
If you read all the cool writeups @assetnote have been publishing lately and wonder how they do it, start with @infosec_au‘s talk on finding 0days in enterprise software, or @seanyeoh and @devec0‘s talk on hacking CI systems.
Also, if you played the CTF, you might be interested in the video walkthrough where @gregxsunday solves all the Web challenges.
CVE-2022-21449: Psychic Signatures in Java, A few clarifications about CVE-2022-21449, PoC by @jfrog, Lab by @datadoghq & Lab by @SecCodeWarrior
CVE-2022-1388: F5 iControl REST Endpoint Authentication Bypass, @Horizon3Attack analysis & PoC, Rapid7 analysis, @bishopfox’s BIG-IP Scanner
@neilmaddog discovered a bypass in Java’s implementation of ECDSA signature validation. It made it possible to forge certificates and credentials, breaking JWTs, SAML, etc. Just like Doctor Who’s “psychic paper”, in the world of crypto.
The other vulnerability everyone is talking about is CVE-2022-1388. It is an authentication bypass in F5 iControl REST, that is reminiscent of the research on Abusing HTTP hop-by-hop request headers. The impact is RCE with a single unauthenticated POST request.
SHARE ON TWITTER
See more writeups on The list of bug bounty writeups.
hakoriginfinder & Intro: Tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies
burpsuite-project-file-parser: A Burp Suite Extension for parsing Project Files from the CLI
np: A Go tool to parse multiple Nmap scans
str-replace: Simple tools to handle string and generate subdomain permutations
MITM_Intercept: A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others
CDNStrip: Striping CDN IPs from a list of IP Addresses
See more tips on this week’s Twitter collection.
Bug bounty
Cybersecurity
Tech
Upcoming events
Tool updates
