Bug Bytes #171 – New Android Web Views attacks, Arbitrary file theft on Android & Scanning for PII in images

By Anna Hammond

May 25, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the weeks from May 16 to 23.

Our favorite 5 hacking items

1. Tool of the week

Octopii & Intro

Octopii is a Personal Identifiable Information (PII) scanner for images. It uses tesseract-ocr and AI to identify images of passports, photos, signatures, etc. This can be useful for automated recon, when you have access to a lot of images (in a local directory, S3 bucket or via directory listing) and cannot go through all of them manually.

2. Writeup of the week

Variant Cloud Analysis

@jespinhara found a Tomcat Manager that used default credentials on a public bug bounty program. The vulnerable host could only be accessed from a t2.xlarge AWS instance in the us-east-1a region, which probably explains why the bug wasn’t discovered before.
So, a valuable lesson for recon automation and vulnerability scanning is to try different cloud providers, regions and instance types.

3. Video of the week

LevelUpX – Series 1: Salesforce Object Recon with B3nac & AuraIntruder

@B3nac shares how to find data leaks by disclosing Salesforce Objects using different techniques, and a Burp extension to automate the process.

4. Tutorials of the week

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Android security checklist: theft of arbitrary files

@0x00C651E0 three of the most common ways to obtain RCE on Ruby on Rails apps. Although they can be detected with Brakeman, this walkthrough will help go further and construct working exploits.

The second tutorial / cheat sheet by @OversecuredInc is a compilation of multiple techniques to exploit Android apps and access arbitrary files.

5. Articles of the week

The Bridge between Web Applications and Mobile Platforms is Still Broken
Security Code Audit – For Fun and Fails

The first paper presents two new attacks using Android Web Views. One allows leaking user information and the other accessing the user’s camera and microphone.

The second paper is an insightful tale of “failed” code review by @frycos. It is very interesting to read about a code auditor’s methodology whether there is an RCE at the end or not.

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Podcasts & Audio

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • h2cSmuggler-proxy: Python script that implements a proxy over h2cSmuggler so you can navigate in your browser making requests to the back-end server

  • mx-takeover: Go tool that detects misconfigured MX records using three techniques

  • slipit: Utility for creating ZipSlip archives

  • righettod/toolbox-pentest-web: Docker toolbox for pentest of web based application

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

You may also like