By Anna Hammond
May 25, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 16 to 23.
Octopii is a Personal Identifiable Information (PII) scanner for images. It uses tesseract-ocr and AI to identify images of passports, photos, signatures, etc. This can be useful for automated recon, when you have access to a lot of images (in a local directory, S3 bucket or via directory listing) and cannot go through all of them manually.
@jespinhara found a Tomcat Manager that used default credentials on a public bug bounty program. The vulnerable host could only be accessed from a t2.xlarge AWS instance in the us-east-1a region, which probably explains why the bug wasn’t discovered before.
So, a valuable lesson for recon automation and vulnerability scanning is to try different cloud providers, regions and instance types.
LevelUpX – Series 1: Salesforce Object Recon with B3nac & AuraIntruder
@B3nac shares how to find data leaks by disclosing Salesforce Objects using different techniques, and a Burp extension to automate the process.
Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Android security checklist: theft of arbitrary files
@0x00C651E0 explains three of the most common ways to obtain RCE on Ruby on Rails apps. Although they can be detected with Brakeman, this walkthrough will help you go further and construct working exploits.
The second tutorial / cheat sheet by @OversecuredInc is a compilation of multiple techniques to exploit Android apps and access arbitrary files.
The Bridge between Web Applications and Mobile Platforms is Still Broken
Security Code Audit – For Fun and Fails
The first paper presents two new attacks using Android Web Views. One allows leaking user information and the other accessing the user’s camera and microphone.
The second paper is an insightful tale of “failed” code review by @frycos. It is very interesting to read about a code auditor’s methodology whether there is an RCE at the end or not.
Bug Bounty 101: #18 – Approaching a Public Target (Pinterest) & Interview #4: Question and Answer Session #1
INDUSTRY Penetration Testing & Training w/ Jean-François Maes
Hacking networks with Python // Creating malicious packets and breaking TCP/IP rules
401 Access Denied, especially:
Finding Bugs on NFT Websites for Fun & Profit | IWCON-S22 Talk by Zseano
Security Automation, (Re) Defined | IWCON-S22 Talk by Dhiyaneshwaran DK
Yik Yak Vulnerability Exposed Precise GPS Locations: Analysis #iOS
Mailcow RCE and domain admin privilege escalation (CVE-2022-31245) #Web
Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) #Web
Printing Fake Fiscal Receipts – An Italian Job p.2 & p.1 #Printers #Android
“NginxDay2022”: NGINX LDAP reference implementation Zero Day Vulnerability
How I could exploit the CVE-2022-1388, F5 BIG IP iControl Authentication bypass to RCE
Stealing Google Drive OAuth tokens from Dropbox (Dropbox, $1,728)
Finding vulnerabilities in Swiss Post’s future e-voting system – Part 2 (Swiss Post)
Integer overflow vulnerability (Glovo)
See more writeups on The list of bug bounty writeups.
h2cSmuggler-proxy: Python script that implements a proxy over h2cSmuggler so you can navigate in your browser making requests to the back-end server
mx-takeover: Go tool that detects misconfigured MX records using three techniques
slipit: Utility for creating ZipSlip archives
righettod/toolbox-pentest-web: Docker toolbox for pentest of web based application
Dotnet’s Default AES Mode Is Vulnerable To Padding Oracle Attacks
We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere
No-Fix Local Privilege Escalation Using KrbRelay With Shadow Credentials
Upcoming events
“Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling” (@albinowax’s talk at Black Hat USA 2022)