By Anna Hammond
June 1, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 23 to 30.
Intigriti’s May XSS challenge By @PiyushThePal
Bypass CSP Using WordPress By Abusing Same Origin Method Execution
@PaulosYibelo discovered two scenarios in which CSP can be bypassed if WordPress is hosted on the target website.
In a gist: HTML injection on the main domain + WordPress endpoint on a subdomain = XSS with CSP bypass that can be escalated to RCE.
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web (Dropbox, Meta / Facebook (Instagram), LinkedIn, WordPress & Zoom)
From open redirect to RCE in one week (Mail.ru)
The first link is a research paper by @ajpaverd and @sudoavi. They explored the topic of account hijacking, focused on five types of account pre-hijacking attacks, and discovered that 35 out of 75 services tested (including Instagram, Zoom, LinkedIn and DropBox) were vulnerable to these attacks.
The second writeup is a fantastic tale of persistence by @ByQwert. It reads like a detective story that started with open redirect and ended with RCE, with LFI, SSRF and insecure deserialization in between.
VMware Authentication Bypass Vulnerability (CVE-2022-22972)
Microsoft Windows Support Diagnostic Tool RCE (CVE-2022-30190 / Follina)
Analyses by Rapid7, Huntress & @GossiTheDog
Videos by @_JohnHammond & SANS
PoCs by @_johnhammond & @chvancooten
CVE-2022-22972 is an authentication bypass in some VMware products. Basically, they send authentication requests to the server specified in the Host header. Since this header can be controlled by the user, it is possible to point it to a server that always returns the 200 HTTP response code, validating all authentication requests (without having correct credentials).
The vulnerability is simple to exploit, but it is worth going through the analyses if you are interested in finding this type of bugs with code review and patch analysis.
Follina a.k.a. CVE-2022-30190 is an RCE vector that allows apps like Word to execute code (without macros) by calling MSDT using the URL protocol. It was noticed as a 0-day being exploited in the wild, but was first mentioned in 2020 in a rather interesting thesis on Electron security.
This is my coolest bug bounty report (SSRF ➡ Phishing)
@YassineAboukir Talks About His Recon Flow, Bug Bounty, Mental Health and More!
@gregxsunday explains his coolest exploit, an SSRF chained with phishing. An unusual combination that escalated the SSRF’s impact and doubled his bounty.
@Yassineaboukir‘s interview is one of those where I took a lot of notes. So many good insights shared on recon, content discovery, learning, favorite tools, Burp plugins, etc.
Example of using Turbo Intruder in a “listen and attack” mode
Finding command execution sinks in decompiled JVM languages
Did you know that Turbo Intruder could use Burp’s plugin API? That is what @defparam shows with this example script that listens while you’re browsing, and re-plays requests with different HTTP methods.
The second resource is @dee__see‘s cheatsheet for reverse engineering apps written in Scala, Clojure, Groovy and Kotllin.
Bug Bounty 101: #19 – Android Mobile App Testing with Burpsuite
Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers
Social Engineer Your Way Into Your First InfoSec Job with Volkis
[FR] Sthack 2022 : Tales from a successful bug bounty hunter – Daniel Le Gall
Ben Sadeghipour – Would I even be here if it wasn’t for the Internet?
Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
Capitalizing on BloodHound’s Data: Cypher, Object Ownerships and Trusts
BloodHound Inner Workings & Limitations – Part 1: User Rights Enumeration Through SAMR & GPOLocalGroup, Part 2: Session Enumeration Through NetWkstaUserEnum & NetSessionEnum & Part 3: Session Enumeration Through Remote Registry & Summary
Approaching CTF OSINT Challenges — Learn by Example (NahamCon CTF)
Solving “Click Me” & “Secure Notes” (mobile) (NahamCon CTF)
Android apps with millions of downloads exposed to high-severity vulnerabilities #Android
Hijacking webcams with Screencastify #BrowserExtension #Web
CVE-2022-25237: Bonitasoft Authorization Bypass and RCE #Web #CodeReview
Analysis of CVE-2022-22978 – Authorization Bypass in Spring Security RegexRequestMatcher
A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation
Zoom: Remote Code Execution with XMPP Stanza Smuggling (Zoom)
Stored XSS in Notes (with CSP bypass for gitlab.com) (GitLab, $13,950)
CVE-2022-21404: Another Story Of Developers Fixing Vulnerabilities Unknowingly Because Of CodeQL (Oracle)
See more writeups on The list of bug bounty writeups.
goodfaith: Stay within program scope
IISRecon: IIS shortname scanner (uses ffuf, sns and arjun)
PyHackTheBox: Unofficial Python library to interact with the Hack The Box API
UPnProxyChain & Intro: A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s)
Max: Maximizing BloodHound with a simple suite of tools
Using URL hash fragments for Reflected XSS without user interaction
How to access photos, videos, and audio on mobile using HTML file inputs
Practical Web Application Security & Testing (New TCM Security Academy course, $29.99)
zap-scripts: OWASP ZAP Scripts for finding CVEs and Secrets
Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms
Exploiting Leaked Handles for LPE & LHF – Leaked Handles Finder
Cybersecurity
Tool updates