Bug Bytes #172 – Pre-hijacking accounts, CSP bypass using WordPress & Unusual SSRF + Phishing chain

By Anna Hammond

June 1, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the weeks from May 23 to 30.

Intigriti news

Intigriti’s May XSS challenge By @PiyushThePal

Our favorite 5 hacking items

1. Article of the week

Bypass CSP Using WordPress By Abusing Same Origin Method Execution

@PaulosYibelo discovered two scenarios in which CSP can be bypassed if WordPress is hosted on the target website.
In a nutshell: HTML injection on the main domain + WordPress endpoint on a subdomain = XSS with CSP bypass that can be escalated to RCE.

2. Writeups of the week

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web (Dropbox, Meta / Facebook (Instagram), LinkedIn, WordPress & Zoom)
From open redirect to RCE in one week (Mail.ru)

The first link is a research paper by @ajpaverd and @sudoavi. They explored the topic of account hijacking, focused on five types of account pre-hijacking attacks, and discovered that 35 out of 75 services tested (including Instagram, Zoom, LinkedIn and Dropbox) were vulnerable to these attacks.

The second writeup is a fantastic tale of persistence by @ByQwert. It reads like a detective story that started with open redirect and ended with RCE, with LFI, SSRF and insecure deserialization in between.

3. Vulnerabilities of the week

VMware Authentication Bypass Vulnerability (CVE-2022-22972)

Microsoft Windows Support Diagnostic Tool RCE (CVE-2022-30190 / Follina)

CVE-2022-22972 is an authentication bypass in some VMware products. Basically, the affected products send authentication requests to the server named in the Host header. Since this header is user-controlled, it can be pointed at a server that always answers with HTTP 200, which validates every authentication request (no correct credentials needed).
The vulnerability is simple to exploit, but it is worth going through the analyses if you are interested in finding this type of bug through code review and patch analysis.
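As an added illustration of the Host-header trust issue described above (example code, not VMware's), here is a minimal Python model: the weak version derives the credential-validation URL from the raw Host header, the hardened version normalizes and allowlists it, and a small check flags unexpected Host values in constructed access-log lines. All hostnames, the `/authenticate` path and the log format are constructed.

```python
"""Added example, not VMware code: a minimal model of the Host-header trust
flaw described for CVE-2022-22972, next to a hardened version and a log check.
All hostnames, the /authenticate path and the log format are constructed."""
import re
from urllib.parse import urlsplit
# Constructed allowlist: the only names this service is legitimately reached by.
TRUSTED_HOSTS = {"sso.example.internal", "sso.example.com"}


def auth_backend_url_weak(host_header: str) -> str:
    """Weak pattern: the credential check is sent wherever Host points,
    so whoever supplies the header also chooses the validating server."""
    return f"https://{host_header}/authenticate"


def normalize_host(host_header: str):
    """Reduce a Host header to a bare lowercase hostname (port dropped).
    Returns None for userinfo, a path, a query, or an unparsable value."""
    if not host_header or not host_header.strip():
        return None
    try:
        parts = urlsplit("//" + host_header.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.username or parts.password or parts.path or parts.query:
        return None
    return parts.hostname  # lowercased by urlsplit; None if empty


def auth_backend_url_hardened(host_header: str) -> str:
    """Hardened pattern: fail closed unless the host is allowlisted, and
    rebuild the URL from the normalized name, never from the raw header."""
    host = normalize_host(host_header)
    if host is None or host not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"https://{host}/authenticate"


HOST_FIELD = re.compile(r'host="([^"]*)"')

def unexpected_hosts(log_lines):
    """Detection: Host values on access-log lines that are not allowlisted.
    Hits on an authentication path are worth an analyst's attention."""
    hits = []
    for line in log_lines:
        match = HOST_FIELD.search(line)
        if match and normalize_host(match.group(1)) not in TRUSTED_HOSTS:
            hits.append(match.group(1))
    return hits
```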

Follina, a.k.a. CVE-2022-30190, is an RCE vector that lets apps like Word execute code (without macros) by invoking MSDT through its URL protocol handler. It was spotted as a 0-day exploited in the wild, but had already been mentioned in 2020 in a rather interesting thesis on Electron security.

4. Videos of the week

This is my coolest bug bounty report (SSRF ➡ Phishing)
@YassineAboukir Talks About His Recon Flow, Bug Bounty, Mental Health and More!

@gregxsunday explains his coolest exploit, an SSRF chained with phishing. An unusual combination that escalated the SSRF’s impact and doubled his bounty.

@YassineAboukir’s interview is one of those where I took a lot of notes. So many good insights shared on recon, content discovery, learning, favorite tools, Burp plugins, etc.

5. Resources of the week

Example of using Turbo Intruder in a “listen and attack” mode
Finding command execution sinks in decompiled JVM languages

Did you know that Turbo Intruder can use Burp’s plugin API? That is what @defparam shows with this example script, which listens while you’re browsing and replays requests with different HTTP methods.

The second resource is @dee__see’s cheatsheet for reverse engineering apps written in Scala, Clojure, Groovy and Kotlin.


Other amazing things we stumbled upon this week

Videos

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • goodfaith: Stay within program scope

  • IISRecon: IIS shortname scanner (uses ffuf, sns and arjun)

  • PyHackTheBox: Unofficial Python library to interact with the Hack The Box API

  • UPnProxyChain & Intro: A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s)

  • Max: Maximizing BloodHound with a simple suite of tools

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical
