By Anna Hammond
June 15, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 6 to 13.
Free webinar – The Ethical Hacker Insights Report 2022
Getting (back) together to hack!
Bug Bounty 101: #23 – From $0 to $150,000/mo – Hacking Methodology & Mindset
If you are struggling with finding your first bugs, this video might give you new ideas to experiment with. @_zwink shares the multi-step formula he used to go from $0 bounties in his first month to $150K in less than a year and a half.
Zimbra Email – Stealing Clear-Text Credentials via Memcache injection
SynLapse – Technical Details for Critical Azure Synapse Vulnerability & TL;DR (Microsoft, $60,000)
Hacking 6.5+ million websites => CVE-2022-29455 (Elementor)
@SonarSource disclosed a cool vulnerability that allowed unauthenticated attackers to steal the login credentials of Zimbra users without interaction, using Memcache injection.
@TzahPahima shared details on a cross-tenant vulnerability in Azure Synapse that made it possible to obtain credentials of Azure Synapse customer accounts, including Microsoft’s!
The third writeup demonstrates a nice strategy for bug hunters: @rotembar, @realgam3 & @naglinagli identified that their target used a specific WordPress plugin, analyzed one of its patched vulnerabilities, found a new bug, and went over historic recon data to find other vulnerable targets.
Not all “Internet Connections” are Equal
This is a good reminder by @Trustwave that some networking issues and configurations can interfere with your security testing and vulnerability scanning. It is good to learn about them to avoid false negatives.
New technique of stealing data using CSS and Scroll-to-text Fragment feature.
Apache Pinot SQLi & RCE Cheat Sheet
@haqpl demonstrates a new CSS exfiltration technique that leverages the new Scroll-to-Text Fragment feature in Chrome. It has some limits but can be useful for leaking information on an app’s users, and is worth knowing if you are interested in XS-Leaks attacks and CSS exfiltration.
The second article by @Doyensec provides an excellent resource on hacking Apache Pinot. It covers what Pinot is, how to set up a testing environment, and how to exploit Pinot databases for SQL injection, RCE and post-exploitation.
OffSec Live: PEN-200! (Starting June 22)
PNPT Live Training (Starting June 22nd at 12pm EST)
Both @offsectraining and @TCMSecurity announced that they will livestream hacking courses for free on Twitch, starting June 22.
This reminds me that @InsiderPhD also announced two upcoming free courses.
Hacker summer school will soon start, no excuses if you want to upskill!
Bug Bounty 101: #21 – Hacking Pinterest for Two Weeks & Bug Bounty 101: #22 – Testing File Upload Dialogues
100 hours of reviewing the source code – Bounty vlog #3 – Elastic
Deadly OSINT: The Final Hours of Pop Smoke & OSINT TikToker @georainbolt
Managed Identity Attack Paths, Part 1: Automation Accounts, Part 2: Logic Apps & Part 3: Function Apps
Escalating privileges in Google Cloud, from app to cloud access
How to Reverse Engineer and Patch an iOS Application for Beginners: Part I & ios-breakmedaddy
Dockerizing A Web Testing Environment: Part 3, Part 2 & Part 1
CA CTF 2022: Exploiting Zip Slip and Pickle Deserialization – Acnologia Portal & Exploiting Redis Lua Sandbox Escape RCE with SSRF – Red Island
Command Injection – Lab #1 OS command injection, simple case
CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability #Web #RCE #CodeReview
Discovering a Dangerous Pattern in a Popular Python Package Manager #Python #RCE
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection #Web #CodeReview
Exploiting Kaseya Unitrends Backup Appliance – Part 1 & Part 2 #Web #LPE #MemoryCorruption
CVE-2022-26134: A look into bypass isSafeExpression check in Confluence Preauth RCE
Bypassing CSP with dangling iframes (Google & Mozilla)
CVE-2022-1040 Sophos XG Firewall Authentication bypass (Sophos)
Chaining vulnerabilities to criticality in Progress WhatsUp Gold (Progress)
Finding vulnerabilities in curl 7.83.0 without reading a single line of C code (curl)
How I found a Critical Bug in Instagram and Got 49500$ Bounty From Facebook (Meta / Facebook, $49,500)
Extracting Clear-Text Credentials Directly From Chromium’s Memory (Google)
See more writeups on The list of bug bounty writeups.
sourcegraph-scripts: Scripts for Sourcegraph search results (Useful for static analysis)
TLS-Scanner & Features: The TLS-Scanner Module from TLS-Attacker
HTTPLoot & Millions of Secrets Exposed via Web Application Frontend – An Internet-Wide Study: Go tool which can simultaneously crawl, fill forms, trigger error/debug pages and “loot” secrets out of the client-facing code of sites
CRLFsuite: CRLF injection (HTTP Response Splitting) scanner in Python
Ica2Tcp: A SOCKS proxy for Citrix
@_zwink on Testing all URLs at least three times, preferably on separate days, Avoiding distractions while hacking & Things to try when testing for Broken Access Control
@0xConda’s tips after hitting the top 100 of all time leaderboard on Intigriti
Are you making this mistake when you use a reflected XSS scanner?
JWT attacks (New Web Security Academy course & labs)
Cloud Middleware Dataset & The cloud gray zone—secret agents installed by cloud service providers
New UUID Formats (RFC4122 update proposal)
brutas: Wordlists and passwords handcrafted with ♥
What I learned from reading 126* Information Disclosure Writeups
Yet another zero-day (sort of) in Windows “search URL” handling
Tool updates
Exegol 4.0.0 (redesigned from scratch)
gowitness v2.4.0 (Major release)
Project Discovery updates: httpx v1.2.2, Subfinder v2.5.2, Proxify v0.0.7, mapCIDR v1.0.0 & Cloudlist v1.0.1 (Added Hetzner Cloud provider support)