Bug Bytes #39 – HTTP Desync Attacks 2.0, Google Sponsors Vulnerability Disclosure & 7 New Tools

By intigriti_inti

October 8, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 27 of September to 04 of October.

Our favorite 5 hacking items

This time, exceptionally, we’re featuring way more items than usual… Why limit ourselves to 5 if both quantity and quality are there?
The following links are all really worth checking out if you are into Web application security.

1. Articles of the week

HTTP Desync Attacks: what happened next
Karim Rahal: Security Features of Firefox
The Top 8 Burp Suite Extensions That I Use to Hack Web Sites
5 Subdomain Takeover ProTips

These articles are, in order, about:

  • New research by @albinowax on HTTP Request Smuggling

  • 3 Firefox security features explained by @KarimPwnz, with good tips on how to use the “Multi-Account Containers” extension for hacking

  • A list of 8 Burp extension worth using, with everything you need to know about them in one page (what they do, installation & usage tips)

  • 5 tips by subdomain takeover master @0xpatrik

2. Writeup of the week

Google Paid Me to Talk About a Security Issue!

Google sponsored @LiveOverflow for making this video. It is a writeup of a bug found by @wtm_offensi on Google’s Cloudshell.
Basically, Git cloning a repo with Cloudshell lead to RCE. But this is not a simple bug and I am not going to try to sum it up in a few words like I usually do. This finding is probably the result of hundreds of hours of work.
This is why I find it so inspiring. The level of persistence and work involved to understand both the technologies behind Cloudshell and its inner workings is amazing.
It is also interesting to hear about @wtm_offensi’s thought process: How he chose the target to focus on based on criticality, how he keeps asking himself questions to really understand the app (almost like an investigation), how he doesn’t look for a technical vulnerability but for an outcome (RCE), and for any conditions that could lead to that outcome…

3. Tools of the week
Cyber.dic & Introduction
Mobexler & Introduction
Dnsgen, Introduction

  • is an all-in-one tool that makes it really easy to monitor a lot of thing for pentest/bug bounty purposes. This includes DNS records, SSL certificates, file changes (e.g. changes to JavaScript files), response headers, status codes, page title, up/down time and more. I’ve never seen all these features on one site, with such ease of use!

  • Cyber.dic is a spellcheck dictionary to add support of 1700+ technical terms to Microsoft Word & LibreOffice Writer. Finally, I can write “pentest” without it being highlighted as a mistake…

  • Mobexler is a customised virtual machine, based on Elementary OS, designed to help in penetration testing of Android & iOS apps. I like the idea of having all (or most) of the tools you need for mobile testing already installed on a VM. It’s like the Kali of mobile testing.

  • Swamp is an OSINT tool for discovering associated sites through Google Analytics Tracking IDs. It’s not a novel idea but being able to automate this is helpful for recon.

  • Syborg is a recursive DNS Domain Enumerator with dead-end avoidance system. It is inspired from a discussion between @tomnomnom and nahamsec on the drawbacks of current subdomain enumeration tools.

  • Fav-up is so creative! It helps you find a server’s origin IP behind Cloudflare by looking up its favicon on Shodan.

  • Dnsgen is like altdns on steroïds. It generates a combination of domain names from provided input. This is useful for finding new subdomains and account takeovers. And apparently, it generates way more combinations than altdns.

4. Non technical item of the week

My baby steps towards Bug Bounty Hunting — an arduous yet exciting journey

@sharathsanketh recounts how he went from knowing nothing in Web hacking to his first bounty.
He doesn’t give any technical advice, but I think his story and advice are so relatable and useful for beginners. He did two things I find noteworthy: He forced himself to focus on learning, not bug hunting without knowing the basics. And he didn’t start with the most recommended books on bug bounty. He started with less known introductory books on how technology and the Web work, because that’s what he needed to understand before going deeper.
This is a great mindset to adopt: “You need to know where you stand and reverse engineer in order to even know what you have to learn”.

5. Tips of the week

What are some endpoints that make you excited when it pops up while performing a directory brute force?
Any way to import a big url list into burpsuite?

It’s always fun to get a peak at what other hackers are using as tools and wordlists. The first link is basically a crowdsourced list of interesting endpoints to add to your directory bruteforce wordlist. The second one is about several ways for importing a list of URLs to Burp: using Burp API, BurpFeed, Burp-Importer…

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Misc. pentest & bug bounty resources


Articles & Papers


Bug bounty & Pentest news



Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/27/2019 to 10/04/2019.

Curated by Pentester Land & Sponsored by IntigritiDisclaimer:The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.


You may also like