Bug Bytes #53 – Exploiting a SSRF in WeasyPrint, The Bug That Exposed Your PayPal Password and 12 tricks for Burp Repeater

By Intigriti

January 14, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 3 to 10 January.

Our favorite 5 hacking items

1. Videos of the week

Exploiting a Server Side Request Forgery (SSRF) in WeasyPrint for Bug Bounty & HackerOne’s $50M CTF
[BURP] 12 tricks for Burp Repeater

The first video is about an interesting SSRF that was tricky to exploit. @NahamSec explains why it is important to identify the backend, and how to do it (by requesting an image or iframe).
In this case, the backend was WeasyPrint. Since it is open source, analyzing its code helped find a tag which was not blacklisted and could be used to read internal and external resources.
The second video taught me 3 new helpful tips on Burp Repeater:

  • How to save the entire history of a tab – Useful for reporting

  • You can replay URLs by copying them from the browser into Repeater – Saves time

  • Repeater has an option to “URL-encode as you type” – Encodes values automatically without having to do it manually with Burp Decoder
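The backend-identification trick in the first video works because an HTML-to-PDF renderer fetches whatever URL the document points at, and the WeasyPrint finding shows why a tag blacklist is the wrong layer for the fix. The durable control sits in the fetcher itself. Below is an added example of such a check in Python; it is neither the video's nor WeasyPrint's code. WeasyPrint does expose a `url_fetcher` hook on `weasyprint.HTML` where a fetcher wrapping a check like this would be plugged in, but the block stands alone and does not import WeasyPrint. `check_fetch_url`, `is_internal_address` and the constructed `fake_dns` table are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes make sense for an HTML-to-PDF renderer; file://,
# ftp:// and similar give the rendering engine access it never needs.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname with the system resolver; returns a sorted list of IPs."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip_text):
    """True for loopback, RFC 1918 / ULA, link-local (which includes the
    169.254.169.254 cloud metadata address), multicast, reserved and
    unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Treat IPv4-mapped IPv6 (::ffff:10.0.0.1) as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolve=resolve_host):
    """Decide whether the renderer may fetch `url`. Returns (allowed, reason).

    `resolve` is injectable so the check can be exercised without DNS; the
    default uses the real resolver.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    try:
        # IP literals (including bracketed IPv6) need no DNS lookup.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, f"{host!r} did not resolve"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed name-to-address table standing in for DNS in this demo
    # (1.2.3.4 is just a non-private placeholder, not a real service).
    fake_dns = {
        "cdn.example": ["1.2.3.4"],
        "intranet.example": ["10.20.30.40"],
        "metadata.example": ["169.254.169.254"],
    }
    for candidate in [
        "https://cdn.example/logo.png",
        "http://intranet.example/admin",
        "http://metadata.example/latest/",
        "http://127.0.0.1:8080/status",
        "http://[::1]/",
        "file:///etc/hostname",
    ]:
        print(candidate, check_fetch_url(candidate, resolve=fake_dns.get))
```

Two caveats a practitioner should keep in mind: checking and then fetching separately leaves a window for DNS rebinding, so the real fetcher should connect to the address it validated rather than resolving again; and the same check has to run on every redirect hop, since an allowed external host can redirect to an internal one.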

2. Writeups of the week

The Bug That Exposed Your PayPal Password ($15,300)
Hunting Good Bugs with only html

The first writeup is about an impressive XSSI found on PayPal’s login form. It goes beyond simple detection and proof of concept to show how this can be exploited to take over user accounts.
This is also a good opportunity to revisit this old but excellent introduction to XSSI: Cross-Site Script Inclusion: A Fameless but Widespread Web Vulnerability Class.
The second writeup shows how multiple bugs (such as open redirect and SSRF) can be chained to significantly increase the impact.

3. Tutorials of the week

Bypass SameSite Cookies Default to Lax and get CSRF & CSRF challenge by @RenwaX23
Unicode Normalization Vulnerabilities & the Special K Polyglot

SameSite cookies are not yet the end of CSRF. There is a special feature called LAX+POST which basically disables SameSite for 2 minutes. In other words, there is a window of 2 minutes where users are vulnerable to POST CSRF despite the SameSite attribute being used.
@RenwaX23 explains some ways in which this behavior can be exploited in real-life attacks. He also provides a challenge if you want to play with this.
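The 2-minute window described above applies to cookies that carry no SameSite attribute at all: Chrome treats those as Lax by default but still sends them on top-level cross-site POST requests for 2 minutes after they were set, while a cookie that says SameSite=Lax explicitly does not get that exception. The practical check is therefore an audit of Set-Cookie headers for missing or weak attributes. The following Python block is an added example of that audit, not code from the tutorial; `parse_set_cookie`, `audit_set_cookie` and the constructed sample headers are assumptions of this example.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''.
    """
    parts = [part.strip() for part in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attributes[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attributes


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty list = fine)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "samesite" not in attrs:
        findings.append(
            f"{name}: no SameSite attribute; relies on the browser's Lax default, "
            "so the Lax+POST exception (cross-site top-level POST allowed for "
            "2 minutes after the cookie is set) applies"
        )
    else:
        mode = attrs["samesite"].lower()
        if mode == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None without Secure (Chrome rejects this cookie)")
        elif mode == "none":
            findings.append(f"{name}: SameSite=None; cross-site requests carry it, CSRF tokens required")
        elif mode not in ("lax", "strict"):
            findings.append(f"{name}: unknown SameSite value {attrs['samesite']!r}")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    return findings


def audit_response_headers(headers):
    """Audit every ('Set-Cookie', value) pair in a header list.

    Returns a dict of cookie name -> list of findings.
    """
    report = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name = parse_set_cookie(value)[0]
            report[name] = audit_set_cookie(value)
    return report


if __name__ == "__main__":
    # Constructed response headers for the demo.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "session_fixed=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Set-Cookie", "pref=dark; SameSite=None"),
    ]
    for cookie, findings in audit_response_headers(sample_headers).items():
        print(cookie, "->", findings or "ok")
```

The fix the audit points at is cheap: set SameSite=Lax (or Strict) explicitly on session cookies rather than relying on the browser default, and keep anti-CSRF tokens in place anyway, since SameSite is a browser-side mitigation the server cannot verify.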
The second tutorial is excellent if you want to start leveraging Unicode for bypassing XSS and SQL injection filters.
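The root cause behind normalization bugs of the kind the second tutorial covers is an ordering mistake: input is filtered first and normalized afterwards, so a compatibility character that the filter ignores turns into the forbidden ASCII character during normalization. One well-known such character is the Kelvin sign (U+212A), which NFKC maps to a plain K. The Python block below is an added example showing the vulnerable order next to the hardened order; it is not code from the tutorial, and `validate_then_normalize`, `normalize_then_validate`, `canonical` and the constructed inputs are its own assumptions.

```python
import unicodedata

# Characters a naive filter refuses because they are HTML/SQL metacharacters.
FORBIDDEN = frozenset("<>\"'")


def validate_then_normalize(value):
    """Vulnerable order: filter the raw string, then normalize it.

    Compatibility characters (fullwidth brackets, the Kelvin sign, ...) pass
    the filter and only become the forbidden ASCII characters during NFKC.
    """
    if any(ch in FORBIDDEN for ch in value):
        raise ValueError("forbidden character")
    return unicodedata.normalize("NFKC", value)


def normalize_then_validate(value):
    """Hardened order: normalize first, then filter the form that will be used."""
    normalized = unicodedata.normalize("NFKC", value)
    if any(ch in FORBIDDEN for ch in normalized):
        raise ValueError("forbidden character")
    return normalized


def accepts(validator, value):
    """True if `validator` lets `value` through, False if it raises."""
    try:
        validator(value)
    except ValueError:
        return False
    return True


def canonical(value):
    """Canonical form for comparing identifiers: NFKC, then case-fold.

    Used to show why uniqueness checks must run on the canonical form.
    """
    return unicodedata.normalize("NFKC", value).casefold()


if __name__ == "__main__":
    # Constructed inputs: fullwidth angle brackets and a Kelvin-sign "K".
    fullwidth_tag = "\uff1cb\uff1e"
    kelvin_name = "\u212aelvin"
    print("vulnerable order accepts:", accepts(validate_then_normalize, fullwidth_tag),
          "->", repr(validate_then_normalize(fullwidth_tag)))
    print("hardened order accepts:", accepts(normalize_then_validate, fullwidth_tag))
    print("Kelvin sign after NFKC:", repr(unicodedata.normalize("NFKC", "\u212a")))
    print("same identifier?", canonical(kelvin_name) == canonical("kelvin"))
```

The same ordering rule applies to any canonicalisation step (case folding, path normalization, percent-decoding): validate the form the application will actually use, and run uniqueness checks for usernames or e-mail addresses on that canonical form.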

4. Non technical item of the week

The need for note making and an organized methodology in Bug Bounty Hunting

@sharathsanketh makes the case for maintaining a written organized methodology. He gives concrete examples of taking notes on CSRF and “Forgot password” bugs.

And most importantly, he explains an essential idea for beginners: No one will give you a ready-to-use complete methodology. You have to read, do deep searches (especially on Twitter) and take notes of anything you learn so that it is not just passive reading.

Nowadays the question is not “Where will I find information?”, but rather “How can I exploit it effectively?”.

5. Tools of the week

Burp Share Requests

Burp Share Requests is a Burp Suite extension that allows you to share requests with another Burp user. Useful for collaboration or sharing information with triagers!
To use it, right-click on any request you want to share, click on “create link” and share the generated link. When the other person opens the link (with the same extension installed), it imports the request into their Burp.
ReconNess seems fantastic for bug bounty. It’s an open source web app that helps organize recon and is easily extensible. You can add targets, notes, and agents to run any commands (for asset enumeration, port scanning, directory brute-forcing, etc.). Custom-built Bash scripts achieve the same results, but this GUI tool can make the process much more pleasant.


More tools, if you have time

  • Electric Scan: Electron based screenshot scanner

  • XposedOrNot: A tool to search an aggregated repository of xposed passwords comprising ~850 million real-time passwords

  • Bucket Flaws (S3 Bucket Mass Scanner): A Simple Lightweight Script to Check for Common S3 Bucket Misconfigurations

  • GIXY: Nginx configuration static analyzer

  • DNSolver: Recon tool that parses a list of domains and returns a list of unique IP addresses

  • VULNRΞPO & Online version: A free project designed to speed up the creation of IT Security vulnerability reports

  • Frida Injector for Android: Inject frida agents on local processes through an Android app

  • Npq: Install packages safely with npm or yarn by auditing them as part of your install process

  • AD Fly Tool: Active Directory query tool using the LDAP protocol. Helps red teamers / penetration testers validate user credentials and retrieve information about AD users, AD groups…

  • RFCpwn: An enumeration and exploitation toolkit using RFC calls to SAP

  • AUTO_RECON.bat: Automated host recon, persistence and exfiltration

  • SharpStat: C# utility that uses WMI to run “cmd.exe /c netstat -n”, save the output to a file, then use SMB to read and delete the file remotely

  • Apache2 mod_backdoor: A backdoor module for Apache2

  • Cobalt_aliases: Tired of typing execute-assembly every time you use Cobalt Strike? Clone this

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/03/2020 to 01/10/2020.

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.

Curated by Pentester Land & Sponsored by Intigriti
