Bug Bytes #54 – Killing Snakes for Fun, Seagate RCE & Finding Bugs in API’s

By intigriti_inti

January 21, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 10 to 17 of January.

Our favorite 5 hacking items

1. Webinar of the week

SEC642: Killing snakes for fun, Flask SSTIs and RCEs in Python (Free registration required)

This is an excellent course on SSTIs with a focus on Python frameworks.
I love that it not only explains how SSTIs work and how to escalate them to RCE, but also gives a lot of background information to understand the big picture: why Python web frameworks were created, how they work, the history of Python and Flask, etc.

2. Writeup of the week

Advisory | Seagate Central Storage Remote Code Execution 0day

This is a nice example of RCE found using security code review with a bottom-up approach. It also shows how to reverse and analyze the firmware of a NAS.
Both RCE and code review can be intimidating, but the way everything is broken down in this writeup makes them easy to follow, even for beginners.

3. Challenge of the week

SKF labs

There is a plethora of XSS challenges, but labs for GraphQL bugs, JWT, SSRF, SSTI, lack of rate limiting, etc., are rarer. So, these labs are perfect if you want to play with these vulnerabilities and many others.
The best part is that detailed walkthroughs are provided for each bug.

4. Video of the week

Finding Your First Bug: Finding Bugs Using APIs

As always, a great tutorial video by @InsiderPhD! I think this is the best introduction to APIs I’ve ever seen. It covers everything you need to start exploiting them ASAP: What APIs are, how to find and enumerate them, types of APIs (REST, SOAP, GraphQL), what is JSON, what bugs to look for, how to take notes, etc.

5. Tutorial of the week

Intruder and CSRF-protected form, without macros

Did you know that macros are not the only way to deal with CSRF tokens in Burp?
@Agarri_FR shows in great detail how to use Intruder's Pitchfork attack type to mimic manually replacing the CSRF token with the latest value sent by the server, and the advantages this has over macros.

Other amazing things we stumbled upon this week



Webinars & Webcasts



Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups


If you don’t have time

  • xpasn: Expands an autonomous system (AS) number into prefixes or individual host IP addresses

  • Velocity: DNS caching library for Python. Helps speed up network connections (applies to everything from sockets to HTTP requests)

  • SWFPFinder: SWF Potential Parameters Finder

  • GDA-android-reversing-Tool & Wiki: GDA is a new decompiler written entirely in C++, so it does not rely on the Java platform. It is succinct, portable and fast, and supports APK, DEX, ODEX and OAT files.

More tools, if you have time

Misc. pentest & bug bounty resources



Unusual Patch Tuesday


Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/10/2020 to 01/17/2020.

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti
