Bug Bytes #59 – Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell, Low Competition Bug Hunting & RCE on Tesla

By intigriti_inti

February 25, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 14 to 21 of February.

Our favorite 5 hacking items

1. Video of the week

Low Competition Bug Hunting (What to Learn) – ft. #AndroidHackingMonth

If you are discouraged by bug bounty and think all the bugs are gone, watch this. @InsiderPhD gives an awesome explanation of why it is not true, and what you need to do to start finding bugs.
I love her way of thinking. She deconstructs the question into several chunks and tackles them one after the other: Which targets/industry to choose? Which assets and bugs to focus on? Which techniques to learn? How to interpret and use bug bounty statistics?

2. Writeups of the week

A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell
RCE on Tesla due to CVE-2020-0618 ($10,000)

The first write-up is an excellent breakdown of common vulnerabilities in XML and ZIP parsers. @spaceraccoonsec found an XXE and achieved RCE via path traversal in ZIP extraction, writing a web shell onto the server.
Mastering classic techniques can be as lucrative as monitoring and testing for new ones, which is what @parzel2 did. He got an impressive bounty by reporting CVE-2020-0618 (a remote code execution bug in Microsoft SQL Server Reporting Services) on Tesla only one day after it was published!
I am amazed at the monitoring and historic data management that probably allowed for this speed. But I'm also surprised that the bug was accepted, since some programs do not reward reports of CVEs published too recently.
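The ZIP side of the first write-up is the classic "Zip Slip" pattern: an extractor trusts archive member names, so an entry named `../something` lands outside the extraction directory, and in a web application that is enough to drop a file into the web root. The following Python is an added example for this newsletter, not code from the write-up or from any affected project. It builds a small archive in memory with a constructed traversal entry (an inert marker, not a real shell), runs a deliberately naive hand-rolled extractor beside a hardened one, and returns what each did so you can check the behaviour yourself. Note that Python's own `ZipFile.extractall` already strips `..` components; the naive loop below mirrors the custom extraction code that is usually where this bug lives.

```python
"""Zip Slip demo: naive ZIP extraction vs. a containment-checked one.

Added example; the archive and its member names are constructed here for
illustration and the "shell" payload is just a marker string.
"""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path

# Constructed member names: one benign, one that climbs out of the target dir.
BENIGN_NAME = "docs/readme.txt"
EVIL_NAME = "../escaped/shell.php"


def build_malicious_zip() -> bytes:
    """Return ZIP bytes containing a benign entry and a traversal entry.

    zipfile does not sanitise names on write, so the '..' survives.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_NAME, "harmless content\n")
        zf.writestr(zipfile.ZipInfo(EVIL_NAME), "<?php /* marker only */ ?>\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """VULNERABLE pattern: joins the member name onto dest with no check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # trusts '..' and '/'
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def is_contained(dest: str, member_name: str) -> bool:
    """True if member_name, joined onto dest and resolved, stays under dest.

    Absolute names (Path('/x') / '/etc/passwd' -> '/etc/passwd') and '..'
    segments both resolve outside dest and are rejected.
    """
    root = Path(dest).resolve()
    target = (root / member_name).resolve()
    return target == root or root in target.parents


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """HARDENED: refuse traversal names and symlink members before writing."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest, info.filename):
                raise ValueError(f"rejected traversal entry: {info.filename!r}")
            # Unix-style ZIPs can carry symlinks in the high 16 bits of
            # external_attr; a symlink pointing outside dest would turn a
            # later, "contained" write into an escape.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"rejected symlink entry: {info.filename!r}")
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors in scratch dirs and report whether the escape landed."""
    data = build_malicious_zip()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        naive_extract(data, os.path.join(tmp, "extract"))
        results["naive_escaped"] = os.path.exists(
            os.path.join(tmp, "escaped", "shell.php"))
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(data, os.path.join(tmp, "extract"))
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["safe_escaped"] = os.path.exists(
            os.path.join(tmp, "escaped", "shell.php"))
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check deliberately resolves the joined path rather than pattern-matching on `..`: encoded or doubled separators and absolute names are all handled by the same comparison against the resolved root. When auditing a target's extractor, look for exactly the `os.path.join(dest, name)` shape in `naive_extract`, whatever the language.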

3. Podcast of the week

Darknet Diaries – Ep 59: The Courthouse

This episode goes over what happened during the Iowa-Coalfire debacle, in which two Coalfire pentesters were arrested while performing an authorized physical penetration test of a county courthouse.
This is a must for anyone who loves pentest stories, Darknet Diaries, and was concerned over this shocking incident.

4. Tool of the week

Rule-Based Highlighter Plugin for BurpSuite

This Burp extension automatically highlights requests or adds a comment to them based on user-defined rules.
The suggested use cases are interesting. The tool allows you to highlight specific status codes, differentiate user sessions for authentication and authorization testing, hide requests with specific HTTP methods (e.g. CORS preflight OPTIONS requests), facilitate SOAP service tests by adding comments, and highlight requests containing sensitive information.

5. Non technical item of the week

How to Achieve Your Most Ambitious Goals | Stephen Duneier

Do you know the common point between learning German, crochet world records, knitting, hedge fund management, reading challenges, skydiving, and losing weight by hiking? Stephen Duneier did all that and much much more just by making marginal adjustments to his daily routine.
It is amazing to see these concrete examples of setting really ambitious goals and breaking them down into manageable decisions. By making one small good choice after another, the unattainable becomes easily reachable.
I think this is the best approach and mindset whether you’re struggling with bug bounties, some complex hacking techniques, time management, weight loss or anything.



Webinars & Webcasts



Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups


If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources




Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/14/2020 to 02/21/2020.

Curated by Pentester Land & Sponsored by Intigriti

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.