Bug Bytes #63 – Bruteforce With Selenium, XXE Through Request Smuggling & Bug Bounty Podcast

By Intigriti

March 24, 2020

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 13 to 20 of March.

Our favorite 5 hacking items

1. Tutorials of the week

  • Absolute Bruteforce with Selenium

  • A secret note to Bug hunters about URL structure and its parsers

The first article shows how to bruteforce an OTP when the target uses WebSockets with encryption. In that scenario, a traditional bruteforce with Burp Intruder is not possible, so @MilindPurswani drives a real browser with Selenium instead. I don’t think this is a scenario you will often encounter, but if you do, this might be of great help.

The second tutorial is an introduction to URL structure. Understanding these basics helps understand how differences in URL parsers can cause serious vulnerabilities.

2. Writeup of the week

XXE-scape through the front door: circumventing the firewall with HTTP request smuggling

In this writeup, @honoki shows how he leveraged a low-impact HTTP request smuggling vulnerability to bypass a firewall and fully exploit an XXE found in a file upload functionality. Each bug taken separately had limited impact: the request smuggling bug only affected port 80, so only plain HTTP requests could be poisoned. The XXE could be exploited to exfiltrate data via DNS, but only non-sensitive data. And outbound HTTP requests were blocked by the firewall, except for a few whitelisted domains. By finding a domain that was both whitelisted and vulnerable to HTTP request smuggling, it was possible to chain the two bugs and exfiltrate sensitive data.

3. Podcast of the week

The Bug Bounty Podcast – Episode #3 ft. NahamSec

Yes, it is back! One of my favorite podcasts, with @Regala_ interviewing @NahamSec. They discuss many topics like @NahamSec’s motivation for streaming, why he finds it harder to do bug bounty as someone who works for a bug bounty platform, how he makes most of his money, mass recon, doing deep work, the power of long-term collaboration, etc. This episode is an excellent way to spend an hour and a half!

4. Tool of the week

Progress Tracker

Remember Scope Monitor, the Burp extension for keeping track of tested endpoints? Its author, @Regala_, discontinued it and started using Progress Tracker by @dariusztytko instead. This new extension offers interesting functionality: you can capture requests, exclude specific extensions and status codes, associate each request with tags and one of 6 different statuses (Ignored, Done, In progress…), etc.

5. Video of the week

@infosec_rohk Talks About Hacking Uber, Working at Synack, and His 120 Reports in 120 Challenge

Great interview of @rohk_infosec. He talks about how he accidentally got into bug bounty, how he taught himself hacking, how he chooses which bugs to focus on, his experience from Computer Science student to bug hunter, to triager, to senior application security engineer, the top 3 things he wished he knew when he started out, and much more.

I loved hearing about the 4-month bug hunting challenge (120 bugs reported in 120 days) he did while holding a full-time job, and more importantly the steps he took to deal with stress and burnout despite a crazy schedule.

Other amazing things we stumbled upon this week


Tools

If you don’t have time

  • Dangerzone & Introduction: Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF

  • Catffuf: Alias and function for ffuf to get a cooler output


Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/13/2020 to 03/20/2020.
