Bug Bytes #68 – Memory leaks in webapps, @samwcyo’s Rocket League chain & JavaScript for Hackers

By Intigriti

April 28, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 10 to 17 of April.

Intigriti news

Another public bug bounty program launched on Intigriti. Pays bounties up to €10.000!💰 Check it out here: https://go.intigriti.com/napoleongames


Our favorite 5 hacking items

1. Paper of the week

Uninitialized Memory Disclosures in Web Applications

This is an excellent paper on memory disclosure vulnerabilities in Web apps. The author focuses on bugs caused by image parsing errors, such as ImageTragick, but shows how to extrapolate the attacks to libraries other than ImageMagick.

If you want to take a deep dive into this kind of bug, this is a great opportunity. A lot of resources are provided, from tools for automated detection to a test environment, writeups, and external links on memory leaks.

2. Writeup of the week

Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts

What a great read! @samwcyo chained HTTP cache poisoning with an open redirect that leaks the victim’s OAuth token. He explains each bug separately, how to combine them for maximum impact, what he tried that didn’t work, and also how he approaches hacking video games as a Web app tester without mastering reverse engineering.

3. Videos of the week

Hacker101 – JavaScript for Hackers (Created by @STÖK)

Creating Wordlists for Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More!

@Ngalongc Talks About Hacking Uber, Airbnb and Shopify, SAML/OAuth Vulnerabilities, Recon, and More!

If you’re short on time, these 3 videos are what you need to check out from this whole newsletter. @tomnomnom shows how to analyze JavaScript and find bugs in the DOM using Chrome dev tools. @NahamSec shares how to create custom wordlists, and how to know which one you need to use. And @Ngalongc talks about his bug hunting journey, how he went from working in another industry with no security or developer background, to being a bug bounty millionaire, the type of bugs he focuses on, his recon process, etc.

4. Tutorial & tool of the week

Subdomain Enumeration: Filter Wildcard Domains

gwdomains

Detecting and filtering out wildcard subdomains is important during subdomain enumeration, to avoid wasting time on subdomains that don’t exist. @0xpatrik published a cool post on exactly that.

Gwdomains automates this process. But I’m not sure how it works exactly. It would be interesting to figure it out by reading the source code, and to compare it with @0xpatrik’s detection heuristic and all the cases he mentioned.

5. Resource of the week

Public Release of HTML5 attack and Defence course

This is a nice introductory course on HTML5 attacks. It’s a bit outdated but still a good resource to discover HTML5 technologies (CORS, DOM, Local Storage, Webworkers, Websockets, Iframe sandboxing…) and some of their common security issues.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on the list of bug bounty writeups.

Tools

  • Proxying HTTP2 Through Burp Suite

  • Docker Image Generator & Introduction: Customized docker images generation toolkit for infosec

  • Burp Extension Generator: Generate Burp Suite Extension projects the easy way

  • DalFox (Finder Of XSS): Parameter Analysis and XSS Scanning tool based on golang

  • OpenRedireX: A python Fuzzer for OpenRedirect issues

  • Pown LAU: A library and Pownjs tool for enlisting target web application URLs using several public databases (inspired by getallurls)

  • 2tearsinabucket: Go script to enumerate s3 buckets for a specific target

  • TitleXtractor: Go script for extracting the title tag from HTML pages

  • Linkedin Scraper: A fully configurable Python tool to scrape anything within linkedin

  • ReverseIP.sh: Simple bash script for Reverse IP Lookup, using whoisxmlapi.com

  • Lazyhunter: A framework that provides a web UI to commonly used Bug Hunting/Pentesting tools

  • Socks Over RDP & Slides: A tool that creates a virtual channel over an RDP connection and spins up a SOCKS5 proxy that is tunnelled over the remote host, just like SSH’s -D switch

  • eLdap & Presentation: A Python tool that helps users searching and filtering queries in Ldap environment

  • PCredz & Introduction: Python script that extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Coronavirus

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/17/2020 to 04/24/2020.

Curated by Pentester Land & Sponsored by Intigriti
