By Anna Hammond
June 3, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 22 to 29 May.
@JobertAbma Talks about HackerOne, Entrepreneurship, Hacking, Bug Bounties and his recon approach!
@JobertAbma’s story is fascinating. As a hacker and entrepreneur myself, I hung on his every word during this deliciously long interview. He tells the backstory of HackerOne, how he started this successful business with @michielprins while being a student and still finding the time to hack, his hacking process, and much much more!
– Zero-day in Sign in with Apple (Apple, $100,000)
– My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft (Lyft)
Read the first writeup if you want to see what a $100,000 bug looks like. It is surprisingly easy to understand, at least, compared to what one might expect: “Sign in with Apple” had a flaw that allowed generating valid JWTs for any Email ID. This resulted in account takeover on any app using Apple’s sign-in functionality.
The second writeup’s video is nice to watch if you need inspiration for hacking. The bug is an SSRF affecting the WeasyPrint PDF generator. @NahamSec talked about it before, but it’s lots of fun to watch hackers hacking Lyft while taking Lyft rides!
RandoriSec Mobile Hacking Workshop – iOS & Android
@RandoriSec have a track record of sharing awesome mobile hacking resources. This time, they released slides and material used for BSides Budapest 2020 workshops. This includes intentionally vulnerable apps for practicing, and slides providing theory and steps to solve the challenges.
An excellent opportunity to get into mobile hacking!
Android app vulnerability classes
This is a valuable resource for anyone interested in Android app hacking or in the Google bug bounty program. The document provides an overview of the program’s 19 most commonly reported vulnerabilities, with auditing and remediation tips.
Because this is about bug bounty, the bugs described are the type that will earn you bounties, not just good security practices or low-impact bugs. So, definitely worth a read!
My self-help guide to making sense of a confusing world
How can one avoid being deceived by fake news and disinformation campaigns? This is a question @halvarflake asked himself. His answer comes in the form of a long article detailing 7 habits he came up with to regularly examine his own beliefs.
This piece might seem too theoretical but actually provides an excellent framework for critical thinking and practicing self-critique, which is essential in these turbulent times.
BOUNTY THURSDAYS – Reconless, Axiom, DNSObserver, GF-Patterns, Pimp my terminal
Bug bounty 101: writing a good report with Intigriti tips from community and triage team
Live RECON ft. Neoshaman & neoshaman1105/bug-hunting-toolkit
What is the dark web? Your questions answered, in plain English
Risky Business #585 — UK mulls Huawei ban, NGOs urge COVID-19 hack de-escalation
Layer 8 Podcast Episode 27: TrustedSec Social Engineers Ask Me Anything
The Many Hats Club Ep. 85, Time has no meaning anymore (with Stu and a lot of guests)
Naked Security Podcast S2 Ep 41: Super-sized ransomware, FBI v Apple and AirPods hot or not
SWN #37 – Rogue Drones, Sarwent Malware, Microsoft MFA Attack
Who’s Your Hacker – Episode 8 Breaking Into Your Building: A Hackers Guide to Unauthorized Access
SANS webinars
How to Hide Secrets in Strings— Modern Text hiding in JavaScript
Introducing Proxy Helper – A New WiFi Pineapple Module & Proxy Helper
Hijacking Library Functions and Injecting Code Using the Dynamic Linker
StrandHogg 2.0 – The ‘evil twin’ #Android
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882) #MacOS
Moodle DOM Stored XSS to RCE #Web #RCE
Abusing PackageKit on Fedora/CentOS for fun & profit (from wheel to root). #Linux
Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently #MacOS #PrivEsc
IDOR in session cookie leading to Mass Account Takeover ($2,000)
Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request (HackerOne, $500)
[Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator (U.S. Dept Of Defense)
Pixel flood attack cause the javascript heap out of memory (Node.js third-party modules)
See more writeups on The list of bug bounty writeups.
BurpIntruderDownloader/extract.py & Extracting files from Burp Intruder Output
DNSObserver & Intro: A handy DNS service written in Go to aid in the detection of several types of blind vulnerabilities. It monitors a pentester’s server for out-of-band DNS interactions and sends lookup notifications via Slack.
httpx: A fast and multi-purpose HTTP toolkit that allows running multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.
Elevate: Vertical Domain Discovery
Needle: Instant access to your bug bounty submission dashboard on various platforms + publicly disclosed reports + #bugbountytip
Ligolo: Reverse Tunneling made easy for pentesters, by pentesters
EXCELntDonut: XLM (Excel 4.0) Macro Generator for Phishing Campaigns
Cillian-Collins/subscraper: Recon tool which scans JavaScript files for subdomains & then iterates over all JS files hosted on subsequent subdomains to enumerate a list of subdomains for a given URL
ParamCleaner: Removes duplicate entries from a file, resulting in only unique parameter combinations. Useful for parsing waybackurls and making recon more effective
CorsMe: Cross Origin Resource Sharing MisConfiguration Scanner
Kalu: Keeping ArchLinux Up-to-date
RepoPeek: Python script to get details about a repository without cloning it
Kubetap: Kubectl plugin to interactively proxy Kubernetes Services with ease
Waybackcollector & How it differs from existing tools like Waybackurls & GAU: Fetch wayback machine historical content for a given url
imran-parray/paramReplacer.py: Python script which replaces the parameter values in target URLs with your desired input, for fuzzing & mass testing
S3BucketList: Firefox plugin that lists Amazon S3 Buckets found in requests
go-windapsearch: Utility to enumerate users, groups and computers from a Windows domain through LDAP queries
apkLeaks: Scanning APK file for URIs, endpoints & secrets
Bust-a-Kube: An intentionally-vulnerable Kubernetes cluster
DefCon CTF Quals – uploooadit challenge, Walkthrough video & Written walkthrough
Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution & RMIScout
Bringing VandaTheGod down to Earth: Exposing the person behind a 7-year hacktivism campaign #OSINT
Being Stubborn Pays Off pt. 1 – CVE-2018-19204 & pt. 2 – Tale of two 0days on PRTG Network Monitor
DNS Rebinding: Stealing WiFi credentials through your solar panel inverter
Google launches CTF-style bug bounty challenge for Kubernetes
Bug Bounty 101: How to Choose Your First Bug Bounty Target and Stay Motivated: June 15
The Journey in Data: HackerOne Hits 100 Million Dollars in Bounties
Python and Go Top the Chart of 2019’s Most Popular Hacking Tools
Analysing over 1M leaked passwords from the UK’s biggest companies
Google TAG’s updates about government-backed hacking and disinformation
Android ‘StrandHogg 2.0’ flaw lets malware assume identity of any app
LadderLeak: Side-channel security flaws exploited to break ECDSA cryptography
How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release
GitHub warns Java developers of new malware poisoning NetBeans projects
Discord client turned into a password stealer by updated malware
Thousands of enterprise systems infected by new Blue Mockingbird malware gang
Russian cyberspies use Gmail to control updated ComRAT malware
Qihoo & Baidu disrupt malware botnet with hundreds of thousands of victims
RATicate drops info stealing malware and RATs on industrial targets
Voter info for millions of Indonesians shared on hacker forum
Shodan founder John Matherly on IoT security, dual-purpose hacking tools, and information overload
New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and FreeBSD
Twitter places public interest notice on President Trump’s tweet
Vigilante hackers target ‘scammers’ with ransomware, DDoS attacks
Contact-tracing app may become a permanent fixture in major Chinese city
Phone Number Privacy? We don’t do that here: Google Hangout Call!
Series by 4 social engineers on their first on-site social engineering engagement: 1, 2, 3 & 4
Why OPSEC Is For Everyone, Not Just For People With Something To Hide – Part III
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/22/2020 to 05/29/2020.