Bug Bytes #73 – Hacking JWTs for $100k on Apple, @JobertAbma’s founder stories & Chaining bugs for fun and profit

By Anna Hammond

June 3, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 22 to 29 of May.

Our favorite 5 hacking items

1. Video of the week

@JobertAbma Talks about HackerOne, Entrepreneurship, Hacking, Bug Bounties and his recon approach!

@JobertAbma’s story is fascinating. As a hacker and entrepreneur myself, I hung on his every word during this deliciously long interview. He tells the backstory of HackerOne, how he started this successful business with @michielprins while being a student and still finding the time to hack, his hacking process, and much much more!

2. Writeups of the week

Zero-day in Sign in with Apple (Apple, $100,000)

My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft (Lyft)

Read the first writeup if you want to see what a $100,000 bug looks like. It’s surprisingly simpler (to understand, at least) than one might expect: “Sign in with Apple” had a flaw that allowed generating valid JWTs for any Email ID. This resulted in account takeover on any app using Apple’s sign-in functionality.

The second writeup’s video is nice to watch if you need inspiration for hacking. The bug is an SSRF affecting the WeasyPrint PDF generator. @NahamSec talked about it before, but it’s lots of fun to watch hackers hacking Lyft while taking Lyft rides!

3. Resource of the week

RandoriSec Mobile Hacking Workshop – iOS & Android

@RandoriSec have a track record of sharing awesome mobile hacking resources. This time, they released slides and material used for BSides Budapest 2020 workshops. This includes intentionally vulnerable apps for practicing, and slides providing theory and steps to solve the challenges.

An excellent opportunity to get into mobile hacking!

4. Slides of the week

Android app vulnerability classes

This is a valuable resource for anyone interested in Android app hacking or in the Google bug bounty program. The document provides an overview of the program’s 19 most commonly reported vulnerabilities, with auditing and remediation tips.

Because this is about bug bounty, the bugs described are the type that will earn you bounties, not just good security practices or low-impact bugs. So, definitely worth a read!

5. Non technical item of the week

My self-help guide to making sense of a confusing world

How can one avoid being deceived by fake news and disinformation campaigns? This is a question @halvarflake asked himself. His answer comes in the form of a long article detailing 7 habits he came up with to regularly examine his own beliefs.

This piece might seem too theoretical but actually provides an excellent framework for critical thinking and practicing self-critique, which is essential in these turbulent times.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • BurpIntruderDownloader/extract.py & Extracting files from Burp Intruder Output

  • DNSObserver & Intro: A handy DNS service written in Go to aid in the detection of several types of blind vulnerabilities. It monitors a pentester’s server for out-of-band DNS interactions and sends lookup notifications via Slack

  • httpx: A fast and multi-purpose HTTP toolkit that can run multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads

More tools, if you have time

  • Elevate: Vertical Domain Discovery

  • Needle: Instant access to your bug bounty submission dashboard on various platforms + publicly disclosed reports + #bugbountytip

  • Ligolo: Reverse Tunneling made easy for pentesters, by pentesters

  • EXCELntDonut: XLM (Excel 4.0) Macro Generator for Phishing Campaigns

  • Cillian-Collins/subscraper: Recon tool which scans JavaScript files for subdomains & then iterates over all JS files hosted on subsequent subdomains to enumerate a list of subdomains for a given URL

  • ParamCleaner: Removes duplicate entries from a file, resulting in only unique parameter combinations. Useful for parsing waybackurls and making recon more effective

  • CorsMe: Cross Origin Resource Sharing MisConfiguration Scanner

  • Kalu: Keeping ArchLinux Up-to-date

  • RepoPeek: Python script to get details about a repository without cloning it

  • Kubetap: Kubectl plugin to interactively proxy Kubernetes Services with ease

  • Waybackcollector & How it differs from existing tools like Waybackurls & GAU: Fetch Wayback Machine historical content for a given URL

  • imran-parray/paramReplacer.py: Python script which replaces the parameter values in target URLs with your desired input, for fuzzing & mass testing

  • S3BucketList: Firefox plugin that lists Amazon S3 Buckets found in requests

  • go-windapsearch: Utility to enumerate users, groups and computers from a Windows domain through LDAP queries

  • apkLeaks: Scans APK files for URIs, endpoints & secrets

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/22/2020 to 05/29/2020.