Bug Bytes #74 – Testing for SSTI in Go, SSRF in Facebook and Kubernetes & PwnFox for a better Burp/Firefox experience

By Anna Hammond

June 10, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 29 of May to 05 of June.

Our favorite 5 hacking items

1. Article of the week

[SSTI] Breaking Go’s template engine to get XSS

This is some cool research that will come in handy if you want to test a server written in Go, especially for SSTI. Existing public payloads like {{7*7}} will not work. Thankfully, @0xtakemyhand dissected the documentation and came up with the right syntax and payloads for detecting and exploiting SSTI in Go.

2. Writeups of the week

How I made $31500 by submitting a bug to Facebook & Additional info on the payout (Facebook, $31,500)

When it’s not only about a Kubernetes CVE… (Microsoft, +$40,000)

SSRF is all the rage. These are two detailed writeups of SSRF vulnerabilities found on Facebook and Kubernetes.

They’re worth reading with attention considering the hardened targets, the impressive bounties, the quality of the writeups that include a lot of details on detection, exploitation, and increasing impact.

3. Tools of the week

PwnFox

Hardcodes

PwnFox is THE browser extension I was waiting for. It is similar to Autochrome but for Firefox. The feature I like the most is that when you use Firefox containers, PwnFox can automatically color Burp requests depending on the corresponding container. So helpful for authorization tests! Other cool features are a PostMessage logger, a checkbox to enable/disable Burp proxy, the ability to remove security headers…

Hardcodes is @s0md3v’s latest tool. It extracts hardcoded strings from source code, and can handle any syntax and 20+ languages. It can be used as a library or a CLI program, and returns less noise than existing search tools (like grep or strings). So, it is useful for extracting hardcoded credentials from mobile apps, secrets and endpoints from Github code, etc.

4. Video of the week

@irsdl Talks About Value Behind Certificates, Pentesting vs Bug Bounty, Deserialization and more!

@irsdl / Soroush Dalili’s blog posts are regularly listed in this newsletter. I associate his name with good research, numerous responsible disclosures, and with deserialization bugs in particular. This is an excellent interview where we can get to know the man behind the bugs, his unique journey as a hacker that started way back in 2003, his views on work-life balance, etc. I really appreciate the candor and humility with which he shares his experience and advice.

5. Tutorial of the week

Hacking a GWT application from scratch, Companion blog post & GWTab

This tutorial will be very helpful if you come across Google Web Toolkit requests. It explains what GWT is, how to analyze the requests, how to detect vulnerabilities like IDOR, with a new tool to make the process easier.

Maybe you’ve already seen GWT requests, they look like this: 7|0|8|http://127.0.0.1:8888/helloworld/|0AA7A0C25ADF167CC648926141094922|com.example.test.client.GreetingService|....

GWT is an old technology that may not be often encountered, but I think it worth knowing because it is not dead. Google released an update just a month ago and, at the time of writing this, 41,993 websites are using it.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Shodanfy.py: Get ports,vulnerabilities,informations,banners,..etc for any IP with Shodan (no apikey & no rate-limit)

  • Cf-check: Check an IP is Owned by Cloudflare

More tools, if you have time

  • wwwordlist: Python tool to generate a wordlist from either text or the links in HTML

  • GitMonitor: A Github scanning system to look for leaked sensitive information based on rules

  • ssrf-finder: Pass list of urls with FUZZ in and it will check if it has found a potential SSRF

  • Jecretz: Jira Secret Hunter – Helps you find credentials and sensitive contents in Jira tickets

  • Urldedupe: Pass in a list of URLs with query strings, get back a unique list of URLs and query string combinations

  • AWS_Loot: Pull secrets from an AWS environment by searching for high entropy values, useful for post-exploitation

  • Burp-samesite-reporter: Burp extension that passively reports various SameSite flags

  • URLProbe: Urls status code & content length checker in Go

  • TeaBreak & Intro: A productivity Burp extension which reminds to take break while you are at work!

  • Njsscan: A SAST tool that can find insecure code patterns in node.js apps using simple pattern matcher from libsast & semgrep

  • O365enum: Office 365 User Enumeration Reloaded

  • Go-gtfo: GTFO, now with the speed of Golang

  • Enumy: Linux post exploitation privilege escalation enumeration

  • ADCollector: A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending

Misc. pentest & bug bounty resources

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/29/2020 to 06/05/2020.

You may also like