By Anna Hammond
June 10, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 29 May to 5 June.
[SSTI] Breaking Go’s template engine to get XSS
This is some cool research that will come in handy if you want to test a server written in Go, especially for SSTI. Existing public payloads like {{7*7}} will not work, because Go's template language has no arithmetic operators: an action is a pipeline of field lookups, method calls and registered functions, so `{{7*7}}` is a parse error rather than `49`. Thankfully, @0xtakemyhand dissected the documentation and came up with the right syntax and payloads for detecting and exploiting SSTI in Go.
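The following is an added example, not code from the page or from the linked research. It shows the injection point Go SSTI needs (attacker input parsed as the template itself, via `text/template`), why `{{7*7}}` fails while function-call and field-lookup payloads succeed, and the fixed-template form that is not injectable. The `User` type, its `Email` method and the sample values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// User stands in for whatever object a real handler passes to Execute.
// Constructed example type; the page describes no such struct.
type User struct {
	Name   string
	secret string // unexported: {{.secret}} is refused, but {{.}} still prints it via fmt
}

// Email is an exported method, so a template can invoke it as {{.Email}}.
func (u User) Email() string { return strings.ToLower(u.Name) + "@example.com" }

// sampleUser is constructed data for the demo.
var sampleUser = User{Name: "Alice", secret: "s3cr3t"}

// renderVulnerable is the SSTI anti-pattern: the attacker-controlled string is
// parsed as the template, so any action it contains is evaluated against data.
func renderVulnerable(userInput string, data interface{}) (string, error) {
	tmpl, err := template.New("page").Parse(userInput)
	if err != nil {
		return "", err // e.g. {{7*7}}: "unrecognized character in action"
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeTmpl is fixed at build time; user input only ever enters as data, so
// "{{.Name}}" typed by a user is rendered literally instead of evaluated.
var safeTmpl = template.Must(template.New("page").Parse("Hello {{.}}!"))

func renderSafe(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, userInput); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	payloads := []string{
		"{{7*7}}",            // parse error: no arithmetic in Go templates
		`{{print "7" "7"}}`,  // detection: quotes disappear, prints 77
		"{{.Name}}",          // exported field of the data object
		"{{.Email}}",         // exported method is called
		"{{.secret}}",        // unexported field: execution error
		"{{.}}",              // whole object, unexported fields included
	}
	for _, p := range payloads {
		out, err := renderVulnerable(p, sampleUser)
		fmt.Printf("%-20s -> %q  err=%v\n", p, out, err)
	}
	out, _ := renderSafe("{{.Name}}")
	fmt.Println("fixed template:", out)
}
```

The detection payload to remember is a function call such as `{{print "7" "7"}}` (output `77`, the quotes vanish) or a bare `{{.}}`, not an arithmetic expression. Note that `html/template` does not help here either: its contextual escaping protects data, not a template whose text the attacker controls.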
How I made $31500 by submitting a bug to Facebook & Additional info on the payout (Facebook, $31,500)
When it’s not only about a Kubernetes CVE… (Microsoft, +$40,000)
SSRF is all the rage. These are two detailed writeups of SSRF vulnerabilities found on Facebook and Kubernetes.
They're worth reading closely, given the hardened targets, the impressive bounties and the quality of the writeups, which include a lot of detail on detection, exploitation and increasing impact.
PwnFox is THE browser extension I was waiting for. It is similar to Autochrome but for Firefox. The feature I like the most is that when you use Firefox containers, PwnFox can automatically color Burp requests depending on the corresponding container. So helpful for authorization tests! Other cool features are a PostMessage logger, a checkbox to enable/disable Burp proxy, the ability to remove security headers…
Hardcodes is @s0md3v’s latest tool. It extracts hardcoded strings from source code, and can handle any syntax and 20+ languages. It can be used as a library or a CLI program, and returns less noise than existing search tools (like grep or strings). So, it is useful for extracting hardcoded credentials from mobile apps, secrets and endpoints from Github code, etc.
@irsdl Talks About Value Behind Certificates, Pentesting vs Bug Bounty, Deserialization and more!
@irsdl / Soroush Dalili’s blog posts are regularly listed in this newsletter. I associate his name with good research, numerous responsible disclosures, and with deserialization bugs in particular. This is an excellent interview where we can get to know the man behind the bugs, his unique journey as a hacker that started way back in 2003, his views on work-life balance, etc. I really appreciate the candor and humility with which he shares his experience and advice.
Hacking a GWT application from scratch, Companion blog post & GWTab
This tutorial will be very helpful if you come across Google Web Toolkit requests. It explains what GWT is, how to analyze the requests, how to detect vulnerabilities like IDOR, with a new tool to make the process easier.
Maybe you've already seen GWT requests; they look like this: 7|0|8|http://127.0.0.1:8888/helloworld/|0AA7A0C25ADF167CC648926141094922|com.example.test.client.GreetingService|...
GWT is an old technology that may not be encountered often, but I think it's worth knowing because it is not dead. Google released an update just a month ago and, at the time of writing this, 41,993 websites are using it.
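To make the pipe-delimited format above readable during testing, here is an added decoder for the GWT-RPC request body (example code, not from the page, the tutorial or the GWTab tool). It follows the wire layout: version | flags | string-table length | the strings | then 1-based references into that table for the module base URL, the serialization-policy strong name, the service interface, the method name, the parameter count and the parameter types, followed by the parameter values. Primitive parameters (JVM-style signatures such as `I` for int) travel as literals; string parameters are table references. The sample body and the `AccountService.getAccount` call are constructed for the demo, and the decoder assumes string and primitive parameters only (nested objects serialize as a type reference plus their fields and are not handled).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// GWTRequest is the decoded view of one GWT-RPC request body.
type GWTRequest struct {
	Version, Flags int
	Table          []string // string table; referenced 1-based on the wire
	BaseURL        string
	StrongName     string // hash selecting the <hash>.gwt.rpc serialization policy
	Service        string // remote service interface
	Method         string
	ParamTypes     []string
	ParamValues    []string // resolved strings, or literals for primitives
}

// primitiveSigs: JVM-style signatures whose values are sent as literals.
var primitiveSigs = map[string]bool{
	"Z": true, "B": true, "C": true, "S": true, "I": true, "J": true, "F": true, "D": true,
}

// sampleBody is a constructed request: getAccount(String user, int id).
// Table: 1=base URL 2=strong name 3=service 4=method 5=java.lang.String 6=I 7=alice
const sampleBody = "7|0|7|http://127.0.0.1:8888/app/|0AA7A0C25ADF167CC648926141094922|" +
	"com.example.test.client.AccountService|getAccount|java.lang.String|I|alice|" +
	"1|2|3|4|2|5|6|7|1337|"

// DecodeGWTRPC parses a GWT-RPC request body (simplified: string/primitive params).
func DecodeGWTRPC(body string) (*GWTRequest, error) {
	toks := strings.Split(strings.TrimSuffix(strings.TrimSpace(body), "|"), "|")
	if len(toks) < 3 {
		return nil, fmt.Errorf("gwt-rpc: body too short")
	}
	req := &GWTRequest{}
	var err error
	if req.Version, err = strconv.Atoi(toks[0]); err != nil {
		return nil, fmt.Errorf("gwt-rpc: bad version %q", toks[0])
	}
	if req.Flags, err = strconv.Atoi(toks[1]); err != nil {
		return nil, fmt.Errorf("gwt-rpc: bad flags %q", toks[1])
	}
	n, err := strconv.Atoi(toks[2])
	if err != nil || n < 0 || len(toks) < 3+n {
		return nil, fmt.Errorf("gwt-rpc: bad string-table length %q", toks[2])
	}
	req.Table = toks[3 : 3+n]
	refs := toks[3+n:]

	// ref resolves a 1-based table index; 0 encodes null.
	ref := func(tok string) (string, error) {
		i, err := strconv.Atoi(tok)
		if err != nil || i < 0 || i > n {
			return "", fmt.Errorf("gwt-rpc: bad string reference %q", tok)
		}
		if i == 0 {
			return "", nil
		}
		return req.Table[i-1], nil
	}

	if len(refs) < 5 {
		return nil, fmt.Errorf("gwt-rpc: missing call header")
	}
	header := []*string{&req.BaseURL, &req.StrongName, &req.Service, &req.Method}
	for i, dst := range header {
		if *dst, err = ref(refs[i]); err != nil {
			return nil, err
		}
	}
	np, err := strconv.Atoi(refs[4])
	if err != nil || np < 0 || len(refs) < 5+np {
		return nil, fmt.Errorf("gwt-rpc: bad parameter count %q", refs[4])
	}
	for _, t := range refs[5 : 5+np] {
		s, err := ref(t)
		if err != nil {
			return nil, err
		}
		req.ParamTypes = append(req.ParamTypes, s)
	}
	vals := refs[5+np:]
	for i, t := range req.ParamTypes {
		if i >= len(vals) {
			return nil, fmt.Errorf("gwt-rpc: missing value for parameter %d", i)
		}
		if primitiveSigs[t] { // literal, e.g. the int id an IDOR test would tamper with
			req.ParamValues = append(req.ParamValues, vals[i])
			continue
		}
		s, err := ref(vals[i]) // string parameter: table reference
		if err != nil {
			return nil, err
		}
		req.ParamValues = append(req.ParamValues, s)
	}
	return req, nil
}

func main() {
	req, err := DecodeGWTRPC(sampleBody)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s.%s(", req.Service, req.Method)
	for i := range req.ParamTypes {
		fmt.Printf("%s=%q ", req.ParamTypes[i], req.ParamValues[i])
	}
	fmt.Printf(") policy=%s\n", req.StrongName)
}
```

Once the call is decoded this way, an IDOR test is just re-sending the body with the literal `1337` replaced by another account's id; the string table and the strong name stay unchanged, which is why tampering with GWT requests in a proxy is easier than the raw format suggests.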
Bounty Thursdays – CHAOS, HTTPX, XSS challenge, H1-2006 CTF, DNSCEWL, NAHAMCON and much more.
Hacking a GWT application from scratch #bugbounty #hacking #pentest & Companion blog post
Bug Bounty Queries: stealth scan, why reverse Whois, finding webservers and much more (+Thebinarybot)
Hack for Fun and Profit – Bug bounty tools for beginners: Recon and subdomain enumeration & Bug bounty tools from enumeration to reporting
Naked Security podcast – S2 Ep42: Apple auth attack, Octopus Scanner, Escobar escapades
The Many Hats Club Ep. 54, Web is all around (with Sean Wright)
The Many Hats Club Ep. 62, From Hacker to CISO and beyond (with Mike Koss)
SWN #40 – Wrap Up – Anonymous Returns, Deep Fakes, & IP in IP Vulns
PSW #654 – Root Cert Chaos, Octopus Scanner, & RobbinHood & the Merry Men
Guide to Harnessing the Power of 360 Virtual Tours for Everyday Investigations.
Offense and Defense – A Tale of Two Sides: (Windows) OS Credential Dumping
Pwn2Win 2020 Challenges, Solutions for Watchers & Scriptless
Full infrastructure takeover of VMware Cloud Director (CVE-2020-3956) #Web
Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution
CVE-2019-16384, 85: Cyblesoft Thinfinity VirtualUI – Path Traversal, HTTP Header Injection #Web
Smart Phishing using Ticket Feature of a Customer Support Software #Web
Pwn2Own or Not2Pwn, Part 2.5: A brief tale of free 0days #Windows #.NET
When it’s not only about a Kubernetes CVE… (Microsoft, +$40,000)
Another image removal vulnerability on Facebook (Facebook, $10,000)
Hunting on ASPX Application For P1's [Unauthenticated SOAP, RCE, Info Disclosure]
Privilege Escalation in Google Cloud Platform’s OS Login (Google)
Information disclosure and reflected XSS on Tokopedia (Tokopedia)
Analysis of CVE-2020-13693 (WordPress)
Unauthorized access to metadata of undisclosed reports that were retested (HackerOne, $2,500)
Code injection possible with malformed Nextcloud Talk chat commands (Nextcloud, $3,000)
See more writeups on The list of bug bounty writeups.
Shodanfy.py: Get ports, vulnerabilities, information, banners, etc. for any IP with Shodan (no API key & no rate limit)
Cf-check: Check an IP is Owned by Cloudflare
wwwordlist: Python tool to generate a wordlist from either text or the links in HTML
GitMonitor: A Github scanning system to look for leaked sensitive information based on rules
ssrf-finder: Pass list of urls with FUZZ in and it will check if it has found a potential SSRF
Jecretz: Jira Secret Hunter – Helps you find credentials and sensitive contents in Jira tickets
Urldedupe: Pass in a list of URLs with query strings, get back a unique list of URLs and query string combinations
AWS_Loot: Pull secrets from an AWS environment by searching for high entropy values, useful for post-exploitation
Burp-samesite-reporter: Burp extension that passively reports various SameSite flags
URLProbe: Urls status code & content length checker in Go
TeaBreak & Intro: A productivity Burp extension which reminds to take break while you are at work!
Njsscan: A SAST tool that can find insecure code patterns in node.js apps using simple pattern matcher from libsast & semgrep
O365enum: Office 365 User Enumeration Reloaded
Go-gtfo: GTFO, now with the speed of Golang
Enumy: Linux post exploitation privilege escalation enumeration
ADCollector: A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending
List of all links in Web Application Hacking Techniques since 2006
Hacktory (30-day free trial) & Beginner tutorials
Linux Privilege Escalation Cheatsheet for OSCP & Windows Privilege Escalation Cheatsheet for OSCP
From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path
Common Insecure Practices with Configuring and Extending Salesforce
Chimichurri Reloaded – Giving a Second Life to a 10-year old Windows Vulnerability
NahamCon 2020 & CTF: June 13
Microsoft throws weight behind machine learning hacking competition
A PortSwigger impossible lab was solved by @shafigullin & @lbherrera_
Rendering non-printing characters in the Burp Suite message editor (June 2020 feature release) (Video)
Psychology of Passwords – The Online Behavior That’s Putting You at Risk
Cloud security: ‘Suspicious superhumans’ behind rise in attacks on online services
Veracode’s Open Source Security Report Finds Library-Induced Flaws in 70% of Applications
Haveibeenpwned.com pwned our helpdesk! GLPI 9.4.5 SQL Injection
Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit
VMware Cloud Director vulnerability allowed for full cloud infrastructure takeover
Google’s indexing of WhatsApp numbers raises privacy concerns
New cold boot attack affects seven years of LG Android smartphones
Linus Torvalds rejects ‘beyond stupid’ AWS-made Linux patch for Intel CPU Snoop attack
USBCulprit malware targets air-gapped systems to steal govt info
This new ransomware is targeting Windows and Linux PCs with a ‘unique’ attack
REvil ransomware creates eBay-like auction site for stolen data
Google: Chinese and Iranian hackers targeted Biden and Trump campaign staffers
Hackers tried to steal database logins from 1.3M WordPress sites
Cloudflare tracks massive spike in cyber-attacks as protests rage against George Floyd death
Clearview AI facial recognition sued again – this time by ACLU
FIRST updates guidelines for multi-party vulnerability disclosure
Analysing the (Alleged) Minneapolis Police Department “Hack”
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/29/2020 to 06/05/2020.