By Anna Hammond
June 24, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 12 to 19 June.
Seltzer is a Bash script and Burp extension by Coalfire that make it really easy to use Burp 2.0’s REST API. With a simple command, you can start Burp in headless mode, scan a target, monitor the progress, export results and save the Burp project file.
This may be the fastest way to start playing with Burp’s REST API!
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers (Google & Mozilla, $30,000)
How I made more than $30K with Jolokia CVEs ($33,500)
Hacking Starbucks and Accessing Nearly 100 Million Customer Records (Starbucks, $4,000)
One Token to leak them all: The story of a $8000 NPM_TOKEN & Video (Google, $8,000)
SMTP Injection in Gsuite (Google, $3,133.7)
I know… How can there be 5 writeups of the week, right? Actually, these are all incredible findings worth reading about. In a nutshell:
@securitymb presents new research on copy-pasting issues in browsers, WYSIWYG editors & websites. In total, 9 bugs including universal XSS, mutation XSS & CSS data exfiltration.
@itsecurityguard shares how he leveraged existing Jolokia CVEs to make it rain bounties. The writeup is particularly interesting if you want to learn about setting up a test environment and applying existing research to bug bounty.
@samwcyo tells in great detail how he accidentally found a path traversal bug on Starbucks. Not only does he share the final payload, but the whole thought process: how he identified a suspicious request, the questions he asked himself at each step, indicators of vulnerability, payloads tested…
@AseemShrey writes about a well-hidden NPM token found by analyzing JavaScript code. An excellent read if you want to learn about JS analysis.
Zohar Shachar explains how he found an SMTP injection in Google and could spoof any email address! Impressive; the bounty seems surprisingly low considering the impact and the target.
Interview with @Th3G3nt3lman || Recon, Methodology, Learning etc.
@farah_hawa01 looks like a rising bug hunter and Youtuber. I love her style: concise, straight to the point and professional. This video in particular features @Th3G3nt3lman. Watch it if you want to hear about his no BS approach to recon and efficient bug hunting.
“I’m claiming if they had just started immediately, with anything, even the first shittiest tutorial that shows up as the first result on Youtube, they would now be closer to their goal than after they made that plan”
I was about to dismiss this video, thinking it was about game development… But watched it anyway because @LiveOverflow has a knack for making any topic interesting.
I’m glad I did! Around the 15 min mark, he mentions his secret for learning anything: just pick up any resource (“even the shittiest”) and start there. Don’t overthink it, don’t make sophisticated plans. Then follow it up with another resource by researching the words you didn’t understand.
It might not work for everyone, but this is definitely something I needed to hear. I generally tend to spend too much time planning and then lack the time to actually execute the plan! This learning approach works better when time is short.
Building a Discord Bot for ChatOps, Pentesting or Server Automation, Part 2 & Part 3
This is an interesting idea: A Discord bot that allows you to run any command on a remote server. Writing `!exec ls` in Discord would execute `ls` on the server, and display the results in Discord.
Between this and the ability to run tools that send Discord notifications when new results are found, everything can be done from a phone… Recon on the move, movie-style!
BOUNTY THURSDAYS – All about them writeups and content creators.
INTERVIEW WITH @Th3G3nt3lman || RECON, METHODOLOGY, LEARNING ETC.
Web, Android and API hacking…all in ONE place! #bugbounty #hacking #pentest
Raspberry Pi Project: Kali Linux Tablet (Kali-Pad) The Ultimate Pentesting Device
Risky Business #588 — Catastrophic bugs to plague ICS for years
Huntr Podcast: How a 16 year old made it into top 100 on HackerOne
CallStranger, SMBleedingGhost, & Misconfigured Kubeflow – ASW #111
frida-boot 👢 – a binary instrumentation workshop, using Frida, for beginners & Workshop material
Bad As You Want To Be – Adversary Emulation Basics (Free registration required)
Webcast: Securing Active Directory: Performing Your Own AD Security Review
Introducing Axiom – The Dynamic Pwnstation Orchestrator for Red Team & Bug Bounty
Introduction to GKE Kubelet TLS Bootstrap Privilege Escalation
Building a Discord Bot for ChatOps, Pentesting or Server Automation, Part 2 & Part 3
Just another Recon Guide for Pentesters and Bug Bounty Hunters
How to Deal with FlutterApp Penetration Testing (Another Way to Bypass SSL Pinning)
SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE #SMB #RCE
Cisco WebEx Memory for the Taking: CVE-2020-3347 #Windows #MemoryLeak
Composr CMS Remote Code Execution #PHP #Deserialization #Web
Pulse Secure Client for Windows <9.1.6 TOCTOU Privilege Escalation (CVE-2020-13162) #PrivEsc #VPN
A Click from the Backyard | Analysis of CVE-2020-9332, a Vulnerable USB Redirection Software #USB
MZ-20-03 – New security advisory regarding vulnerabilities in .Net #.NET #Windows
Security Advisories: D-Link DSL-2640B #Router #Web
SSD Advisory – Mimosa Routers Privilege Escalation and Authentication bypass #PrivEsc #CodeReview #Python
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption #CodeReview #C++ #MemoryBugs
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability #Web
A subtle stored-XSS in WordPress core (WordPress)
GHSL-2020-099: mXSS vulnerability in AngularJS (GitHub Security Lab)
SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution (QIWI, $5,500)
Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation “Delete” (QIWI, $1,000)
SSRF – Guard – Unchecked HKP servers (Open-Xchange, $400)
Rack parses encoded cookie names allowing an attacker to send malicious __Host- and __Secure- prefixed cookies (Ruby on Rails)
See more writeups on The list of bug bounty writeups.
Smuggler: An HTTP Request Smuggling / Desync testing tool written in Python 3
Tsunami & Intro: Google’s general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence
gDork: A Mozilla Firefox extension which allows quick access to your google-dorking result
Whoareyou: A tool to find the underlying technology/software used in a list of websites passed through stdin (using Wappalyzer dataset)
Redirector: Redirects any request with which ever http status code you want to a location of your choice (useful for SSRF exploitation)
PatchChecker & Online version: Web-based check for Windows privesc vulnerabilities
SearchOutlook: A C# tool to search through a running instance of Outlook for keywords
Get All Links – [gal]: Get all the links for target websites using href / src / url / etc.
Nipe: An engine to make Tor network your default gateway
WebTLSProfiler & Intro: Web interface for the TLS Profiler Python package
Azure/container-scan: A GitHub action to help you scan your docker image for vulnerabilities
YAA: An Obscure MacOS Compressed File Format: Includes steps to create an Eicar YAA archive
Exfiltrating User’s Private Data Using Google Analytics to Bypass CSP & Reddit discussion
Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers
CVE-2020-1181: SharePoint Remote Code Execution Through Web Parts
Passive host OS fingerprinting from an USB device during enumeration (Summary by MaMe82)
Ripple20 vulnerabilities will haunt the IoT landscape for years to come
How Hackers Use An Ordinary Light Bulb To Spy On Conversations 80 Feet Away
Bug in ‘USB for Remote Desktop’ lets hackers add fake devices
DTA fixed COVIDSafe Bluetooth vulnerability 21 days after it was notified
Old GTP protocol vulnerabilities will also impact future 5G networks
Cisco fixes severe flaws in Webex Meetings for Windows, macOS & New Cisco Webex Meetings flaw lets attackers steal auth tokens
Netgear Zero-Day Allows Full Takeover of Dozens of Router Models
SSB-Server vulnerability reveals contents of private messages
South African bank to replace 12m cards after employees stole master key
AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
Attackers impersonate secure messaging site to steal bitcoins
Extortionists threaten to destroy sites in fake ransom attacks
Security surprise: Four zero-days spotted in attacks on researchers’ fake networks
Hackers use Google Analytics to steal credit cards, bypass CSP
CoinMiner exploits Apple APSDaemon vulnerability to evade detection
eBay staff charged with cyberstalking, sending fetal pig and spiders
Masked arsonist might’ve gotten away with it if she hadn’t left Etsy review
Theft of CIA’s ‘Vault 7’ Secrets Tied to ‘Woefully Lax’ Security
Amnesty calls out countries with ‘most dangerous’ contact tracing apps
Intel will soon bake anti-malware defenses directly into its CPUs
Adversarial attacks against machine learning systems – everything you need to know
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/12/2020 to 06/19/2020.