Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 12 to 19 of June.
Seltzer & Intro
Seltzer is a Bash script and Burp extensions by Coalfire, that make it really easy to user Burp 2.0’s REST API. With a simple command, you can start Burp in headless mode, scan a target, monitor the progress, export results and save the Burp project file.
This may be the fastest way to start playing with Burp’s REST API!
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers (Google & Mozilla, $30,000)
How I made more than $30K with Jolokia CVEs ($33,500)
Hacking Starbucks and Accessing Nearly 100 Million Customer Records (Starbucks, $4,000)
One Token to leak them all : The story of a $8000 NPM_TOKEN & Video (Google, $8,000)
SMTP Injection in Gsuite (Google, $3,133.7)
I know… How can there be 5 writeups of the week, right? Actually, these are all incredible findings worth reading about. In a nutshell:
@securitymb presents new research on copy-pasting issues in browsers, WYSIWYG editors & websites. In total, 9 bugs including universal XSS, mutation XSS & CSS data exfiltration.
@itsecurityguard shares how he leveraged existing Jolokia CVEs to make it rain bounties. The writeup is particularly interesting if you want to learn about setting up a test environment and applying exting research to bug bounty.
@samwcyo tells in great details how he accidentally found a path traversal bug on Starbucks. Not only does he share the final payload, but the whole thought process: How he identified a suspicious request, questions he asked himself at each step, indicators of vulnerability, payloads tested…
@AseemShrey writes about a well-hidden NPM token found by analyzing JavaScript code. An excellent read if you want to learn about JS analysis.
Zohar Shachar explains how he found an SMTP injection in Google and could spoof any email address! Impressive, the bounty seems suprisingly low considering the impact and the target.
Interview with @Th3G3nt3lman || Recon, Methodology, Learning etc.
@farah_hawa01 looks like a rising bug hunter and Youtuber. I love her style: concise, straight to the point and professional. This video in particular features @Th3G3nt3lman. Watch it if you want to hear about his no BS approach to recon and efficient bug hunting.
“I’m claiming if they had just started immediately, with anything, even the first shittiest tutorial that shows up as the first result on Youtube, they would now be closer to their goal than after they made that plan”
From How To Learn Something New? – Game Devlog #1
I was about to dismiss this video, thinking it was about game development… But watched it anyway because @LiveOverflow has a knack for making any topic interesting.
I’m glad I did! Around the 15 min mark, he mentions his secret for learning anything: Just pick up any resource (“even the shittiest”) and start there. Don’t overthink it, don’t make sophisticated plans. Then, follow it up with another resource by reserching words you didn’t understand.
It might not work for everyone, but this is definitely something I needed to hear. I generally tend to spend too much time planning, then lacking the time to actually execute the plan! This learning approach works better when time is lacking.
Building a Discord Bot for ChatOps, Pentesting or Server Automation, Part 2 & Part 3
This is an interesting idea: A Discord bot that allows you to run any command on a remote server. Writing `!exec ls` in Discord would execute `ls` on the server, and display the results in Discord.
Between this and the ability to run tools that send Discord notifications when new results are found, everything can be done from a phone… Recon on the move, movie-style!
See more writeups on The list of bug bounty writeups.
Smuggler: An HTTP Request Smuggling / Desync testing tool written in Python 3
Tsunami & Intro: Google’s general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence
gDork: A Mozilla Firefox extension which allows quick access to your google-dorking result
Whoareyou: A tool to find the underlying technology/software used in a list of websites passed through stdin (using Wappalyzer dataset)
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/12/2020 to 06/19/2020.
