By Anna Hammond
July 1, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 19 to June 26.
JS frameworks which simulate events and can turn an XSS that requires user-interaction into an XSS that doesn’t 🙂 & Demo
This is crazy. @freddyb had the idea to leverage events simulation in JavaScript frameworks, to bypass the user interaction required to exploit some XSS vulnerabilities. In other words, the XSS is triggered by simulating user actions instead of waiting for victims to actually perform the corresponding actions themselves.
This technique also works for hidden inputs. Time to revisit any old unexploitable XSS!
Exploiting Bitdefender Antivirus: RCE from any website
Simple story of some complicated XSS on Facebook
The first writeup by @WPalant is a cool combination of antivirus exploitation and remote Web vulnerabilities. The gist is that Bitdefender handles HTTPS certificate errors itself (instead of delegating them to the browser), and leaks some sensitive tokens. Any website can read them and use them to start a session with the Safepay browser. RCE is then obtained by opening URLs like data:text/html,nada --utility-cmd-prefix="cmd.exe /k whoami & echo".
The second writeup is about two reflected XSS bugs found on Facebook. It reads like a fascinating investigation. @win3zz identified that MicroStrategy Web SDK was used, downloaded its source code, analyzed it, and transformed the bugs found into working exploits.
Pencode is a command line tool for creating complex encoding chains (e.g. urlencode(b64encode(hexencode(string)))). It can be used as a standalone tool or as a Go library. Handy for handling complex encoding in scripts!
@joohoi is also planning to add integration with ffuf.
Golang HandleFunc wordlist by @d0nutptr
@NahamSec & @_StaticFlow_’s 1stleveldomainsbycount
PWDB – New generation of Password Mass-Analysis
Crafting a custom wordlist for python-flask webservers
This week’s been all about wordlists!
@d0nutptr shared the most used HTTP endpoints, found by analyzing 500 popular Golang repositories. This inspired @r0bre to build a similar wordlist for python-flask webservers by analyzing GitHub repositories. He shares both the resulting wordlist and details of the whole process.
@NahamSec & @_StaticFlow_ shared a list of subdomains built by scanning ~200 million IPs from bug bounty targets.
And @ahakcil collected 100 million leaked credentials and published stats on what he found, as well as wordlists of the most common passwords.
This is a nice tutorial to bookmark. If you come across Thymeleaf, a Java template engine, you’ll know exactly how to test for SSTI, from detection payloads to real-world exploitation.
h1-2006 Virtual Live Hacking Event: Meet the Hackers who #HackForGood, Community Day – CTF, Kickoff, Recap & Closing Ceremonies
Modern Webapp Pentesting: How to Attack a JWT w BB King 1 Hour BHIS HEVC
Upload Scanner Burp extension: Level up your file upload hacking skills #bugbounty #upload #hacking
Risky Business #589 — Why Microsoft’s steep E5 license pricing is a national security risk
How to Prevent Account Takeover Attacks – John Chirhart – ASW #109
SANS webinars
Security BSides Athens 2020
BSides Greenville 2020 – Track #1, Track #2, Track #3, Track #4 & Schedule
All The Talks 2020 – Security & MyDevSecOps Virtual Sessions
External IP domain reconnaissance and attack surface visualization in under 2 minutes.
Hardcoded secrets, unverified tokens, and other common JWT mistakes
IoT hacking field notes #2: Using bind mounts to temporarily modify read-only files
EternalRed aka Sambacry without Metasploit & EternalBlue without Metasploit
Bypassing External Mail Forwarding Restrictions with Power Automate
Java Deserialization Exploitation With Customized Ysoserial Payloads
CVE-2020-8163: Partial Remote Code Execution #Web #Rails
CVE-2020-1170 – Microsoft Windows Defender Elevation of Privilege Vulnerability #PrivEsc #Windows
Zoom In: Emulating ‘Exploit Purchase’ in Simulated Targeted Attacks #PrivEsc #Windows
eLection 2.0 Authenticated Remote Code Execution Vulnerability #Web
DLL Hijacking at the Trend Micro Password Manager (CVE-2020-8469) #Windows #PrivEsc
Bypassing Digits origin validation which leads to account takeover (Twitter, $5,040)
Uploading large payload on domain instructions causes server-side DoS (HackerOne, $2,500)
Keybase client (Windows 10): Write files anywhere in userland using relative path in “download attachment” feature (Keybase, $5,000)
From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration ($500)
Chaining an IDOR with a business-logic error to achieve critical impact
Hackerone Bug Bounty Report: Hinge (Hinge, $250)
See more writeups on The list of bug bounty writeups.
Getrelationship.py: Python script to get domain relationships using BuiltWith
Shaggy-rogers: Clojure lambda to scan blob files for sensitive content
Travis Grabber: Grabs all logs for all builds for any given Organisation from Travis CI. Similar to CILeek, but in Go
BugPoC: Burp Suite Extension to send raw HTTP Requests to the BugPoC HTTP PoC Generator (BugPoC.com)
ChopChop: Go tool for dynamic application security testing on web applications
disas-apk: All-in-one tool for automating Android app reverse engineering
Subvenkon: Subdomain enumerator which gathers information from Venkon
Physmem2profit: Create a minidump of a target host’s LSASS process by analysing physical memory remotely
seeker: Accurately locate smartphones using social engineering
Securing Active Directory: Performing an Active Directory Security Review
Max & Intro: Scripts for maximizing BloodHound with a simple suite of tools
Talon & Intro: A tool designed to perform automated password guessing attacks while remaining undetected
Library of Resources for Industrial Control System Cyber Security
CVE-2020-10665 Docker Desktop Local Privilege Escalation: First public exploit by @spaceraccoonsec
The problem with Parse: A low-code server that endangers over 63,000,000 users.
AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Demystifying Hackers: Bugcrowd’s 2020 Inside the Mind of a Hacker Report
Academics studied DDoS takedowns and said they’re ineffective, recommend patching vulnerable servers
Unpatched regex bug leaves Node.js apps open to ReDoS attacks
Backdoor wide open: critical vulnerabilities uncovered in GeoVision
Web admins urged to update Magento stores as first release line reaches end of life
Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL: “Almost 110,000 online stores are still running the soon-to-be-outdated Magento 1.x CMS.”
Glupteba – the malware that gets secret messages from the Bitcoin blockchain
Credit card skimmers are now being buried in image file metadata on e-commerce websites & Technical details
Docker servers infected with DDoS malware in extremely rare attacks
Chinese bank forced western companies to install malware-laced tax software
Evil Corp blocked from deploying ransomware on 30 major US firms
REvil ransomware scans victim’s network for Point of Sale systems
BlueLeaks: Data from 200 US police departments & fusion centers published online
New Mac malware uses ‘novel’ tactic to bypass macOS Catalina security
Hackers use fake Windows error logs to hide malicious payload
Fxmsp hackers made $1.5M selling access to corporate networks
Oracle’s BlueKai tracks you across the web. That data spilled online
400 organizations sign open letter to save Open Technology Fund (OTF)
Microsoft quietly created a Windows 10 File Recovery tool, how to use
Adobe wants users to uninstall Flash Player by the end of the year
TikTok To Stop Clipboard Snooping After Apple Privacy Feature Exposes Behavior & Penetrum Security Analysis of TikTok versions 10.0.8 – 15.2.3
Safari 14 removes Flash, gets support for breach alerts, HTTP/3, and WebP
FBI uses T-shirt, tattoo and Vimeo clips to track down alleged arsonist
Experts Denounce Racial Bias of Crime-Predictive Facial-Recognition AI
Toward Applied Andragogy in Cyber Security Education #ForContentCreators
Why API Security Is Different and How the OpenAPI Spec Can Help
Remote Workforce is NOT the New Norm, but “Secure Work Anywhere” Should Be
Why More Than Half of Email Phishing Leaks Happen on Mobile Devices
Mental Fatigue and Decision Making in a Time of Crisis & Social Engineering Red Flags document
Sketch 403 – “Private Browsing” – A high level view of what it does and does not do!
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/19/2020 to 06/26/2020.