By Anna Hammond
July 22, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 10 to 17 of July.
Improve Your Hacking Skills Using Devtools | Bug Bounty Tips
Filedescriptor Talks About Learning Javascript for Hacking, Reconless, Hacking Twitter and More!
HUNTing with OptionalValue and hakluke
If you’re short on time and want to learn something really useful, watch the first video. In literally 5 minutes, @filedescriptor shares amazing Devtools tips for bug hunters. And if you can’t get enough of him, watch the @NahamSec interview (second video) where they discuss topics like recon, bug hunting methodology, learning JavaScript, etc.
The last video is an excellent introduction to the new HUNT Burp extension. A must watch if you want to learn what it is for and how to quickly start using it.
Write-up for a Path Traversal on Gravitee.io
Which impact level do you have in mind when you hear about HTML injection in emails?
If you’re thinking low or medium impact, check out this creative writeup. @Fisjkars injected an image tag with a path traversal payload as the URL. Since the HTML code injected was rendered server-side, it became a path traversal bug with access to sensitive files. In other words, HTML injection + email = Path traversal.
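The chain described in that write-up, shown as an added example that is not code from the original post: a constructed server-side mailer that interpolates a user-supplied name into an HTML template and then inlines every <img src> it finds from a local asset directory. The template, the asset root and all function names are assumptions; the vulnerable and hardened versions of each step sit side by side.

```python
import html
import os
from html.parser import HTMLParser
# Constructed example: an email template rendered server-side from a user-supplied name.
ASSET_ROOT = "/opt/mailer/assets"   # hypothetical directory of images the mailer inlines
TEMPLATE = "<p>Hello {name}, your order has shipped.</p>"

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in the rendered email."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for attr, value in attrs:
                if attr == "src" and value:
                    self.sources.append(value)

def extract_img_sources(rendered_html):
    collector = ImgSrcCollector()
    collector.feed(rendered_html)
    return collector.sources

def render_vulnerable(name):
    # Interpolates raw user input into the HTML body; tags inside `name` become markup.
    return TEMPLATE.format(name=name)

def render_hardened(name):
    # Escapes <, >, &, and quotes so user input can only ever be text, never tags.
    return TEMPLATE.format(name=html.escape(name, quote=True))

def resolve_inline_image(src, root=ASSET_ROOT):
    # Vulnerable resolver: trusts src and joins it under the asset root, so any
    # "../" in src walks out of the root and the mailer reads an arbitrary file.
    return os.path.normpath(os.path.join(root, src))

def resolve_inline_image_safely(src, root=ASSET_ROOT):
    # Hardened resolver: rejects schemes, absolute paths and NUL bytes, then checks
    # that the canonical path is still inside the asset root; returns None if not.
    if "://" in src or src.startswith(("/", "\\")) or "\x00" in src:
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, src))
    if os.path.commonpath([candidate, real_root]) != real_root:
        return None
    return candidate

def files_read_for_email(name, render, resolve):
    # Simulates the inliner: render, collect every <img src>, map each to a local file.
    return [p for p in (resolve(s) for s in extract_img_sources(render(name))) if p]
```

Either fix alone breaks the chain: escaping the input removes the injected tag, and the root check stops the resolver from following a traversal even if a tag does get through.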
Shaking secrets out of CircleCI builds – insecure configuration and the threat of malicious pull requests & circleci-logs
Both articles are about exploiting CI/CD tools for recon.
The first one shows how to use GitLab runner registration tokens you find to access the data of private GitLab instances (even if you only have the token without context).
The second article extends past research on Travis-CI to CircleCI. It comes with a mini-CTF. Will you be able to find the flag before reading about the new technique?
HeapProfiler Snapshot relative URL extractor
In the DevTools video mentioned above, @filedescriptor talked about using the Memory tab to extract API paths from heap snapshots. @smiegles took this idea and made it into a headless Node.js script that automates the process.
OAuth 2.0 Playground & OAuth 2.0 Flow Simulator
If you find OAuth flows hard to grasp, these resources will be helpful. They are like demos that help you see how different types of OAuth 2.0 and OpenID Connect flows work in practice.
The added value compared to just analyzing OAuth requests/responses on a bug bounty target is that you’ll find explanations of the back channel (backend) requests that aren’t visible in browsers.
How easy is it to tweet as anyone? | Twitter Hacks & Bug Bounty
How Pros Use CVEs to Find New Bugs (before anyone else! ft CVE-2020-5902)
The InfoSec & OSINT Show 15 – Chris Dale & Breaking up Recon from the Pen Test
SWN #48 – Wrap Up – F5-BIGIP RCE, Zoom 0-Day, & Apache Guacamole RCE
SANS@MIC- Git’ing Users for OSINT: Analysis of All GitHub Users
Webcast: Securing Active Directory: Protecting AD Administration
Null Ahmedabad July 2020 Meetup (Kubernetes 101, Attacks on JWT, Intro to Metasploit & USB Forensics)
Bypassing AWS WAF CRS with Cross-Site-Scripting (XSS) payload
Android App Source code Extraction and Bypassing Root and SSL Pinning checks
SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers #DNS #Windows
Sophos XG – A Tale of the Unfortunate Re-engineering of an N-Day and the Lucky Find of a 0-Day #Web #CodeReview
RCE in F5 Big-IP #RCE
Tesco coupons easily faked to save £750 on Hotels.com bookings worldwide
CVE-2020-13405: MicroWeber Unauthenticated User Database Disclosure #Web
How An API Misconfiguration Can Lead To Your Internal Company Data
How I was able to change victim’s password using IDN Homograph Attack ($600)
How we were able to delete Donald Trump posts on Facebook? (Facebook, $10,000)
Server Side Template injection to RCE (via CSRF token) (Video)
Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint (TTS Bug Bounty, $300)
File writing by Directory traversal at actionpack-page_caching and RCE by it (Ruby on Rails)
Account takeover intercepting magic link for Arrive app (Shopify, $500)
Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques} (Twitter, $420)
See more writeups on The list of bug bounty writeups.
PwnMachine & Intro: A self hosting solution based on docker aiming to provide an easy to use pwning station for bughunters
getjswords.py: Simple Python tool to find unique words in JavaScript files, helping bug hunters create a wordlist for the company (e.g. to brute-force hidden params, etc.)
Urlgrab: A golang utility to spider through a website searching for additional links
fdnssearch: Swiftly search FDNS datasets from Rapid7 Open Data
Lazy: An example that shows how to create an axiom box that includes existing tools & resources
Pscan: A parallel scanner that utilises axiom to spin up servers and parallel scan using masscan
CodeArgos: Detect and watch for changes to Javascript files and scriptblocks of a target web app
postMessageFinder: A tool that checks if a set of urls contains one or more postMessage functions or eventhandlers
magiskfrida: Run frida-server on boot with Magisk
reNgine: A python automated recon framework (with GUI)
Bopscrk: Wordlists generation tool
SierraTwo: Simple reverse shell over Slack
SuperTruder: A custom intruder that gave me bounties
Netenum: A tool to passively discover active hosts on a network
SqlClient & Intro: POC for .NET mssql client for accessing database data through beacon
CTF-Katana: A listing of tools and commands that may help with CTF challenges
DVTA 2.0: A Damn Vulnerable Thick Client App developed in C# .NET
Escaping JavaScript sandboxes with parsing issues & Attacking and defending JavaScript sandboxes
X Site eScape (Part I): Exploitation of an Old CoreFoundation Sandbox Bug
That loyal MySQL is a rogue one: a tale of a (partially) failed idea
Advanced VBA macros: bypassing olevba static analyses with 0 hits
Copy pasting the copy-paste adversary for ̶l̶u̶l̶z̶ science.
Testing Ripple20: A closer look and proof of concept script for CVE-2020-11898
Requesting Azure AD Request Tokens on Azure-AD-joined Machines for Browser SSO
Microsoft resolves ‘wormable’ DNS security vulnerability, PoC 1, PoC 2, Fake PoC & Webinar: What You Need to Know About the Windows DNS Vulnerability – CVE-2020-1350
So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this, CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java, PoC 1 & PoC 2
Rust programming language: Crates package API tokens revoked over serious security flaw
Twitter hack saga:
Russian hackers target COVID-19 vaccine research with custom malware
Diebold Nixdorf warns of a new class of ATM ‘black box’ attacks across Europe
EU-US Privacy Shield data-sharing framework declared invalid by ECJ: “The landmark decision means that companies seeking to transfer the personal data of EU-based customers to the US must instead sign legal contracts similar to those used by other countries.”
Abracadabra! – CryptBB demystifying the illusion of the private forum
EFF’s new database reveals what tech local police are using to spy on you
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/10/2020 to 07/17/2020.