By Anna Hammond
July 29, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 17 to 24 of July.
CDL Talks About Hacking, Bug Bounties, Recon, Gau (getallurls), Reversing CVEs, and more!
Beginners Guide to iOS Testing Jailbreak, SSL Bypass & Burp
The first video is a cool interview with Corben Leo (@hacker_). He and @NahamSec talk about all things bug bounty: tooling, recon, methodology, burnout… As always, it is interesting to hear a fellow bug hunter’s story and insights.
The second video is a cool demo by @InsiderPhD on setting up an environment for iOS testing.
HTML sanitization bypass in Ruby Sanitize < 5.2.1
WAF and HTML sanitizer bypasses can seem like black magic for anyone who does not understand how they work and only sees the final payload. So, this is a great learning opportunity.
@SecurityMB explains how Ruby Sanitize works and, step by step, how he built a bypass that introduced XSS.
Attacking MS Exchange Web Interfaces
This is an excellent article on attacking Exchange in the context of pentest / red team engagements. It goes over 5 known techniques that still work in 2020, with their pros and cons. Then it introduces a new technique and a new tool to connect to LDAP via MS Exchange from the Internet and access the Active Directory database.
Towards native security defenses for the web ecosystem
This is an interesting read if you’re into Web app security. It is about the latest security mechanisms being implemented in Chrome and Firefox (e.g. COOP, Fetch Metadata headers, CSP, Trusted Types…).
It is essential to get familiar with these concepts as they have an impact on vulnerabilities like XSS, CSRF, XS-leaks, etc.
Hack-pet is a collection of snippets for bug hunters, to use with the command-line snippet manager pet.
It allows you to quickly search for and run tools like amass, adb, dirsearch, subfinder… without needing to remember their syntax.
Hunting for Javascript! (bug bounty, scripthunter, jsmon, getjswords, urltracker, wfuzz and more)
TheBigBountyTube – My $15,000 Bug Bounty Microsoft Windows Insider Preview | How to Get Started
Introduction To Pentesting – Enumeration & Password Cracking
Security Now – A Tale of Two Counterfeits – Twitter Hack, Cloudflare Outage, Zoom’s Vanity URL Flaw
The InfoSec & OSINT Show 17 – Matthias Wilson & Using OSINT Against Nigerian Scammers
SWN #52 – Wrap Up – Emotet Returns, BadPower Attacks, & Twitter Hack Follow Up
Fastjson: exceptional deserialization vulnerabilities & FastJSON deserialization bug can trigger RCE in popular Java library
Container Breakouts – Part 1: Access to root directory of the Host
Shadow Attacks: Hiding and Replacing Content in Signed PDFs #PDF
SSD Advisory – Roundcube Incoming Emails Stored XSS #Web #CodeReview
Kubernetes CVE-2020-8559 Proof of Concept PoC Exploit #PrivEsc #Kubernetes
Advisory – web browser address bar spoofing #Browser #Web
Hunting Android Application Bugs Using Android Studio. ($3,000)
SAML Response Reuse on hackerone.com/users/saml/auth (HackerOne, $500)
Denial of Service [Chrome] (Twitter, $560)
Near to Infinite loop when changing Group’s name that has API token as Team Member (HackerOne, $2,500)
Business Logic Flaw – A non premium user can change/update retailers to get cashback on all the retailers associated with Curve (Curve, $1,000)
Java Debug Console Provides Command Injection Without Privilege Escalation
Ability to link a Google account to another staff account/store owner that isn’t linked yet (Shopify, $2,000)
See more writeups on The list of bug bounty writeups.
ponieproxy: Simple proxy which captures all requests and responses and saves them in uniquely named files
faviconer.go: Go script for grabbing favicon hashes (like Shodan does)
SourceWolf: Amazingly fast response crawler to find juicy stuff in the source code
CodeArgos: A python module for red teams to support the continuous recon of JavaScript files and HTML script blocks in an active web application
Oralyzer: Open Redirection Analyzer
Boomerang: A tool to expose multiple internal servers to web/cloud
E4Enumerat10n: Python script that uses intelx.io to gather emails associated with any domain name
PCWT: An app with a GUI for managing pentest/bug bounty projects and running port scans & subdomain enumeration tools
Pollenisator: Collaborative pentest tool with highly customizable tools
Rootend: A *nix Enumerator & Auto Privilege Escalation tool
calebstewart/pwncat: Fancy reverse and bind shell handler
dazzleUP: A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems
wintrmvte/Citadel: Small collection of pentesting scripts
SharePoint and Pwn :: Remote Code Execution Against SharePoint Server Abusing DataSet (CVE-2020-1147)
My worst nightmare on discovering a Wi-Fi WPS vulnerability on my home router
Apple Will Start Sending Special Devices to iPhone Hackers & Google’s Project Zero team won’t be applying for Apple’s SRD program
h@cktivitycon: July 31 – August 1
CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability: What You Need to Know & PoC
Hide and replace: ‘Shadow Attacks’ can manipulate contents of signed PDF docs
BadPower attack corrupts fast chargers to melt or set your device on fire
Windows 10 Store ‘wsreset’ tool lets attackers bypass antivirus
Django two-factor authentication plugin stored passwords in plain text
Unpatched Tenda WiFi router vulnerabilities leave home networks wide open to abuse
Academics smuggle 234 policy-violating skills on the Alexa Skills Store
TrojanNet – a simple yet effective attack on machine learning models
GitHub security team finds remote code execution bug in popular Node.js changelog library
App for Chinese DJI drones could give hackers full control of users’ phones, researchers say
Ongoing Meow attack has nuked >1,000 databases without telling anyone why
Slack credentials abundant on cybercrime markets, but little interest from hackers
Mac cryptocurrency trading application rebranded, bundled with malware
New BlackRock Android malware can steal passwords and card data from 337 apps
Prometei botnet exploits Windows SMB to mine for cryptocurrency
A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs
Who is behind APT29? What we know about this nation-state cybercrime group
The Anatomy of a Cisco Counterfeit Shows Its Dangerous Potential
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/17/2020 to 07/24/2020.