By Anna Hammond
August 12, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 31 of July to 07 of August.
DEF CON Safe Mode, DEF CON 28Media server & Villages: AppSec Village, Red Team Village, Recon Village & Voting Village
Between these two conferences, there is enough videos and new research to keep anyone busy for weeks. There are so many valuable talks that I’m not sure where to start!
Just to give you an idea: @albinowax published his new research we’re probably continue to hear about for months to come. @securinti presented an updated and longer version of his talk on pwning email systems. @jhaddix did a long version of his Bug Hunter Methodology workshop. @NahamSec and @_StaticFlow_ dropped some mindblowing knowledge on identifying assets in the cloud (although the video hasn’t been shared yet). @heald_ben shared some cool findings on the Parse mobile app backend. @stokfredrik gave the ultime answer to “How to get started in bug bounties”. @NotDeGhost and @ginkoid dived into WAF bypass techniques. @sajjadium and Seyed Ali demonstrated new Web Cache Deception techniques.
And this is just the tip of the iceberg!
SSRF is the golden goose of vulnerability classes. Just when you think everything has been said about it, someone comes up with a novel technique!
At the occasion of Black Hat and DEF CON, @joshmdx presented a new way to exploit SSRF via TLS (as well as CSRF via image tags). The method is similar to SNI injection but relies on behaviors inherent to TLS instead of bugs in a particular implementation.
To help exploit this new type of SSRF, @joshmdx released TLS Poison. This is definitely worth diving into and testing for!
Web Cache Entanglement: Novel Pathways to Poisoning, How to use Param Miner to detect fat GET cache poisoning & New “Web cache poisoning” topic on Web Security Academy
@albinowax dropped his new research, Web cache entanglement, that builds on his previous work on Web cache poisoning. It takes advantages of esoteric cache behaviors, and turns them into high impact exploit chains. Examples of attacks demonstrated include persistently poisoning every page of an online newspaper, and disabling Firefox updates by changing a single character in a legitimate request.
There is a lot to digest to understand Web cache entanglement (an article, a whitepaper, a talk, a Web Security Academy topics and labs, and a tool, param miner, updated to support testing for it)! But my gut tells me this will be the focus of a lot of bug hunters, just as Web cache poisoning has been the past year.
Vulnerabilities in the Openfire Admin Console
@shvetsovalex007 found an unauthenticated internal SSRF in Openfire. It is time to check your bug bounty notes for open ports 9090/http and 9091/https, to test for this!
Script Gadgets! Google Docs XSS Vulnerability Walkthrough
@LiveOverflow breaks down a very interesting XSS in Google spreadsheets. It is a complex finding that involves a chain of script gadgets and postMessage. An excellent example of a bug that is easily missed by automated tools.
Apart from technical details on the XSS, Google’s security team provided some explanations on why the bug existed. And Nickolay, who found the bug, chimed in to answer questions on his background and why he specializes in a specific type of bugs and apps.
BOUNTY THURSDAYS (CVE-2020-13379, Hackers Summercamp, Hackthebox, Bughunters Methodology 4, Nucleai)
STÖK Chats! Bug bounties, hacking, content creation, fear, motivation, veganism, love and life
Account Takeover: From zero to System Admin using basic skills
Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation: Blackhat/Defcon 2020
The InfoSec & OSINT Show 19 – Tommy Devoss (Dawgyg) & Bug Bounty Hunting on Steroids
BootHole – Twitter Hackers Arrested, Garmin Hackers Get Ransom
Risky Business #593 — China promises “mortal combat in the tech realm”
The JerichShow Episode 15 – Supply Chain Side Effects and Data Leakage
The Art of the Honeypot Account: Making the Unusual Look Normal
IoT Security – Part 11 (Introduction To CoAP Protocol And Security)
Implementing Secure Biometric Authentication on Mobile Applications
Building a lab with Server 2019 Server Core and PowerShell …then attacking it!
How To: Applied Purple Teaming Lab Build on Azure with Terraform (Windows DC, Member, and HELK!)
Technical analysis: CVE-2020-15654 and a history of Firefox “Browser Lock” bugs #Browser
Microsoft Teams Updater Living off the Land #Windows #SMB
Hacking Cisco SD-WAN vManage 19.2.2 — From CSRF to Remote Code Execution #Router #RCE #Web
X Site eScape (Part II): Look Up a Shell in the Dictionary #MacOS
Exploiting an ‘Unexploitable’ SquirrelMail Bug for File Disclosure #Web
SCP in OpenSSH 8.3p1 allows eval injection (CVE-2020-15778) #OpenSSH
The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks #Web
Vulnerability in new TouchID feature put iCloud accounts at risk of being breached (Apple)
Refocusing in bug hunting, Bonus: An interestingly simple to test CSRF bypass
CSRF PoC mistake that broke crucial functions for the end user/victim
Availing Zomato gold by using a random third-party wallet_id
(Zomato, $2,000)
Account takeover in cups.mail.ru (Mail.ru, $1,500)
Private list members disclosure via GraphQL (Twitter, $2,940)
Improper use of “path” parameter can be used to trick testers into leaking their Front-End PoC (BugPoC, $1,000)
Full Read SSRF on Gitlab’s Internal Grafana (GitLab, $12,000)
See more writeups on The list of bug bounty writeups.
Mole: A framework for identifying and exploiting out-of-band application vulnerabilities
Link Lock: Distributed application to password-protect URLs using AES in the browser
quoted-printable Parser: A Burp Suite extension to parse Content-Transfer-Encoding: quoted-printable emails received in Burpcollaborator’s SMTP
FestIn: S3 Bucket Weakness Discovery
Taser: Python3 resource library for creating security related tooling
AutomatedHunter: Google Chrome Extension that automates testing fundamental Web Problems via Chrome
Bucky: An automatic S3 bucket discovery tool
Bug Bounty Recon (bbrecon) & Python library and CLI: Free Recon-as-a-Service API
CWFF: Create your Custom Wordlist For Fuzzing
rejig: An ansible+terraform suite to spawn and provision a virtual machine for attack purposes
sshchecker: A ast dedicated SSH brute-forcing tool in Go, to check ssh login on a given list of IPs
routopsy & Intro: A toolkit built to attack often overlooked networking protocols, like Dynamic Routing Protocols (DRP) & First-Hop Redundancy Protocols (FHRP)
Smogcloud: Find AWS cloud assets that no one wants exposed
PersistentJXA & Intro: Collection of macOS persistence methods and miscellaneous tools in JXA
Aria Cloud & Intro: A Docker Container for remote pentesting over SSH or RDP, with a primary emphasis on cloud security tools and secondary on Active Directory tools
ATTPwn: A Python tool designed to emulate adversaries conducting malware campaigns
Quick Tricks for Transferring Files & Big list of http static server one-liners
wzrd: Repository of scripts designed to ease the execution of common tools with optimized commands while only requiring the basic input parameters
Bonus security advice from attackers behind Ragnar Locker ransomware
Unicode for Security Professionals & Interactive cheat sheet
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Reverse Engineering Starling Bank (Part I): Obfuscation Techniques & (Part II): Jailbreak & Debugger Detection, Weaknesses & Mitigations
The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication, [Part 2] – Accessing a Remote Object inside DCOM & IOXIDResolver
The Official IEFT draft on OAuth 2.1 is out & OAuth Happy Hour Live Q&A (video)
Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards
OWASP AppSec Days (Free trainings): August 25 & 26
An API Worm In The Making: Thousands Of Secrets Found In Open S3 Buckets.
Researchers Warn of High-Severity Dell PowerEdge Server Flaw
Team Pangu demonstrates unpatchable Secure Enclave Processor (SEP) chip vulnerability in iOS
Twitter patches Android app to prevent exploitation of bug that can grant access to DMs
Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack
Prototype pollution bug in popular Node.js library leaves web apps open to DoS, remote shell attacks
Cluster of 295 Chrome extensions caught hijacking Google and Bing search results
Ransomware: The tricks used by WastedLocker to make it one of the most dangerous cyber threats
Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
Google, WiCyS, SANS join forces to launch all-female information security scholarship
Data breach notification website Have I Been Pwned? will be open sourced – Troy Hunt
Microsoft and Google join industry coalition aimed at quashing open source security bugs & Threats, Risks, and Mitigations in the Open Source Ecosystem
Here’s the NSA’s advice for reducing the exposure of cellphone location data
China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI
US government offers $10 million reward for information on cyber interference in elections
Ohio becomes first state to release vulnerability policy for election-related websites
Top voting vendor ES&S publishes vulnerability disclosure policy
We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother & Demo of the issue
BlackBerry releases new security tool for reverse-engineering PE files
Bug Business #7 – Get to know jca, Intigriti’s Top Hacker in Q2
How Attackers Bypass MFA and Conditional Access to Compromise Email Accounts
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/31/2020 to 08/07/2020.