By Anna Hammond
September 2, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 21 to 28 August.
GitLab’s red team are sharing tech notes in this repo. It currently contains technical papers, talks, tools and red team exercises. The notes on testing Kubernetes and Google Cloud Platform are excellent resources.
They are also planning to share even more of their day-to-day work, so it is worth keeping an eye on this.
Stealing local files using Safari Web Share API
This is a writeup of a browser bug found in Safari. It leverages the Web Share API that allows for sharing links from the browser using other apps (e.g. mail and messaging apps in both iOS and Mac OS).
The bug works by publishing a malicious page containing a “Share with friends” button. When someone visits the page and shares it with someone, the local files referenced in the malicious page’s source code are silently attached to the email or message. @h0wlu shows proofs of concept for leaking /etc/passwd and Safari’s browsing history.
This is not a critical bug. It requires user interaction and is similar to clickjacking. But I find it interesting that it exploits the new Web Share API and allows for stealing local files from any malicious website.
Prototype pollution – and bypassing client-side HTML sanitizers & Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications
@SecurityMB shares his new research on prototype pollution. Most existing examples of exploitation focus on getting RCE in Node.js. He wanted to find out the client-side impact instead.
The answer, in a nutshell, is that prototype pollution allows you to bypass HTML sanitizers. This is why “if you ever find a prototype pollution in Google Search, then you have XSS in the search field!”.
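To make the sanitizer angle concrete, here is an added toy example (not code from the research or from any real sanitizer library): a made-up attribute filter that reads an allow-list from an options object, which is the pattern a polluted Object.prototype can hijack, next to a hardened version that only honours keys the caller actually set. Names such as sanitizeAttrsUnsafe and ALLOW_ATTR are hypothetical.

```javascript
// Constructed example: a toy attribute sanitizer, not any library's real code.
// Attribute names that must never survive sanitization.
const DANGEROUS = ['onerror', 'onload', 'onclick'];

// Vulnerable pattern: a plain property lookup. When the caller passes {} with
// no own ALLOW_ATTR key, the lookup walks up to Object.prototype, so a
// polluted prototype silently widens the allow-list.
function sanitizeAttrsUnsafe(attrs, options) {
  const extra = options.ALLOW_ATTR || [];
  return Object.fromEntries(
    Object.entries(attrs).filter(
      ([name]) => !DANGEROUS.includes(name) || extra.includes(name)
    )
  );
}

// Hardened pattern: only read configuration the caller set on the object
// itself, so inherited (possibly polluted) properties are ignored.
function sanitizeAttrsSafe(attrs, options) {
  const hasOwn = Object.prototype.hasOwnProperty.call(options, 'ALLOW_ATTR');
  const extra = hasOwn && Array.isArray(options.ALLOW_ATTR) ? options.ALLOW_ATTR : [];
  return Object.fromEntries(
    Object.entries(attrs).filter(
      ([name]) => !DANGEROUS.includes(name) || extra.includes(name)
    )
  );
}

// Simulates a prototype pollution that some unsafe merge/deep-assign elsewhere
// in the application might have caused (constructed for the demo), then runs
// fn and always restores Object.prototype afterwards.
function withPollutedPrototype(fn) {
  Object.prototype.ALLOW_ATTR = ['onerror'];
  try {
    return fn();
  } finally {
    delete Object.prototype.ALLOW_ATTR;
  }
}

// Returns whether the onerror handler survived in each scenario.
function demo() {
  const attrs = { src: 'x', onerror: 'alert(1)' };
  const kept = (out) => Object.prototype.hasOwnProperty.call(out, 'onerror');
  return {
    clean: kept(sanitizeAttrsUnsafe(attrs, {})),                             // false
    polluted: kept(withPollutedPrototype(() => sanitizeAttrsUnsafe(attrs, {}))), // true
    hardened: kept(withPollutedPrototype(() => sanitizeAttrsSafe(attrs, {}))),   // false
  };
}
```

Real sanitizers carry far more configuration than one allow-list, which is exactly why the hasOwnProperty check (or a null-prototype config object) has to cover every option, not just one.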
mapCIDR is a Go library and CLI tool for performing operations on subnet/CIDR ranges. Given a subnet, it can return the list of IP addresses it contains, or slice it into multiple subnets.
This is helpful if you want to do distributed scanning of large networks. Another handy tool by @pdiscoveryio!
This webinar is a gift to any hacker wondering about the best way to install Python, how to manage different versions and avoid dependency hell, and how to create portable Python apps (the Python equivalent of JAR files).
And if you’re thinking “Why don’t you just use Docker?”, there are arguments for the other tools mentioned. @byt3bl33d3r does a great job of answering all these questions.
Security Now: SpiKey – Ransomware Hits Jack Daniel’s, Iranian Script-Kiddies, How Ransomware Happens
Risky Business #596 — DoJ gives Uber breach response one star
The InfoSec & OSINT Show 22 – Chris Kubecka & Hacking the World with OSINT
SWN #59 – Zoom Crash, Dharma Ransomware, & Elon Musk’s Neuralink
SWN #60 – Zoom Outages, MITRE Shield Matrix, & ‘SourMint’ – Wrap Up
Adopting the more effective Penetration Test Model: Assumed Breach & Assumed Breach Penetration Testing Model Deep Dive
IDOR through MongoDB Object IDs Prediction & mongo-objectid-predict
Now you C me, now you don’t: An introduction to the hidden attack surface of interpreted languages
Extending The Value of Security Testing by Adopting Variant Analysis #CodeQL
Hakluke’s Guide to Nmap — Port Scanning is Just The Beginning
Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices
Part 2: Step-by-step iPhone Setup for iOS Research (via @bizzybarney)
Forget Your Perimeter: RCE in Pulse Connect Secure (CVE-2020-8218)
XSS: Arithmetic Operators & Optional Chaining To Bypass Filters & Sanitization
Exploiting CVE-2019-3652 | Owning a networked software repository to PWN endpoints.
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613) #Network
Chasing doorbells: Finding IoT vulnerabilities in embedded devices #IoT
Windows .Net Core SDK Elevation of Privilege #Windows #PrivEsc
GOG Galaxy Client Local Privilege Escalation Deuce #Windows #PrivEsc
hide.me VPN Windows Client Privilege Escalation Vulnerability #Windows #PrivEsc
Auth bypass: Leaking Google Cloud service accounts and projects
Issue 795595: Security: chrome.devtools.inspectedWindow.eval executes within privileged pages (Google, $2,000)
The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer (Google)
Remote Code Execution in Slack desktop apps + bonus (Slack, $1,750)
Privilege escalation from any user (including external) to gitlab admin when admin impersonates you (GitLab, $10,000)
An attacker can run pipeline jobs as arbitrary user (GitLab, $12,000)
Ability to publish a paid theme without purchasing it. (Shopify, $2,000)
See more writeups on The list of bug bounty writeups.
gdb_2_root: Python script that adds some useful commands to stripped vmlinux image
jf: A wrapper around jq, to help you parse jq output
bbr: An open source tool to aid in command line driven generation of bug bounty reports based on user provided templates
Wappylyzer: Implementation of Wappalyzer in Python
Monsoon & AMA: A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time
ADBSploit: A Python wrapper around ADB for exploiting and managing Android devices
AWS Recon: Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata
Google Account Finder: Website to look for info on Google accounts
ReconSpider: Advanced OSINT Framework for scanning IP Address, Emails, Websites & Organizations. Also combines the capabilities of Wave, Photon & Recon Dog to do a comprehensive enumeration of attack surface
slackcat: A simple way of sending messages from CLI output to your Slack via a webhook
Bheem: A simple collection of small bash scripts which run iteratively to carry out the day-to-day recon process and store output in an organized way
Subrake: A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters
Phirautee: A proof of concept PowerShell ransomware to use during internal infrastructure penetration testing or during the red team exercise to validate Blue Team/SOC response to ransom attacks
Ansible-Red-EC2, Red-Route53-Interactive & Intro: Ansible roles for automating red team infrastructure
PurpleSharp: C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
@ofjaaah’s XSS Payloads, KingOfOneLineTips Project @ Telegram channel
mySapAdventures: Quick methodology on testing/hacking SAP Applications
The #AppSec 50: Top application security pros to follow on Twitter
MITRE Shield #BlueTeam
Prototype pollution – and bypassing client-side HTML sanitizers
Bugcrowd LevelUp 0x07: How to Do Chrome Extension Code Reviews
Powershell Logging: Obfuscation And Some New(Ish) Bypasses Part 1
Never Run ‘python’ In Your Downloads Folder & Reddit discussion
Recon.dev now has paid plans & API/SDK documentation
Security researcher discloses Safari bug after Apple delays patch
Slack fixes ‘critical’ vulnerability that left desktop app users open to attack
Bridgefy, the messenger promoted for mass protests, is a privacy disaster
Bcrypt hashing library bug leaves Node.js applications open to brute-force attacks
Denial-of-Wallet attacks: How to protect against costly exploits targeting serverless setups
Vulnerability Spotlight: Remote code execution, privilege escalation bugs in Microsoft Azure Sphere
Tesla employee foregoes $1M payment, works with FBI to thwart cybersecurity attack
Report claims a popular iOS SDK is stealing click revenue from other ad networks
Report: “No Need to Hack When It’s Leaking:” GitHub Leaks of Protected Health Information
US election 2020: The disinfo operations have evolved, but so have state governments
Iran-Linked ‘Newbie’ Hackers Spread Dharma Ransomware Via RDP Ports
North Korean hackers pwned cryptocurrency sysadmin with GDPR-themed LinkedIn lure, says F-Secure
FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks (CISA alert)
DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
“Chrome considered harmful” – the Law of Unintended Consequences
What It’s Like for a Hacker to Get Back Online After a Two-Year Internet Ban
A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts
Office 365 now opens attachments in a sandbox to prevent infections
Finding your first bug: bounty hunting tips from the Burp Suite community
Bug Business #10 – Get to know Intigriti content creator PentesterLand
Why InfoSec Creators Should Move to Direct Support Monetization
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/21/2020 to 08/28/2020.