By Anna Hammond
September 9, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 28 August to 4 September.
Supercharge Android dev with Scrcpy and ADB WIFI
This will be helpful if you have a physical Android device and want to use it wirelessly from your laptop for tests.
Using Genymotion’s scrcpy, you can cast the device’s screen on your laptop, use ADB over WIFI, record PoCs or demos from your laptop, etc.
Oversecured automatically discovers persistent code execution in the Google Play Core Library (Google)
~30 reports by Jon Bottarini (New Relic)
The first writeup is about a local arbitrary code execution vulnerability in Google Play’s Core Library. It was possible to target any application (including Google Chrome) by crafting a malicious APK. If a victim installed it, it would perform directory traversal, execute code as the target app and access its data.
The second link is what it looks like when @jon_bottarini plays with a Web app to get familiar with it. It’s about 30 reports of IDOR, Privilege Escalation, Stored XSS and Logic bugs found on New Relic, without recon, over a span of two years. So interesting, and a perfect response for anyone who says there aren’t any bugs left to find!
How to use ffuf – Hacker Toolbox & ffuf translator
This is an excellent introduction to ffuf. @InsiderPhD explains everything you need to start using this powerful tool now: Options for subdomain bruteforcing, fuzzing parameters and headers, cutting down false positives, handling the output, oneliners for common uses, etc.
Weak JWT secrets dictionary & Intro
This is a list of public JWT secrets found with Google dorking and Google BigQuery. It can be used as a wordlist for bruteforcing JWT signatures. The idea is that sometimes developers only sign JSON Web Tokens without encryption, and copy/paste secrets (like the ones compiled) from tutorials.
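As an added illustration of why that wordlist matters (example code written for this issue, not part of the linked repository or the newsletter), the block below implements HS256 signing and verification with only the standard library, then shows the defensive use of such a list: auditing whether a token you issued verifies under a published tutorial secret, and rejecting weak secrets at configuration time. `WEAK_SECRETS` is a constructed five-entry stand-in for the real list, and `STRONG_SECRET` is a constructed random comparison value.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample of tutorial-style secrets; the real wordlist linked above is far larger.
WEAK_SECRETS = ["secret", "password", "your-256-bit-secret", "changeme", "jwt_secret"]

# Constructed strong secret: 256 bits of OS randomness, for comparison.
STRONG_SECRET = secrets.token_urlsafe(32)


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Produce a compact HS256 JWT, the way most tutorials do it."""
    header = {"alg": "HS256", "typ": "JWT"}

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(payload)}"
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_hs256(token: str, secret: str):
    """Return the payload if the token carries a valid HS256 signature, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    # Pin the algorithm server-side: the token never gets to choose it,
    # which rejects alg=none and RSA/HMAC key-confusion tokens outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{head_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def weak_secret_for(token: str, wordlist):
    """Audit: does a token we issued verify under any published weak secret?"""
    for candidate in wordlist:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


def secret_problems(secret: str, wordlist, min_bytes: int = 32):
    """Configuration-time check before a secret is accepted for signing."""
    problems = []
    if secret in set(wordlist):
        problems.append("appears in a public weak-secret wordlist")
    if len(secret.encode()) < min_bytes:
        # RFC 7518 requires HS256 keys of at least 256 bits.
        problems.append(f"shorter than {min_bytes} bytes")
    return problems
```

Running `weak_secret_for` over a sample of your own issued tokens is a cheap regression check; `secret_problems` belongs wherever the signing key is loaded, so a copy-pasted secret is refused before the first token is minted.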
Two Go tools that help with recon automation: Masscan Parser parses Masscan’s output, as the name suggests, and returns IP:port combinations. This is useful for extracting open ports and feeding the list into another tool.
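To make concrete what such a parser has to handle, here is an added Python example (written for this issue, not the linked Go tool) that turns Masscan’s `-oL` list format into `ip:port` strings. It goes a little beyond the description above: it validates addresses and port ranges, skips `banner` and non-matching protocol lines, deduplicates, brackets IPv6 hosts, and can regroup the result per host. `SAMPLE_LIST_OUTPUT` is a constructed sample in the shape of that format, not a real scan.

```python
import ipaddress
import re
import sys

# Constructed sample shaped like masscan's -oL (list) output; not a real scan.
SAMPLE_LIST_OUTPUT = """\
#masscan
open tcp 80 192.0.2.10 1599000000
open tcp 443 192.0.2.10 1599000001
open tcp 443 192.0.2.10 1599000001
open udp 53 192.0.2.10 1599000002
open tcp 22 198.51.100.7 1599000003
banner tcp 80 192.0.2.10 1599000004 http.server Apache
open tcp 8080 2001:db8::1 1599000005
open tcp 70000 203.0.113.5 1599000006
garbage line that should be ignored
# end
"""

# Fields: state proto port ip timestamp [banner data...]
LINE_RE = re.compile(
    r"^(?P<state>\w+)\s+(?P<proto>\w+)\s+(?P<port>\d+)\s+(?P<ip>\S+)\s+(?P<ts>\d+)"
)


def parse_masscan_list(text, proto="tcp", state="open"):
    """Return deduplicated 'ip:port' strings (IPv6 bracketed), first-seen order."""
    endpoints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or m["state"] != state or m["proto"] != proto:
            continue
        port = int(m["port"])
        if not 1 <= port <= 65535:
            continue  # corrupted line; never feed a bogus port downstream
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        endpoint = f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"
        if endpoint not in endpoints:
            endpoints.append(endpoint)
    return endpoints


def ports_by_host(endpoints):
    """Group 'ip:port' strings into {ip: [ports]} for per-host follow-up."""
    grouped = {}
    for ep in endpoints:
        host, _, port = ep.rpartition(":")
        grouped.setdefault(host.strip("[]"), []).append(int(port))
    return grouped


if __name__ == "__main__":
    # Pipe a real list file in; with no stdin, fall back to the constructed sample.
    data = SAMPLE_LIST_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for ep in parse_masscan_list(data):
        print(ep)
```

Used as `masscan ... -oL scan.txt && python3 parse.py < scan.txt`, it prints one endpoint per line, which is the shape most follow-up tools accept on stdin.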
jf is a wrapper around gf which makes it easier to grep for common patterns in text files. jf provides the same functionality but for JSON files.
Interview with a hacker: Inti from Intigriti (Community manager)
BugBountys: Writing your own SSRF tool in golang & SSRF-Detector
$6,5k + $5k HTTP Request Smuggling mass account takeover – Slack + Zomato
Full bug bounty methodology to get you started V 2.0 (Say cheese)
Risky Business #597 — Alex Stamos talks news, Pompeo’s “clean networks” initiative
The InfoSec & OSINT Show 23 – Samy Kamkar & Reverse Engineering
SWN #61 – Slack RCE, Charming Kitten, & KryptoCibule Malware
SWN #62 – ‘Sepulcher’ Malware, Tesla Dodges Attack, & Snowden Vindicated? – Wrap Up
Go-ing for an evening stroll: Golang beasts & where to find them & Slides
Hunting Logic Attacks – A Peak at SEC552: Bug Bounties & Responsible Disclosure
Webcast: How to Present: Secrets of a Retired SANS Instructor
Getting access to internal source code of multiple organizations
On secure-shell security: SSH hardening guide
Smuggling SIP headers past Session Border Controllers FTW! #SIP
Inconsistent Behavior of Go’s CGI and FastCGI Transport May Lead to Cross-Site Scripting #Web #CodeReview #Go
Cloud firewall management API SNAFU put 500k SonicWall customers at risk #Web
Watchcom Security Group Uncovers Cisco Jabber Vulnerabilities #RCE #XMPP
Maltego CVE-2020-24656 Analysis #Web #XXE
Lock screen/Bitlocker bypass/elevation of privilege in Bitlocker #Bitlocker #Windows
Exploiting Jira for Host Discovery (Atlassian)
XSS via unicode characters in upload filename (WordPress, $600)
Takeover an account that doesn’t have a Shopify ID and more (Shopify, $22,500)
DOM XSS triggered in secure support desk (QIWI, $500)
Stealing data from customers.gitlab.com without user interaction (GitLab, $3,500)
See more writeups on The list of bug bounty writeups.
oobfuzz: Conduct OOB Fuzzing of targets with custom payloads towards callback server
Fuxi: Penetration Testing Platform
iblessing: iOS security exploiting toolkit that includes application information collection, static analysis & dynamic analysis
wadl-dumper: Dump all available paths and/or endpoints on WADL file
jwt-hack: Go tool for JWT hacking
mainRecon: Automated reconnaissance Docker image
SNIcat & Intro: Proof of concept tool that performs data exfiltration, utilizing a covert channel method via Server Name Indication, a TLS Client Hello Extension
Tunshell: Remote shell into ephemeral environments
Red Commander & Intro: Red Team C2 Infrastructure built in AWS using Ansible!
MoveScheduler: .NET 4.0 Scheduled Job Lateral Movement
hsts-preload-recon: One-liner bash script for gathering domains from hsts preload list
Combinations of default usernames and passwords for the Medusa password cracker
judyrecords: 379 million+ United States court records #OSINT
trailofbits/not-going-anywhere: A Set of Vulnerable Golang programs
Introducing the GraphQL Add-on for ZAP & ZAP JWT Support Add-on
New Web Security Academy topic: Business logic vulnerabilities
Facebook to list all WhatsApp security issues on a new dedicated website
Google Announcing new reward amounts for abuse risk researchers
Vulcan Cyber study finds serious problems with vulnerability management
Average BEC attempts are now $80k, but one group is aiming for $1.27m per attack
Hackers actively exploiting severe bug in over 300K WordPress sites
Cisco fixes critical code execution bug in Jabber for Windows
The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy
Squid proxy addresses web cache poisoning vulnerability with latest release
Microsoft Defender can ironically be used to download malware
Flaw allowed adware slingers to slip past Apple’s approval protocol
Iranian hackers are selling access to compromised companies on an underground forum
Low hanging ‘Forbidden’ fruits: Post-compromise tool targets unguarded Magento flank
US federal agencies required to launch security vulnerability disclosure policies
Microsoft confirms why Windows Defender can’t be disabled via registry
TLS certificate lifespan cut short: A win for security, or cause for chaos?
Mozilla research: Browsing histories are unique enough to reliably identify users
AWS introduces Bottlerocket: A Rust language-oriented Linux for containers
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/28/2020 to 09/04/2020.