By Anna Hammond
September 23, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 11 to 18 September.
Intigriti wins ‘Cybersecurity Innovator of the Year’
Inti De Ceukelaire voted “IT Person of the Year”
How to Master FFUF for Bug Bounties and Pen Testing & Everything you need to know about FFUF
Finding Hidden Files and Folders on IIS/.NET (Recon), Hacking IIS (APIs and using BigQuery) (Part 2) & Finding Hidden Files and Folders on IIS using BigQuery
These are two very informative videos with accompanying blog posts. Michael Skelton (@codingo_)’s guide to ffuf is so good that the tool’s creator, @joohoi, is linking to it from the main ffuf repo!
Shubham Shah (@infosec_au) shares clear explanations of brute-forcing IIS hidden files and folders, and of leveraging BigQuery (without ruining yourself!).
$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty (Facebook, $25,000)
When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number
Bug bounty amounts aren’t everything, but they’re often an indicator of the seriousness of a vulnerability. Andres Alonso’s (@al0nnso) finding is impressive considering not only the bounty but also the hardened target and his young age. He found an open redirect on Facebook that could be escalated to XSS. WAF bypass was possible by injecting code to change the page’s charset and encoding the XSS payload.
The second writeup is a fun vulnerability disclosure story. @mangopdf found a former Australian Prime Minister’s boarding pass on Instagram and could use it to obtain his passport and phone numbers. An entertaining crusade followed to report this without getting arrested.
Graphtage is a command line utility and library for semantically comparing and merging tree-like structures (e.g. JSON, JSON5, XML, HTML, YAML, TOML and CSV). It’s a great tool for diffing files and automating recon data analysis.
Hacking on Bug Bounties for Four Years
This is an illuminating read for anyone who is doing bug bounties or aspiring to. @infosec_au shares his past four years’ experience as a part-time bug hunter. This includes the types of bugs he reported, bounty amounts for each, total earnings, his methodology, collaboration experience… Amazing insights into a seasoned bug hunter’s life!
Bypassing WAF by Playing with Parameters
This is an introduction to HTTP Parameter Fragmentation, and how it can be leveraged to bypass WAFs and exploit SQL injection. A nice read to get familiar with this technique!
$4,000 Starbucks secondary context path traversal – Hackerone
BOUNTY THURSDAYS – Loads of new bugbounty content creators that create awesome content for you!
Security Now – BlindSide & BLURtooth – Chrome vs Abusive Ads, Patch Tuesday Palooza
Risky Business #599 — You get domain admin! And YOU get domain admin!
The InfoSec & OSINT Show 25 – Jeremiah Grossman and Asset Inventory
7MS #432: Tales of Internal Network Pentest Pwnage – Part 21
Securi-Tay 2020, especially:
tmpmail – A temporary email right from Linux / Unix terminal
Hijacking a Domain Controller with Netlogon RPC (aka Zerologon: CVE-2020-1472), How to exploit Zerologon (CVE-2020-1472), Thread about the impact of Zerologon & New mimikatz release with Zerologon detection
Online Casino Roulette – A guideline for penetration testers and security researchers
Custom DLL injection with Cobalt Strike’s Beacon Object Files
Domains, Servers, and IPs (aka no, that’s not a subdomain takeover)
Create a Fully Loaded, Free Active Directory Lab in 15 Minutes
CVE-2020-16171: Exploiting Acronis Cyber Backup for Fun and Emails #Web #CodeReview
Falco Default Rule Bypass #Kubernetes
Backdoors and other vulnerabilities in HiSilicon based hardware video encoders #Network
Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation (Shopify, $22,000)
[authmagic-timerange-stateless-core] Improper Authentication (Node.js third-party modules) #JWT
Change the username for any Facebook Page (Facebook, $15,000)
See more writeups on The list of bug bounty writeups.
kb: A minimalist knowledge base manager
Arsenal: Quick inventory, reminder and launcher for pentest commands
Mapboxapiscanner: Python script to determine whether a leaked/found Mapbox API Key is vulnerable to unauthorized access by other applications or not
query-json: Faster and simpler implementation of jq in Reason Native
nvd-scrapper: Pull data from the national vulnerability database and push it to a GCP bucket
OneFuzz: A self-hosted Fuzzing-As-A-Service platform by Microsoft
GKE Auditor: A tool by Google to detect a set of common Google Kubernetes Engine misconfigurations
LambScan & Offensive Security Testing Using Cloud Tools: AWS Lambda-based port scanner
wordlist_generator: Unique wordlist generator of unique wordlists
Tafferugli: Twitter Analysis Framework #OSINT
Darkshot: Lightshot scraper on steroids with OCR #OSINT
mzap: Multiple target ZAP Scanning
Bantam: A PHP backdoor management and generation tool/C2 featuring end to end encrypted payload streaming designed to bypass WAF, IDS, SIEM systems
crlfmap: Go tool to find HTTP Splitting vulnerabilities
MIDNIGHTTRAIN & Intro: A Covert Stage-3 Persistence Framework weaponizing UEFI variables
CdkGoat: Vulnerable AWS CDK Infrastructure
Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’s Ill-conceived Jaunts
Smart Home Devices: assets or liabilities? – Part 1: Security
ModSecurity, Regular Expressions and Disputed CVE-2020-15598
Defeating Macro Document Static Analysis with Pictures of My Cat
Amazon S3 bucket owner condition helps to validate correct bucket ownership
The IRS offers a $625,000 bounty to anyone who can break Monero and Lightning
COVID cybercrime: 10 disturbing statistics to keep you awake tonight
2020 Threat Hunting Report: Insights From The Crowdstrike Overwatch Team
Darknet markets likely to continue despite exit scams and law enforcement takedowns
US 2020 Presidential apps riddled with tracking and security flaws
Researcher kept a major Bitcoin bug secret for two years to prevent attacks
Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw
ModSecurity maintainers contest denial-of-service vulnerability claims
First death reported following a ransomware attack on a German hospital
US govt: China-sponsored hackers targeting Exchange, Citrix, F5 flaws
Android Malware Bypasses 2FA And Targets Telegram, Gmail Passwords
Google App Engine feature abused to create unlimited phishing pages
Maze Ransomware Adopts Ragnar Locker Virtual-Machine Approach
Office 365 phishing runs real-time check of stolen domain logins
UPDATE – TikTok Ban: Security Experts Weigh in on the App’s Risks
Internet Society launches toolkit to safeguard open, secure ‘network of networks’
Google Chrome is making it easier to reset compromised passwords
MITRE releases emulation plan for FIN6 hacking group, more to follow
UK government releases toolkit to easily disclose vulnerabilities
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/11/2020 to 09/18/2020.