Bug Bytes #90 – The impossible XSS, Burp Pro tips & A millionaire on bug bounty and meditation

By Anna Hammond

September 30, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 18 to 25 of September.

Our favorite 5 hacking items

1. Article of the week

Redefining Impossible: XSS without arbitrary JavaScript

This is a guest article by Luan Herrera (@lbherrera_) who solved one of PortSwigger’s impossible XSS labs. He used several techniques including an obscure method to prevent a page from loading and a side-channel attack. A pretty advanced and informative XSS attack!

2. Writeups of the week

Universal XSS in Android WebView (CVE-2020-6506) (Google, Microsoft, Twitter…, $15,560+)
Chains on Chains: Chaining multiple low-level vulns into a Critical.
Exploiting Tiny Tiny RSS

I couldn’t choose only one writeup this week, as these are all excellent and focus on different topics.

The universal XSS is a great read if you want to learn about XSS in Android.

The second writeup is a beautiful chain of low/medium impact bugs that ended up becoming a “critical”. It involves blind XSS, CSP bypass, an exposed JWT generation page, lack of rate-limiting and sensitive information disclosure.

The Tiny Tiny RSS writeup is also a mix of vulnerabilities (XSS, SSRF & LFI) that led to RCE. It is really well written with everything explained, from source code review to mass exploitation.

3. Videos of the week

Web Cache Deception For Beginners!

Todayisnew Talks About Bug Bounty, Meditation, Automation, Tooling and Making $1M in Bounties!

This is a great introduction to Web Cache Deception if you want to learn about it and find the topic too complex. Farah Hawa (@farah_hawa01) explains the gist of it in a very approachable way, with resources to go further.

Also, finally an interview with todayisnew (@codecancare)! He is known as a bug bounty millionaire, and for his kindness. It’s fantastic to see what he has to say about bug hunting, recon, tooling, meditation, burnout, etc.

4. Resources of the week

@MasteringBurp

HunterSuite Assets & Vulndb

Because of the coronapocalypse, Nicolas Grégoire (@Agarri_FR) moved his Burp Pro training online. He also started this new Twitter account, @MasteringBurp, to share all kinds of Burp tips.

For example, did you know that if the left part of a Collaborator hostname is “spoofed”, it is resolved to 127.0.0.1?

HunterSuite Assets was just publicly launched. It’s a free online database of subdomains of programs from all major bug bounty platforms. A fantastic resource but I wouldn’t use it as an only source of subdomain enumeration, rather as a comparison tool to find out where I stand in terms of recon results.

5. Tool of the week

burp-headup

Burp head-up is an extension to toggle Burp proxy and get its status with a global keyboard shortcut. It was created for i3 but could be adapted to other windows manager.

This is so handy! Could someone port it to Mac OS, pretty please 🥺?

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • NoSQLi & Intro: NoSql Injection Go tool

  • Hetty: HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community

  • Duplicut: C tool that remove duplicates from MASSIVE wordlist (e.g. a billion entries and 10GB), without sorting it (for dictionnary-based password cracking)

  • PostMessage POC Builder: @honoki’s tool to build POCs for cross-domain postMessage vulnerabilities

  • Offensive Terraform Modules: Automated multi step offensive attack modules with Infrastructure as Code(IAC)

More tools, if you have time

  • gitjacker: Go tool for extracting content from sites that have an exposed .git directory

  • Cloudleaks & Intro: Search engine that indexes S3 buckets and their content

  • Whalescan: Vulnerability scanner for Windows containers, which performs several benchmark checks & checks for CVEs/vulnerable packages on the container

  • Offensive Docker VPS & Offensive Docker

  • ReconNote: Python automated recon framework with a GUI

  • go-stare: A fast & light web screenshot without headless browser but Chrome DevTools Protocol!

  • httpimg: Headless screenshot tool for web servers (uses wkhtmltoimage)

  • AutoDirbuster & Intro: Automatically Run and Save DirBuster Scans for Multiple IPs

  • Wappy: A CLI tool to discover technologies in web applications. It uses the wap library, that is a python implementation of the Wappalyzer browser extension

  • Wafalyzer: Web Application Firewall (WAF) Detector

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/18/2020 to 09/25/2020.

You may also like