Bug Bytes #91 – The shortest domain, Weird Facebook authentication bypass & GitHub Actions secrets

By Anna Hammond

October 7, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 25 of September to 04 of October.

Intigriti News

Red Bull rewards friendly hackers at the Intigriti platform in their own unique way

Intigriti Q3 2020 leaderboard

Our favorite 5 hacking items

1. Video of the week

What’s the shortest domain? & Unicode Mapping on Domain names

In this video, @filedescriptor tackles the question of short domains. He goes over why they are interesting, how to buy short domains that do not cost thousands of dollars, and how you can use IDN and Unicode tricks to bypass SSRF/URL validation checks.

2. Writeups of the week

Story of a weird vulnerability I found on Facebook (Facebook)
Forcing Firefox to Execute XSS Payloads during 302 Redirects
The Powerful HTTP Request Smuggling 💪 ($17,050)

Here are three things these writeups taught me:

  • 403 permission denied errors can be bypassed just by sending multiple simultaneous requests. This is how @amineaboud obtained authentication bypass and sensitive information disclosure on Facebook!

  • If you find an XSS but cannot execute it because the payload is reflected in the HTTP response Location header, it’s not useless. @QKaiser shows how browsers can be forced to not follow a 302 redirect, and execute the XSS payload!

  • Always try to escalate impact. @ricardo_iramar found HTTP request smuggling and escalated its impact from “Universal Redirect” worth $2,000 to full compromise of the target’s MDM and a $17,050 bounty.

3. Tool of the week

Rusolver

Rusolver is a lightweight DNS resolver in Rust by Eduard Tolosa (@edu4rdshl), the creator of Findomain. By default, it can resolve 1226 hosts in average per second. So, speed is obviously a strength but it would be interesting to test its accuracy compared to other tools such as massdns.

4. Article of the week

Stealing secrets from GitHub Actions & Intentionally vulnerable repo

This is excellent new research on Github Actions by Rojan Rijal (@uraniumhacker). He looked at Github action workflows and found out that some misconfigured implementations can be exploited to exfiltrate secret tokens. Since this is caused by a misconfiuguration and not a flaw inherent to Github, it is worth knowing and testing for on bug bounty and pentest targets.

5. Tutorial of the week

Setting The ‘referer’ Header Using Javascript

This tutorial presents a technique for manipulating the Referer header from JavaScript. I was under the impression that it wasn’t possible, so it is interesting to read about it. Setting the Referer from JavaScript is useful for bypassing Referer checks and, in rare cases, even exploiting XSS.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • feroxbuster: Forced browsing tool in Rust, similar to ffuf with a few notable differences

  • XSScope & Intro: Advanced XSS payload generator to use for increasing impact

  • RmiTaste: Allows security professionals to detect, enumerate, interact and attack RMI services by calling remote methods with gadgets from ysoserial

  • Gitdorker & Intro: A Python program to scrape secrets from GitHub through usage of a large repository of dorks

  • Nuggets: Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)

  • FHC: Fast HTTP Checker in Rust

  • Massprint: A Rust tool to do basic fingerprinting across a large number of hosts

  • CertAlert: Online service that will alert you to a TLS/SSL Certificate that is due to expire

  • HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser

  • GHunt: OSINT tool to extract information from any Google Account using an email

  • Salesforce Policy Deviation Checker

  • Sharp Wifi Password Grabber: C# toolto retrieve clear-text Wi-Fi passwords saved in a workstation

  • SMB AutoRelay: Bash script that automates the SMB/NTLM Relay technique for pentesting and red teaming exercises in active directory environments

Misc. pentest & bug bounty resources

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/25/2020 to 10/04/2020.

You may also like