By Anna Hammond
November 11, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 1 to 8, 2020.
Congratulations to our new Intigriti 1337 members!
Not particularly restricted to browser-based features. I've had success in custom apps from Electron to Qt-based with the following:
custom-app://views/layout.html
to
custom-app://views/../../../../secret.txt
#bugbounty #bugbountytip #bugbountytips #security #infosec https://t.co/WCuti9ZXoE
— Dominik Penner (@zer0pwn) November 8, 2020
Great #BugBountyTip by @JR0ch17: before copy pasting blind XSS payloads, think about the context they might render in! Use blind template injection payloads to increase your chances of success! #HackWithIntigriti #BugBountyTips pic.twitter.com/AyrNYtPplI
— Intigriti (@intigriti) November 3, 2020
These are two things probably not a lot of people are testing for: Blind XSS in JavaScript payloads and using “view-source” to bypass LFI blacklists. Fantastic tips by @JR0ch17 and @HusseiN98D!
Facebook DOM Based XSS using postMessage (Facebook, $25,000)
GitHub: Widespread injection vulnerabilities in Actions (GitHub)
The first post by @samm0uda is about a beautiful bug chain resulting in DOM XSS on Facebook. A must read if you’re interested in XSS, postMessage vulnerabilities or participating in BountyCon.
The second bug report is the reason why GitHub has deprecated the “set-env” and “add-path” workflow commands in GitHub Actions. @_fel1x found that, because these commands were parsed out of every step’s stdout, any step that printed attacker-controlled data could be abused to inject them, which made Actions vulnerable to command injection attacks.
If you just want a high-level view of these complex findings, I recommend The Daily Swig’s coverage of both the Facebook bug and the GitHub Actions bug.
Hacking with OpenAI GPT-3 | Hacking Without Humans
@ngalongc and @filedescriptor experiment with OpenAI GPT-3 and share ideas on how to leverage it for bug hunting: using AI to write bug reports, spot false positives in tool output and even detect logic flaws. An interesting glimpse into the future of bug hunting.
Notify is @pdiscoveryio’s latest Go tool. Its main purpose is to pull results from Burp Collaborator instances and send notifications to Slack, Discord or the CLI. It also supports piping from any other tool, so it can notify you of that tool’s output too. A pretty handy utility!
BugBountyHunter, Intro & A look inside BugBountyHunter’s member section
After @zseano brought down his excellent BugBountyNotes site, many of us were waiting for his promised new platform. Here it is finally!
BugBountyHunter.com is a Web security training site. The paid membership gives access to @zseano’s hacking methodology ebook, a private vulnerable Web application and reports triage. The free area includes challenges, guides, and an intentionally vulnerable Web application that sometimes has hidden flags to get free access to the membership area.
@ITSecurityguard Talks About Getting Into Bug Bounty, Recon, Automation, Triage, and more!
Zoom – turning on someone’s camera using SQL injection vulnerability – Bug Bounty Reports Explained
How Hacking Actually Looks Like – ALLES! CTF Team in Real Time
Security Now: Google’s Root Program – Google One VPN, WordPress Update Fail, Windows 7 0-Day
Billions of Bitcoins, Zoom Snooping, & Doxing Russian Bears – Wrap Up – SWN #80
China’s Top Hacking Contest, GitHub Actions, & Vulnonym – ASW #129
Multiple iOS 0-Days, Intel Malware Defense, & Windows 0-Day Under Attack – PSW #673
Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 1), Part 2 & Part 3
Setting up a WireGuard VPN Server Architecture for Internal Network Access
A Guide to make your own Serverless Blind XSS and Blind OOB payload
Constructing powerful search queries in OSINT investigations
Hack this repository: The EkoParty 2020 GitHub CTF challenges
Cross-Site Scripting (XSS) All in One: Part 1 & Part 2 (videos)
CVE-2020-26886: Local Privilege Escalation using softaculous/bin/soft #LPE
CVE-2020-16877: Exploiting Microsoft Store Games #Windows #LPE
1000$ for Open redirect via unknown technique [BugBounty writeup] (GitLab, $1,000)
Attack of the clones: Git clients remote code execution (GitHub)
SMTP interaction theft via MITM (PortSwigger Web Security, $1,000)
GitLab-Runner on Windows DOCKER_AUTH_CONFIG container host Command Injection (GitLab, $6,500)
Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, … (GitLab, $5,000)
See more writeups on The list of bug bounty writeups.
LemonBooster-v2: Automation and monitoring tool for bug bounty
Aura: Python source code auditing and static analysis on a large scale
MNS (monitor-new-subdomain): Python script to monitor new subdomains
lorsrf: Python tool that bruteforces hidden parameters to find SSRF vulnerabilities using GET and POST methods
rexsser: Burp extension that extracts keywords from responses using regexes and tests for reflected XSS on the target scope
Infosec Bugbounty AMAs with Calum Boal, Paras Arora & Devansh
Upcoming Google Chrome update will eradicate reverse tabnabbing attacks
Hackerone Is Excited To Launch Triage Ratings For Customers And Hackers
How I Manage Impostor Syndrome, Fear of Failure, and Other Common Programmer Problems
Demand, CyberInsurance, and Automation/AI Are the Future of InfoSec
A Google a day: OSINT/googling game
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/01/2020 to 11/08/2020.