Bug Bytes #96 – AI applied to bug bounty, Burp Collaborator notifications & @zseano’s BugBountyHunter

By Anna Hammond

November 11, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 01 to 08 of November.

Intigriti News

Congratulations to our new Intigriti 1337 members!

Our favorite 5 hacking items

1. Tips of the week

Not particularly restricted to browser-based features. I've had success in custom apps from Electron to Qt-based with the following:

custom-app://views/layout.html

to

custom-app://views/../../../../secret.txt

#bugbounty #bugbountytip #bugbountytips #security #infosec https://t.co/WCuti9ZXoE

— Dominik Penner (@zer0pwn) November 8, 2020

Great #BugBountyTip by @JR0ch17: before copy pasting blind XSS payloads, think about the context they might render in! Use blind template injection payloads to increase your chances of success! #HackWithIntigriti #BugBountyTips pic.twitter.com/AyrNYtPplI

— Intigriti (@intigriti) November 3, 2020

These are two things probably not a lot of people are testing for: Blind XSS in JavaScript payloads and using “view-source” to bypass LFI blacklists. Fantastic tips by @JR0ch17 and @HusseiN98D!

2. Writeups of the week

Facebook DOM Based XSS using postMessage (Facebook, $25,000)
Github: Widespread injection vulnerabilities in Actions (Github)

The first post by @samm0uda is about a beautiful bug chain resulting in DOM XSS on Facebook. A must read if you’re interested in XSS, postMessage vulnerabilities or participating in BountyCon.
The second bug report is the reason why GitHub has deprecated “set-env” and “add-path” commands in GitHub Actions. @_fel1x found that they made Actions vulnerable to command injection attacks.

If you just want a high-level view of these complex findings, I recommend The Daily Swig’s coverage of both the Facebook bug and the GitHub Actions bug.

3. Video of the week

Hacking with OpenAI GPT-3 | Hacking Without Humans

@ngalongc and @filedescriptor experiment with OpenAI GPT-3 and share ideas on how to leverage it for bug hunting: using AI to write bug reports, spot false positives in tool output and even detect logic flaws. An interesting glimpse into the future of bug hunting.

4. Tool of the week

Notify

Notify is @pdiscoveryio’s latest Go tool. Its main purpose is to pull results from Burp Collaborator instances and send notifications to Slack, Discord or the CLI. It also supports piping from other tools, so it can notify you of their output too. A pretty handy utility!

5. Resource of the week

BugBountyHunter, Intro & A look inside BugBountyHunter’s member section

After @zseano took down his excellent BugBountyNotes site, many of us were waiting for his promised new platform. Here it is finally!

BugBountyHunter.com is a Web security training site. The paid membership gives access to @zseano’s hacking methodology ebook, a private vulnerable Web application and report triage. The free area includes challenges, guides, and an intentionally vulnerable Web application that sometimes has hidden flags to get free access to the membership area.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • LemonBooster-v2: Automation and monitoring tool for bug bounty

  • Aura: Python source code auditing and static analysis on a large scale

  • MNS (monitor-new-subdomain): Python script to monitor new subdomains

  • lorsrf: Python tool that bruteforces hidden parameters to find SSRF vulnerabilities using GET & POST methods

  • rexsser: Burp extension to extract keywords from responses using regexes & test for reflected XSS on the target scope

Misc. pentest & bug bounty resources

Articles

Bug bounty & Pentest news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/01/2020 to 11/08/2020.
