By Anna Hammond
November 18, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 08 to 15 November.
Avalanche of security updates, Zoom snooping & The 2020 business threat landscape
The Act of Balancing: Burnout in Cybersecurity with Chloé Messdaghi!
10 GREAT habits for bug bounty hunters (and a productive life)
A lot of us bug hunters and pentesters have to deal with burnout. So, make sure to watch these two videos that are full of ideas to not only avoid it, but also to gain in productivity and general well-being. Fantastic tips by @ChloeMessdaghi and stokfredrik!
Smuggling an (Un)exploitable XSS
31k$ SSRF in Google Cloud Monitoring led to metadata exposure (Google, $31,337)
From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
@david_nechuta goes over a blind SSRF in Google that was tricky to exploit. @MrTuxracer shows how he chained an uninteresting request smuggling vulnerability with a hard to exploit header-based XSS to escalate their impact. @bananabr’s writeup details how he used LiveDOM++ to find a new DOMPurify bypass.
These are all great findings and highly recommended to read!
Untrusted Types is a Chrome extension by @filedescriptor that abuses Trusted Types to log DOM XSS sinks. It is handy for tracing sink to source and source to sink when testing for DOM XSS, and also for finding script gadgets to bypass the CSP.
SAD DNS stands for “Side-channel AttackeD DNS” and is not just another vulnerability that gets its own name and site. It bypasses mitigations for DNS cache poisoning attacks, and makes it possible again to poison DNS resolvers and forwarders using ICMP as a side channel.
DNS providers are working on fixing it as it effectively breaks DNS. Anyone could exploit it to re-route traffic to their own servers. A fascinating dive into DNS security!
Deep Dive into Site Isolation (Part 1)
This blog post explains how Site Isolation works in Chrome and mitigates attacks like Universal XSS and Spectre. Jun Kokatsu (@shhnjk) studied it and found 10+ bugs in the Chrome bug bounty program! An excellent read if you’re into browser security, UXSS, or CORS / CORB testing.
@John Hammond Talks About CTF vs Bug Bounty, Organizing CTFs, CTF tools, Certificates, and more!
@zseano Talks About bugbountyhunter.com, Recon, Reading Javascript, Getting Started in Bug Bounty🔥
Security Now: NAT Firewall Bypass – SlipStream NAT Firewall Bypass, MS Police Use Ring Doorbell Cams
Risky Business #604 — Election-related cyber shenanigans fail to materialise
CTF Radiooo: Education and CTFs with Fabian aka LiveOverflow
Tianfu, Ghimob, Scalper Bots, Animal Jam, & Pay2Key – Wrap Up – SWN #82
‘Platypus’ Attack, IDOR DOD Bug, & 2 More Chrome 0-Days – ASW #130
The Secret Thoughts of a Successful Hacker | Nadean Tanner | 1 Hour
2020 Collegiate SECTF KeyNote: Chris Hadnagy, Webinar: How To OSINT by Chris Krisch & Webinar: Social Engineering Ask Me Anything
File upload vulnerabilities & Slides/challenges (in Arabic)
DEF Con 401 – Steve Campbell – The 10 (Unexpected) Ways I Pwned You!
Unlock Your Brain ⋅ Harden Your System 2020 (in French)
How to get root on Ubuntu 20.04 by pretending nobody’s /home #Linux #LPE
Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer. #SmartTV #Android
Silver Peak Unity Orchestrator RCE & SD-PWN Part 2 — Citrix SD-WAN Center — Another Network Takeover #Web #RCE
A code signing bypass for the VW Polo #IoT #CarHacking
TP-Link Takeover with a Flash Drive #Router #USB
Intel, Please Stop Assisting Me #Windows #LPE
Firefox for Android: LAN-Based Intent Triggering (Microsoft)
How I Found The Facebook Messenger Leaking Access Token Of Million Users (Facebook, $16,125)
Evernote: Universal-XSS, theft of all cookies from all sites, and more (Evernote)
Ticket Trick at https://account.acronis.com (Acronis, $750)
Possibility to freeze/crash the host system of all Slack Desktop users easily (Slack, $500)
Uninstalling Slack for Windows (64-bit), then reinstalling keeps you logged in without authentication (Slack, $500)
See more writeups on The list of bug bounty writeups.
AWS User Data Secrets Finder: Search for secrets inside user data attached to EC2 instances on multiple AWS accounts
SendPass: Securely* send passwords, URLs or other text data from any trusted computer with a camera (Phone, Laptop, Web Cam, etc.) to an un-trusted computer with ease
4xxbypass: A tool that automates a number of well-known 403/401 bypassing techniques
Asthook: Python tool for Android static and dynamic analysis
3klCon: Automation recon tool which works with large & medium scopes
anewer: A rust version of TomNomNom’s anew. It appends lines from stdin to a file if they don’t already exist in the file
xpcspy: Bidirectional XPC message interception and more. Powered by Frida
Dredd: HTTP API Testing Framework. It’s a language-agnostic command-line tool for validating an API description document against the backend implementation of the API.
enum4linux-ng: A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed at security professionals and CTF players
Apollo: A .NET Framework 4.0 Windows Agent
PYTMIPE & TMIPE: Python library and client for token manipulations and impersonations for privilege escalation on Windows
Infosec Bugbounty AMA with JR0ch17 & BenkoOfficial
Exploring the Exploitability of “Bad Neighbor”: The Recent ICMPv6 Vulnerability (CVE-2020-16898)
On the Effectiveness of Time Travel to Inject COVID-19 Alerts
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2020 to 11/15/2020.