Bug Bytes #106 – THE blind SSRF reference, Apple & Microsoft RCEs & Scanning for logic flaws
By Anna Hammond
January 20, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 10 to 17 of January.
Intigriti News
Did you know that Bug Bytes is two years old? It is time to freshen it up a bit and you can help us by providing your feedback. We love to improve based on data and insights. So, your input is highly appreciated and will help us improve the quality of this newsletter.
Fill out the survey for a chance to win an Intigriti Swag voucher of € 50.
The winner of the Intigriti Swag voucher will receive a personal email before January 27.
Introducing report collaboration: split these bounties!
Google Titan 2FA keys cloned, Microsoft Exchange’s unpatched RCE & Mimecast supply chain attack
Our favorite 5 hacking items
1. Resource of the week
A Glossary of Blind SSRF Chains & GitHub repo
This is a massive post on exploit chains that help escalate the impact of blind SSRF. This is simply a must see for bug hunters, a new amazing resource by @assetnote.
There is also a GitHub repo. You can contribute additional techniques by sending a pull request.
2. Writeups of the week
Finding 0day to hack Apple (Apple, $50,000)
Making Clouds Rain :: Remote Code Execution in Microsoft Office 365 (Microsoft)
There’s a bunch of exceptional findings and excellent writeups that were published this week. Make sure to check out the entire writeups section below. These two are the ones that caught my attention the most for their impact and interesting technical details.
@rootxharsh and @iamnoooob got Remote Code Execution on three Apple subdomains by analyzing the CMS they use (Lucee). @steventseeley also popped shells but on Microsoft Office 365 and he also bypassed two different patches for the vulnerability.
3. Tools of the week
OpenAPI Security Scanner & Automating Permission Checks Using OpenAPI Security Scanner?
Remember BBRF, @honoki‘s Python tool for storing/querying bug bounty data in a CouchDB database? I’ve been using it and it is an excellent solution for easily handling assets and scopes. Now it also has a Burp plugin that allows you to add domains/URLs to your database from Burp! Fantastic, right?
The second tool is an innovative scanner for automating authorization tests. Logic flaws are notoriously difficult to automate, but @ngalongc manages to do just that! Pointed at an API with a set of credentials, his OpenAPI Security Scanner monitors for changes in permissions and notifies you if any permissions have changed.
4. Video of the week
@Farah Hawa Talks About Learning How to Code, Javascript, Creating Content, Mentorship and more!
Anyone who thinks it is too late to start bug bounties or they don’t have the right technical background should watch this interview. @Farah_Hawaa shares her story and how she got into Web hacking in a relatively short time. She went from journalism / mass media studies to becoming a hacker, triager for a bug bounty platform and content creator. Such an inspiration!
5. Podcast of the week
Day[0] Episode 60 – Breaking Lock Screens & The Great Vbox Escape
Day[0] is already at episode 60 and I’ve just heard of it! I love that it’s not just about generic InfoSec news but also comments on very technical writeups and topics. A really nice discovery!
Other amazing things we stumbled upon this week
Videos
BOUNTY THURSDAYS – 2021 + new tools + new stuff = COOL BUGS!
Watch me hack a bug bounty target from scratch. #bugbounty #hacking
Podcasts
Webinars & Webcasts
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Pentest writeups
Responsible(ish) disclosure writeups
Bug bounty writeups
How I hijacked the top-level domain of a sovereign state (Internet Bug Bounty)
Attack of the clones 2: Git CLI remote code execution strikes back (GitHub)
Guest Blog Post: Leaking silhouettes of cross-origin images (Mozilla, Chrome)
The Embedded YouTube Player Told Me What You Were Watching (and more) (Google, $1,337)
Let’s know How I have explored the buried secrets in React Native application
Access Token Smuggling from my.playstation.com via Referer Header (PlayStation, $1,000)
See more writeups on The list of bug bounty writeups.
Tools
Metasploit Modules for RCE in Apache NiFi and Kong API Gateway
whatislife_enum: File system enumerator and monitor for Android
Tips
Misc. pentest & bug bounty resources
Challenges
Articles
How I stole the data in millions of people’s Google accounts
Breaking The Browser – A tale of IPC, credentials and backdoors & ChromeTools
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures & Sigwhatever
Bug bounty & Pentest news
Non technical
Community pick of the week
We’d love to hear from you and celebrate your wins! Tag us if, like Stefan, you’re in swag heaven or want to share your bug hunting joys with other Bug Bytes readers.