Bug Bytes #107 – Go for HTTP smuggling, Open source frameworks vs Cache poisoning & Practicing RCE in NodeJS apps
By Anna Hammond
January 27, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 18 to 25 of January.
Intigriti News
A slew of Cisco bugs, Risks of DoH & DNSpooq (aka new proof that it’s always DNS!)
Our favorite 5 hacking items
1. Videos of the week
Insecure Deserialization Attack Explained
Live Recon on Snapchat with @ITSecurityGuard (amass, FFUF, SecurityTrails Demo)
@PwnFunction is back with an awesome video tutorial on deserialization. It is concise and maybe the best explanation I’ve seen on this rather complex vulnerability class.
The other video is the first of a new series by @NahamSec where he hacks live with a fellow bug hunter (@ITSecurityGuard this time). This is a fantastic idea, like a practical interview or walkthrough to see how other hackers work.
2. Writeup of the week
The Secret Parameter, LFR, and Potential RCE in NodeJS Apps
This is an informative writeup by @0xCaptainFreak on Local File Read in NodeJS apps, when ExpressJS is used with hbs (view engine for Handlebars). Without spoiling it more, can you find the issue in this code that reproduces the bug?
3. Article of the week
Cache poisoning in popular open source packages
@snyksec dived into Web cache poisoning in open source packages and found several well-known frameworks vulnerable. For example, Bottle, Tornado and Rack all use “parse_qsl”, an insecure method in Python’s source code, which makes them vulnerable to cache poisoning attacks.
4. Tip of the week
Another way to do HTTP smuggling
@BitK_ shared a new HTTP smuggling technique that @albinowax interprets as “Golang’s network stack attempting to parse HTTP headers as ~UTF-8 even though everyone else treats them as ASCII”. It is yet to be confirmed but looks like a very interesting area to explore.
5. Tool of the week
New week, new Burp customizer extension! This one from @irsdl adds cool features like the ability to change Burp’s title and icon, to change the style of tabs and to use pretty gradient icons.
Other amazing things we stumbled upon this week
Videos
Intro to CSRF (Cross-Site Request Forgery) – Security Simplified
$15,000 Playstation Now RCE via insecure WebSocket connection – Bug Bounty Reports Explained
Podcasts
Webinars & Webcasts
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Responsible(ish) disclosure writeups
Unauthenticated XSS to Remote Code Execution Chain in Mautic < 3.2.4 #Web
Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678) #NTLM #Network
Microsoft Teams and Skype Logging Privacy Issue #DesktopApp
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) #Linux
The State of State Machines #WebRTC
CVE-2020-5144 – SonicWall Global VPN New Elevation of Privileges Vulnerability #LPE #Windows
Bug bounty writeups
$10,000 for automatic email confirmation bug in Microsoft’s Edge browser (Microsoft, $10,000)
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card (Amazon, $18,000)
Let’s know How I have explored the buried secrets in React Native application
BitLocker Lockscreen bypass (Microsoft)
ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792 (Apple, Google)
Possible RCE through Windows Custom Protocol on Windows client (NordVPN, $500)
See more writeups on The list of bug bounty writeups.
Tools
EIP Fishing: Go fish on AWS EIPs
jwtXploiter: A tool to test security of json web token
SAP_EEM_CVE-2020-6207: PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)
Tips
Misc. pentest & bug bounty resources
Executable XSS cheat sheets for popular web frameworks #CodeReview
OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
Challenges
Articles
Custom Static Analysis Rules Showdown: Brakeman vs. Semgrep #CodeReview
Credentials hiding in plain sight or how I pwned your http auth & httpcreds
Bug bounty & Pentest news
Non technical
Community pick of the week
Nice beanie there @xsstnv!
We love hearing from you and celebrating your wins. Tag us if you also want to share your swag and bug hunting joys with other Bug Bytes readers.