Bug Bytes #113 – MS Exchange pre-auth RCE, Burp Crawler demystified & SSO security thesis
By Anna Hammond
March 10, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 1 to 8.
Intigriti News
Spectre’s comeback, Exchange zero-days & Risky JSON parsing and Go packages
Our favorite 5 hacking items
1. Articles of the week
Web application cartography: mapping out Burp Suite’s crawler
Security and Privacy of Social Logins & Thesis
The first article is about the internals of Burp’s crawler. Whether you’re a Burp user or interested in Web crawling in general, it is fantastic to discover how it does its magic and overcomes challenges of modern Web apps that make crawling them difficult.
The second article (or rather a brilliant series of three articles plus a full thesis!) is all about SSO security. Louis Jannett analyzed real-world implementations of SSO (including Apple, Google, and Facebook SSO) and shared the common weaknesses and vulnerabilities he found.
2. Writeup of the week
TryHackMe X HackerOne CTF WriteUp (Hacker Of The Hill)
This is a solid writeup for the recent “Hacker of the Hill” CTF. It shows some interesting Web hacking techniques that might be useful for real tests (e.g. path traversal leveraging RFC822).
3. Video of the week
Finding Your Next Bug: GraphQL Hacking – Katie Paxton-Fear (@InsiderPhd)
This is an excellent introduction to GraphQL hacking. The best part? Not only does @InsiderPhD tell you everything you need to start testing GraphQL implementations, she also provides a lab to practice (see the intentionally vulnerable Generic-University that has a newly added GraphQL API).
4. Tools of the week
BurpSuiteAutoCompletion
netz & Intro
fransr/logger.js
BurpSuiteAutoCompletion by @_StaticFlow_ is a Burp extension that adds header autocompletion to the Repeater and Intruder tabs. This is a huge time-saver if you often need to change or add HTTP headers. The header list used by default comes from SecLists, but you can customize it.
Netz is a Go tool for mass-scanning the Internet similarly to Shodan, Censys or ZoomEye, but with the ability to perform any custom checks. I haven’t tried it but bookmarked it in case I need to run large scale scans.
Another interesting tool is logger.js, @fransrosen’s reflection script that helps him find script gadgets for XSS. Worth a try if you’re into DOM XSS!
5. Bugs of the week
@orange_8361 recently teased a Microsoft Exchange pre-auth RCE, then shared a site and demo for the bug, called ProxyLogon. It turned out to be part of a pretty bad RCE bug chain currently being exploited in the wild.
I didn’t find a detailed writeup of all the vulnerabilities, but here are a few resources to keep you up to date:
Nuclei template & proxylogscan (@dwisiswant0’s Go scanner) both for CVE-2021-26855/ProxyLogon
Other amazing things we stumbled upon this week
Videos
SQL Injection – Lab #1 SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Dependency Confusion Pt. 1 | The Setup | Packages | Private Registry & Pt. 2 | Final Part | Exploiting Dependency Injection
Podcasts
DAY[0] Episode 67 – Buggy Browsers, Heap Grooming, and Broken RSA?
Hafnium – Dependency Confusion, Intel Side Channel Attacks, Crispy Subtitles From Lay’s
Webinars
Finding Your Next Bug: GraphQL Hacking – Katie Paxton-Fear (@InsiderPhd)
Burp Suite Cheat Sheet & Tips and Tricks & Burp Suite Cheat Sheet v1.0
BHIS | Sacred Cash Cow Tipping 2021 – John Strand & BHIS Testers
Tutorials
Medium to advanced
Beginners corner
Writeups
Pentest writeups
Responsible(ish) disclosure writeups
CyRC Vulnerability Advisory: Denial of service vulnerability in Jetty web server #Web #CodeReview
Multiple Vulnerabilities in Micro Focus Operations Bridge Reporter #Web #CodeReview
CVE-2020-28243 SaltStack Minion Local Privilege Escalation #PrivEsc
SaltStack API vulnerabilities #Web #RCE
Bug bounty writeups
Adobe AEM Security Web Series Part 1 | From dispatcher filter bypass to XSS on 40+ Linkedin websites (video)
Elastic Community Conference: Elastic Disclosure—Finding and Reporting Security Bugs to Elastic (video)
Write Up – Google VRP N/A: SSRF Bypass With Quadzero In Google Cloud Monitoring
See more writeups on The list of bug bounty writeups.
Tools
Wingman: XSS scanner
http2smugl: Go tool that helps detect and exploit HTTP request smuggling in cases where it can be achieved via HTTP/2 -> HTTP/1.1 conversion by the front-end server
dnspy: Find subdomain takeovers
BurpFeed: Python and Go tool for feeding URLs into Burp’s Sitemap
Tips & Tweets
Misc. pentest & bug bounty resources
Challenges
Articles
Bug bounty & Pentest news
Non technical
Community pick of the week
We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.