Bug Bytes #126 – XSS in AWS, exotic Python RCE vectors, zseano’s methodology
By Anna Hammond
June 9, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 31 to June 7.
Intigriti News
The Ethical Hacker Insights Report 2021 webinar
Our favorite 5 hacking items
1. Conference of the week
Unexpected Execution: Wild Ways Code Execution can Occur in Python & Repo
In this talk, Graham Bleaney and Ibrahim Mohamed show several functions that enable Remote Code Execution in Python other that the standard eval and exec libraries. This is so insightful for anyone interested in RCE, SSTI or Deserialization vulnerabilities in Python apps.
2. Writeup of the week
XSS in the AWS Console (Amazon)
@Frichette_n found two XSS vulnerabilities in AWS Console. Like he says, the writeup has everything from XSS to CSP bypass, Client-Side template injection and memes. A great read and cool findings!
3. Resources of the week
zseano’s methodology & Other BugBountyHunter.com news
NotKeyHacks
@zseano‘s methodology is freeee! It’s a 71 pages ebook where he details his own methodology for bug hunting, including tools and all the questions he asks himself at each step that allow him to find vulnerabilities that most people miss.
@dee__see‘s NotKeyHacks is such a great idea! It’s the opposite of KeyHacks, so a collection of tokens that look sensitive but are not. Next time you intent to report hardcoded tokens or API keys, make sure to check if they appear in this repo.
4. Tools of the week
page-fetch & What is a Prototype Pollution vulnerability and how does page-fetch help?
If you want a self-hosted version of XSS Hunter to test for Blind XSS, this is it! @IAmMandatory re-wrote the tool to make it easy to install and maintain thanks to Docker and Let’s Encrypt certificates.
page-fetch is @TomNomNom‘s latest open source tool that helps test for client-side bugs like Prototype pollution. It comes with a detailed tutorial on this vulnerability class, how it works and how page-fetch helps detect it.
5. Tutorial of the week
ASP.NET Cryptography for Pentesters & Cheatsheet
This tutorial by @paulmmueller covers the practical exploitation of ASP.NET cryptography, with a cheatsheet for pentesters. This could be an invaluable resource when you’re testing an ASP.NET app for the first time.
Other amazing things we stumbled upon this week
Videos
Podcasts
Webinars
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Pentest writeups
Passbolt security audit 2021 #PentestReport
Responsible(ish) disclosure writeups
Joomla Password Reset Vulnerability And A Stored XSS For Full Compromise #Web
XSS to Account Takeover — Gambling Sites #Web #DOMXSS
The 0xDABB of Doom: CVE-2021-25641 #RCE #Dubbo
CVE-2021-3198 and CVE-2021-3540: MobileIron Shell Escape Privilege Escalation Vulnerabilities #Web
WE.LOCK: Unlocking Smart Locks with Web Vulnerabilities #SmartLocks #IoT
N-day vulnerabilities
Vcenter Server CVE-2021-21985 RCE PAYLOAD, Nmap NSE script & Learning JNDI Injection From CVE-2021-21985
SolarWinds Orion Deserialization to RCE vulnerability analysis (CVE-2021–31474)
Bug bounty writeups
XSS in the AWS Console (Amazon)
Exploiting Open Redirect – Whitelist Bypass Using Salesforce Environment
Pop-Ups in a good-world ($2,000)
Header modification results in disclosure of Slack infra metadata to unauthorized parties (Slack, $500)
Blind XSS on Google Nest (Google)
See more writeups on The list of bug bounty writeups.
Tools
PrOfESSOS & Security Analysis in an OpenID Connect Lab Environment: An open source implementation for fully automated Evaluation-as-a-Service for SSO
Spyse API wrapper for Go: The official wrapper for Spyse API, written in Golang, aimed to help developers build their integrations with Spyse
Pinaak: A bash script that automatically finds vulnerable paramters and runs some commonly used tools to find various vulnerabilities
Request Logger: @adamtlangley’s dockerized application for logging HTTP and DNS requests
Tips & Tweets
Misc. pentest & bug bounty resources
The 10 Most Popular Bug Bounty Courses and Training Programs for Beginners
Android Application Penetration Testing Mindmap & 2FA Bypass Techniques MindMap
Challenges
Metarget: Framework providing automatic constructions of vulnerable infrastructures
Articles
Bug bounty & Pentest news
Do you have a Burp extension or recon project idea? @Regala_’s offering bounty based sponsorship
Upcoming events:
THCon 2021 (June 11)
Tools updates:
Non technical
Community pick of the week
Awesome! It looks good, @sumgr0, and is very well deserved!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!
You may also like
Intigriti Bug Bytes #221 - February 2025 🚀
February 14, 2025
Intigriti Bug Bytes #220 - January 2025 🚀
January 10, 2025
Intigriti Bug Bytes #219 - December 2024 🎅
December 13, 2024