Bug Bytes #131 – Credential stuffing in bug bounty, Hijacking shortlinks & Hacker shows
By Anna Hammond
July 14, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 5 to 12.
Our favorite 5 hacking items
1. Tools of the week
ppmap
WILSON Cloud Respwnder & Intro
ppmap is a Go scanner to test for XSS via prototype pollution using known gadgets and existing research. Being 100% automated, it is a handy way to test for those low-hanging prototype pollution bugs.
WILSON Cloud Respwnder is an alternative to Burp Collaborator and Interactsh by @honoki. Why another tool? Because it allows you to continue receiving OOB requests for a long time (no need to keep Burp or an Interactsh session open). It can send notifications to Slack or Discord, allows block-listing domains from notifications and serving custom files.
If only it were named AlorsOnDNS!
2. Writeups of the week
Credential stuffing in Bug bounty hunting ($8,300)
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer
It is interesting to see credential stuffing (usually more associated with pentest/red teaming) leveraged for bug bounties. @Krevetk0Valeriy shares how they did it and managed to score several bounties.
The second writeup is about exploiting a third-party app analytics platform. By overwriting shortlinks, it was possible to serve malicious apps to thousands of users. As usual, a very insightful writeup by @samwcyo.
3. Challenge of the week
SQHell & ep02 CTF TEARDOWN SQHELL on TryHackMe
SQHell is a free TryHackMe room by @adamtlangley. It covers 5 types of SQL injection, including nested SQL injection / SQL inception, which is interesting to practice. If stuck, check out the hour-long video walkthrough by the challenge’s author himself.
4. Videos of the week
Hacker Tools – CyberChef & Blog post
Hacker Heroes #4 – @real_bitmap (Interview)
I love listening to interviews when I am walking outside, so this new Hacker Heroes series by @PascalSec comes at a perfect time.
If I’m in the mood for more technical content, @PinkDraconian’s byte-sized tutorials (both blog posts and this new video format) always teach me something new.
Great job and not just because we’re colleagues!
5. Tip of the week
Did you know that XML elements are a good place to test for SQL injection? It’s worth remembering especially in cases where all your XXE attempts are failing.
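As an added illustration of this tip (example code written for this issue, not from any of the linked write-ups), here is a hypothetical lookup handler that reads a username out of an XML element and uses it in a SQL query. The unsafe variant concatenates the element text into the statement, so an element body can change the query logic; the safe variant binds it as a parameter, so the same input matches no rows. The table, rows and XML bodies are constructed for the demo.

```python
# Added example: SQL injection reachable through an XML element body.
# Input filters that only inspect form fields or JSON often miss text
# carried inside XML elements, which is why the tip above is worth remembering.
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def username_from_xml(body):
    """Extract the <username> element text; it is attacker-controlled input."""
    root = ET.fromstring(body)
    node = root.find("username")
    return node.text if node is not None and node.text is not None else ""


def lookup_unsafe(conn, body):
    """Vulnerable: element text is concatenated straight into the SQL string."""
    username = username_from_xml(body)
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, body):
    """Fixed: the element text is bound as a parameter, never parsed as SQL."""
    username = username_from_xml(body)
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    benign = "<lookup><username>alice</username></lookup>"
    tautology = "<lookup><username>x' OR '1'='1</username></lookup>"
    print("benign   :", lookup_unsafe(conn, benign), lookup_safe(conn, benign))
    # unsafe returns every row; safe returns none
    print("tautology:", lookup_unsafe(conn, tautology), lookup_safe(conn, tautology))
```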
Other amazing things we stumbled upon this week
Videos
Interview With @Base_64 : 19 Y/o | ~7000 Rep On Hackerone | Methodology, Mindset, Life & More…
What is a Browser Security Sandbox?! (Learn to Hack Firefox)
$20,000 RCE in GitLab via 0day in exiftool metadata processing library CVE-2021-22204
Podcasts
REvil’s Clever Crypto – Microsoft Fails to Patch PrintNightmare & Sodinokibi Malware’s Crypto Design
Webinars
Conferences
Tutorials
Medium to advanced
Two One-liners for Quick ColdFusion Static Analysis Security Testing #CodeReview
Hacking Rendertron and Puppeteer— What to expect if you put a browser on the internet
Long passwords don’t cause denial of service when using proper hash functions
Beginners corner
Writeups
Challenge writeups
Full Stack Web Attack 2021 :: Zero Day Give Away (CVE-2021-28169)
So many different techniques to learn here! [CTF walkthrough]
SQL Injection – Lab #15 Blind SQL injection with out-of-band interaction
Pentest writeups
Responsible(ish) disclosure writeups
CVE-2021-28474: Sharepoint Remote Code Execution Via Server-side Control Interpretation Conflict #Web
Solarwinds Serv-U 15.2.3 Share URL XSS (CVE-2021-32604) #Web
Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587) #Web
CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities & Metasploit PoC #RCE
Windows Defender Antivirus SYSTEM RCE #MemoryCorruption
Old dog, same tricks #Network #RCE
UDP Technology IP Camera vulnerabilities #IoT #RCE
N-day vulnerabilities
Bug bounty writeups
FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com (GitLab, $6,000)
Stored XSS via Mermaid Prototype Pollution vulnerability (GitLab, $3,000)
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! (Shopify, $2,900)
See more writeups on The list of bug bounty writeups.
Tools
AioResolver: Fast DNS resolver
JiraScan: A simple remote scanner for Atlassian Jira
roboXtractor: Extract endpoints marked as disallow in robots files to generate wordlists
UserEnumTeams: User enumeration with Microsoft Teams API
TokenTactics: Azure JWT Token Manipulation Toolset
Tips & Tweets
Misc. pentest & bug bounty resources
rfc.fyi: Browseable, searchable RFC index
Filesec.io & Intro: A catalog of the latest file extensions being used by attackers
@0xAwali’s methodologies for testing File upload & Login
Challenges
Vuldroid: An intentionally Vulnerable Android Application
Articles
Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly & InlineExecute-Assembly
Bypassing macOS TCC User Privacy Protections By Accident and Design
Bug bounty & Pentest news
Ransomwhere project wants to create a database of past ransomware payments
Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards
Firefox becomes latest browser to support Fetch Metadata request headers
Chinese government lays out new vulnerability disclosure rules
Tool updates
Upcoming events
Non technical
Community pick of the week
You’re killing it! Congratulations @isira_adithya 🔥
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!