Bug Bytes #143 – Building an Apache SSRF exploit, Thesis on HTTP Request Smuggling & Turbo Intruder go brrr
By Anna Hammond
October 20, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from October 11 to 18.
Intigriti News
How Artificial Intelligence is being used to match researchers with bug bounty programs
Our favorite 5 hacking items
1. Resource of the week
Bachelor’s thesis on HTTP Request Smuggling
Mattias Grenfeldt (@mgrenfeldt) and Asta Olofsson published their Bachelor’s thesis on HTTP Request Smuggling. After it was published, they also discovered a new technique that uses chunk extensions and affected Node.js.
There is a lot to unpack here but if you can’t get enough of this vulnerability, they also have a writeup on HRS in Gunicorn.
2. Writeups of the week
Bypassing required reviews using GitHub Actions (GitHub)
Stored XSS in markdown via the DesignReferenceFilter (GitLab, $16,000)
@omer_gil discovered a creative way to bypass required reviews on GitHub. Users with “write” permissions on a repo could create a GitHub Action that approves their pull request, allowing them to bypass required reviews.
The second writeup is an interesting bug chain on GitLab. @wcbowling found a stored XSS with CSP bypass that could be escalated to arbitrary file read / SSRF.
3. Vulnerability of the week
Building a POC for CVE-2021-40438, one-liner PoC & Nuclei template
CVE-2021-40438 is an SSRF in Apache HTTP Server 2.4.48 and earlier. It was discovered by the Apache HTTP security team and patched back in September, but there wasn’t any public proof of concept until now.
@Firzen14 details in an excellent article how they reverse engineered the patch and constructed the exploit.
4. Tip of the week
How to make Turbo Intruder attacks go as fast as possible
PortSwigger shared tips for making Turbo Intruder go as fast as possible. These can make all the difference when you are testing a vulnerability and speed is an important factor (e.g. race conditions).
5. Tutorial of the week
The first step to hack anything is understanding how it works, right? If you are interested in client-side vulnerabilities or browser security, you might enjoy this introduction to CORS. It covers this fundamental Web mechanism, its history and how it works, and includes a playground for practice.
Other amazing things we stumbled upon this week
Videos
$2,500 Leaking parts of private Hackerone reports – timeless cross-site leaks
How to conduct a basic security code review | Security Simplified
Webinars
Conferences
Tutorials
Writeups
Challenge writeups
Pentest writeups
Responsible(ish) disclosure writeups
GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 #Crypto #CodeReview
Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace #Web #Ethereum
0-day & N-day vulnerabilities
Bug bounty writeups
Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members (Slack)
Auth Bypass in Google Assistant (Google, $8,133.70)
Stored XSS in Mermaid when viewing Markdown files (GitLab, $3,000)
See more writeups on The list of bug bounty writeups.
Tools
RIO & Guide: A handy plugin for copying requests/responses or generating reports directly from Burp
gh-dork: Github dorking tool
Gorgo: A multi-threaded password sprayer based on Medusa, built for distributed spraying
LDAP Monitor: Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration
SAML2Spray: Python Script for SAML2 Authentication Passwordspray
Tips & Tweets
Cloudflare bypass for RCE via Unrestricted file upload & Stored XSS
If you find an S3 subdomain takeover, you need to set up the S3 bucket in the correct region
Interactsh server can be used to query cloud metadata services
Misc. pentest & bug bounty resources
Learn Burp Suite Plugin Development from Scratch. ($5 pre-launch, $8 post-launch)
Challenges
Articles
Bug bounty & Pentest news
Cybersecurity
Upcoming events
Ekoparty 2021 (November 2-6)
Tool updates
Non technical