Bug Bytes #158 – postMessage XSS tips, API testing toolbox & Finding 100+ bugs in WordPress plugins
By Anna Hammond
February 9, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 31 to February 07, 2022.
Intigriti news
Intigriti’s February XSS challenge by @aszx87410
Our favorite 5 hacking items
1. Tutorial of the week
This is worth a read if you’re interested in postMessage XSS. @oliverrickfors shares a methodology to easily find addEventListener in JS files (given a list of hosts as input), then what to do next to test and exploit them for XSS.
2. Writeups of the week
Solving DOM XSS Puzzles
CVE-2022-21703: cross-origin request forgery against Grafana
Can’t get enough of postMessage XSS? Check out @spaceraccoonsec’s writeup on two XSS vulnerabilities he found on bug bounty programs. They involve interesting bypasses and advanced tips worth adding to any DOM XSS methodology.
Another interesting finding is a CSRF found on Grafana by @jub0bs and @theabrahack. It could basically make a Grafana Admin unwittingly send you a user invite to become admin of their instance, demonstrating that CSRF is definitely not dead.
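As an added illustration of the postMessage triage step described in the tutorial and writeups above (example code, not from the newsletter or the linked posts): a small static helper that scans JavaScript source text for `"message"` event listeners and reports whether each handler compares `event.origin` before using the data. The sample sources, file names and the `render` call are constructed for this example.

```javascript
// Added example, not code from the newsletter or the linked write-ups: a
// static triage helper for the "find addEventListener in JS files" step.
// All sample sources below are constructed for this example.
const SAMPLE_SOURCES = {
  // constructed: trusts any sender and writes the payload into the DOM
  "widget.js": `
    window.addEventListener("message", function (e) {
      document.getElementById("out").innerHTML = e.data.html;
    });`,
  // constructed: validates the sender before acting on the message
  "embed.js": `
    window.addEventListener('message', (event) => {
      if (event.origin !== 'https://app.example.com') return;
      render(JSON.parse(event.data));
    });`,
  // constructed: no message listener at all
  "util.js": `export const add = (a, b) => a + b;`,
};

// Matches addEventListener("message", <handler>) and captures the handler's first
// parameter name (a named handler reference is captured too and ends up flagged
// for manual review, since its body is not inline).
const LISTENER_RE =
  /addEventListener\(\s*['"]message['"]\s*,\s*(?:function\s*)?\(?\s*([A-Za-z_$][\w$]*)?/g;

function findMessageListeners(source) {
  const findings = [];
  let m;
  while ((m = LISTENER_RE.exec(source)) !== null) {
    const param = m[1] || "event";
    // Inspect the text up to the next listener registration for an origin check.
    const next = source.indexOf("addEventListener", m.index + 1);
    const body = source.slice(m.index, next === -1 ? source.length : next);
    const escaped = param.replace(/\$/g, "[$]"); // "$" is legal in JS identifiers
    const checksOrigin = new RegExp(`\\b${escaped}\\.origin\\s*(===|!==|==|!=)`).test(body);
    findings.push({ index: m.index, param, checksOrigin });
  }
  return findings;
}

// Returns, per file, each listener with a triage label for the reviewer.
function triage(sources) {
  const report = {};
  for (const [name, src] of Object.entries(sources)) {
    report[name] = findMessageListeners(src).map((f) => ({ ...f, label: f.checksOrigin ? "origin checked" : "review: no origin check" }));
  }
  return report;
}
```

The origin test is a heuristic: a handler that checks `origin` through a helper or an allow-list lookup is still reported for review, which is the intended behaviour for a first pass over a large JS corpus.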
3. Video of the week
My API Testing Automated Toolbox
Testing a small intentionally vulnerable API is one thing, but where to start when you’re looking for bugs in a large API with thousands of requests on a hardened bug bounty target?
Watch @InsiderPhD explain a sensible approach that combines automation and a manual workflow, with details on the tools she recommends.
4. Article of the week
A technique to semi-automatically find vulnerabilities in WordPress plugins
What is better than finding a vulnerability in a WordPress plugin? Finding over 100 vulnerabilities in dozens of popular WordPress plugins!
@kazet1234 details a semi-automatic approach used to scan for multiple vulnerability classes including XSS, SQL injection, CSRF, arbitrary file read and more. Amazing research that is interestingly transferable to other CMSes.
5. Tool & Tip of the week
fonetic-go
35 bytes PHP backdoor that’s protected by a password & supports arbitrary function calls
@s0md3v just dropped these two beautiful gems. The first one is a Go tool that tells you whether a string is machine-generated or human readable. I’m not sure which use case he has in mind, but I’d use this to programmatically extract potential secrets from code.
The second tool is a neat PHP webshell that is protected by a password and supports arbitrary function calls despite being very short. From now on, this is my go-to PHP webshell!
Other amazing things we stumbled upon this week
Videos
100 hours of bug bounty on a public Hackerone program. Bounty vlog #1 – Stripe
Reverse Engineering 101 – Introduction to IDA PRO: Reversing/Patching a Binary from crackmes.one
Webinars
[SecWed] 26 Jan 22 | Automate Reverse Engineering CTF with Angr & An introduction to container hacking
Tutorials
How to restrict XXE resolving? #BlueTeam
I’m Bringing Relaying Back: A Comprehensive Guide On Relaying Anno 2022
Writeups
Challenge writeups
SQLi, SSTI & Docker Escapes / Mounted Folders – HackTheBox University CTF “GoodGame”
H1-CTF Hacky Holidays Writeups by akshansh & w31rd0
Responsible(ish) disclosure writeups
Don’t trust comments #Web
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments #CI/CD
CoronaCheck App TLS certificate vulnerabilities #iOS #Android
Bug bounty writeups
Abusing Facebooks Call To Action To Launch Internal Deeplinks (Facebook, $4,000)
My first bounty, IDOR + Self XSS [€3000] (Intigriti, $3,000)
A wontfix request header injection vulnerability in net/http (Ruby)
CVE-2021-44142: Details On A Samba Code Execution Bug Demonstrated At Pwn2Own Austin ($45,000)
Tools
LFIDump: A simple python script to dump remote files through a local file read or local file inclusion web vulnerability
Aerides & Intro: An implementation of infrastructure-as-code scanning using dynamic tooling
SMBSR: Lookup for interesting stuff in SMB shares
SMBeagle: SMB fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written (useful for lateral movement and privilege escalation)
EvilSelenium: A C# tool that weaponizes Selenium to attack Chrome
Tips & Tweets
@mrtuxracer, @equat0rium & @samm0uda’s inspiring success stories
Misc. pentest & bug bounty resources
InsecureProgrammingDB: Insecure programming functions database
Top 25 Browser Extensions for Pentesters and Bugbounty Hunters (2022)
File formats, Techniques and Tools that can be used to execute code in MS Office
Challenges
wrongsecrets: Examples with how to not use secrets
Upcoming events
Intigriti 1337UP LIVE (March 12)
Hacking Battlegrounds #4: Valentine’s Special – Hacking Will Tear Us Apart! (Live stream on February 18)