Bug Bytes #164 – New Collaborator domain, BITB attack & XSS to RCE on an almost static site
By Anna Hammond
March 23, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 14 to 21.
Intigriti news
Intigriti’s March XSS challenge By @BrunoModificato
Our favorite 5 hacking items
1. Tip of the week
Using privacy.com to generate cards with $0 spending limit
Tell the truth, have you ever been charged after signing for a trial then forgetting to cancel the subscription?
It happened to me more times than I’d like to admit, but it won’t anymore thanks to @hacker_ fantastic tip: Using privacy.com‘s free tiers, it is possible to create virtual cards with a $0 spending limit and never get charged for anything.
2. Writeups of the week
From XSS to RCE (dompdf 0day)
CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera (Google, Microsoft & Opera, $10,000)
@positive_sec penetration testers discovered an XSS on a mostly static site. They share how this low impact finding led to RCE because of a functionality to export pages as PDF. A creative tale involving HTML injection in a HTML-to-PDF converter and injecting PHP disguised as a font.
The second writeup is about a system environment variables leak in the Chromium engine, found by @pulik_io and impacting Google Chrome, Microsoft Edge, and Opera.
3. Tutorial of the week
Basic security for humans in 4 Fridays
This reminds me of a cousin who has trouble remembering all her passwords but refuses to use a paid password manager or anything complex to set up.
This tutorial is the perfect solution to share with her and anyone in our lives who needs a simple solution to manage passwords, MFA and secure their devices using only reputable free software.
Thanks to securibee for sharing this link on your newsletter where I discovered it!
4. Article of the week
Browser In The Browser (BITB) Attack & Repo
@MrDox demonstrates a simple but terrifyingly effective phishing technique: Using HTML/CSS to create a fake “Login with Google/Microsoft/Apple/etc” popup window. It is just appears like a popup with the right URL, but is actually just an image inside the attacker’s site.
Note that this is not new, similar attacks have been known as “picture-in-picture attack”.
5. Video of the week
Q: PENTEST VS BUGBOUNTY? (Bounty Thursday’s – ON AIR)
I know I’ve already mentioned this show before, but it just brings me so much joy.
The production is top notch, the bug bounty news part is always informative, and the new Q&A / chat part brings the show to a whole new level.
I am sure y’all already know about it, so this is essentially a shoutout to @stokfredrik for sharing such quality and joyful content for hackers.
Other amazing things we stumbled upon this week
Videos
Career Conversations with seclilc – Offensive Cybersecurity!
Alissa Knight Talks About API Hacking, Car Hacking, Creating Content for Hackers and More!
$100k Hacking any website in Safari with uXSS – a 0-day chain
iOS + Frida Tutorial, Part I, iOS + Frida Tutorial, Part II & iOS + Frida Tutorial, Part III
Heap Exploitation on Linux 101: The House of Force Technique
Podcasts / Audio
Webinars
Conferences
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
CORS – Lab #1 CORS vulnerability with basic origin reflection
Intigriti 1337UP CTF (pwn challenges):
Pentest writeups
Responsible(ish) disclosure writeups
Prototype Pollution in plist v3.0.4 and simple-plist (CVE-2022-22912) #Web #CodeReview
How I Discovered Thousands of Open Databases on AWS #Web #Cloud
How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects #CI/CD
Infinite loop in BN_mod_sqrt() reachable when parsing OpenSSL certificates (CVE-2022-0778), PoC by @Drago1729
CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16 #Router #Web
cr8escape: New Vulnerability in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811)
Known vulnerabilities
Bug bounty writeups
Securing Developer Tools: Git Integrations (Microsoft, JetBrains, GitHub)
How I Tracked You Around The Globe 🌎 (Google)
CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years (Apple)
Arbitrary file read via the bulk imports UploadsPipeline (GitLab, $29,000)
See more writeups on The list of bug bounty writeups.
Tools
Smap: Replica of nmap that uses shodan’s free API for scanning
frequest & How I was able to find 50+ Cross-site scripting (XSS) Security Vulnerabilities on Bugcrowd Public Program?: Quickly test multiple URLs for XSS and SQL injection
DomainAlerting: Get notifications when a new domain name is registered and contains your keywords
redirex: Go tool that generates bypasses for open redirects
mksub: Make subdomains using a wordlist
CrackHound & Intro: Introduce plain text passwords into BloodHound
AWS Scaled Command Bash Script – Run AWS commands for many profiles
Tips & Tweets
Oneliner to find subdomain takeovers using BBRF, nuclei and Axiom
@Jhaddix’s testing environment, #BugBountyDiary & The next innovations in recon frameworks
Misc. pentest & bug bounty resources
Cloud Labs AD: Provisioning scripts for an Active Directory lab environment on Azure
Articles
AWS RDS does not force clients to connect using a secure transport layer
Abusing Arbitrary File Deletes To Escalate Privilege And Other Great Tricks
Challenges
Intigriti’s March XSS challenge By @BrunoModificato (March 21 – 27)
Winja CTF – Berlin 2022 (April 9)
Bug bounty & Pentest news
Cybersecurity
Researcher uses Dirty Pipe exploit to fully root a Pixel 6 Pro and Samsung S22
Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach
NPM maintainer targets Russian users with data-wiping ‘protestware’
Apple Safari empowers developers to mitigate web flaws with WebKit CSP enhancements
Upcoming events
OSINT Summit 2022 (April 7)
Tool updates
Burp Professional / Community 2022.3 (Collaborator now uses
oastify.com
instead ofburpcollaborator.net
) & New “Fastest” crawl strategy
Non technical
You may also like
Intigriti Bug Bytes #220 - January 2025 🚀
January 10, 2025
Intigriti Bug Bytes #219 - December 2024 🎅
December 13, 2024
Bug Bytes #218 – Advent of Cyber, RCEs and hacking poems
December 6, 2023