Bug Bytes #170 – Evasive vulnerabilities, Hacking Swagger UI & Reverse engineering REST APIs
By Anna Hammond
May 18, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 9 to 16.
Intigriti news
Intigriti invites cybersecurity players to join its global Partner Program initiative
Our favorite 5 hacking items
1. Conference of the week
Keynote Day 2 | Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle, Slides
I’ve been waiting for this talk recording for weeks, even more than for @albinowax‘s previous talks. The reason is that it is not about a single vulnerability, but about the broad principles and techniques that @albinowax uses to discover new attack classes and bugs that everyone else misses.
I think we all want to know how he does it, so do not miss this talk if you are interested in Web research.
2. Tool of the week
mitmproxy2swagger is a very useful tool for both developers and hackers. It automatically reverse-engineers REST APIs based on traffic captured while browsing an app.
More specifically, it takes a mitmproxy capture or a HAR file (exported from browser DevTools) as input, and returns an OpenAPI 3.0 specification for the REST API.
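To make the reverse-engineering step concrete, here is an added example (not mitmproxy2swagger’s own code) of the technique it automates: walk a HAR 1.2 capture, collapse numeric and UUID path segments into path parameters, collect query parameters and JSON body fields, and emit an OpenAPI 3.0 skeleton. The HAR structure, hostname and the `/api/` prefix filter are constructed for the example.

```python
"""Derive a minimal OpenAPI 3.0 document from a HAR capture (illustrative, not mitmproxy2swagger)."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Segments that look like identifiers are collapsed into path parameters.
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_NUM = re.compile(r"^\d+$")


def template_path(path):
    """'/api/users/42/orders/9' -> ('/api/users/{users_id}/orders/{orders_id}', [...]).

    Heuristic: a numeric or UUID segment becomes a parameter named after the
    literal segment that precedes it."""
    out, params, prev = [], [], None
    for seg in (p for p in path.split("/") if p):
        if _NUM.match(seg) or _UUID.match(seg):
            name = f"{prev}_id" if prev else "id"
            if name in params:          # same literal twice in one path
                name = f"{name}{len(params)}"
            params.append(name)
            out.append("{" + name + "}")
        else:
            out.append(seg)
            prev = seg
    return "/" + "/".join(out), params


def _json_type(v):
    """Map a JSON value to an OpenAPI schema type (bool is checked before int on purpose)."""
    if isinstance(v, bool):
        return "boolean"
    if isinstance(v, int):
        return "integer"
    if isinstance(v, float):
        return "number"
    if isinstance(v, list):
        return "array"
    if isinstance(v, dict):
        return "object"
    return "string"


def har_to_openapi(har, api_prefix="/api/", title="Reverse-engineered API"):
    """Build an OpenAPI 3.0 dict from HAR entries whose path starts with api_prefix."""
    paths = defaultdict(dict)   # template -> method -> operation object
    servers = set()
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        u = urlsplit(req["url"])
        if not u.path.startswith(api_prefix):
            continue                      # static assets, tracking pixels, etc.
        servers.add(f"{u.scheme}://{u.netloc}")
        template, pnames = template_path(u.path)
        op = paths[template].setdefault(req["method"].lower(),
                                        {"parameters": [], "responses": {}})
        seen = {p["name"] for p in op["parameters"]}
        for n in pnames:
            if n not in seen:
                op["parameters"].append({"name": n, "in": "path", "required": True,
                                         "schema": {"type": "string"}})
                seen.add(n)
        for k, _ in parse_qsl(u.query, keep_blank_values=True):
            if k not in seen:
                op["parameters"].append({"name": k, "in": "query",
                                         "schema": {"type": "string"}})
                seen.add(k)
        post = req.get("postData")
        if post and post.get("mimeType", "").startswith("application/json"):
            try:
                body = json.loads(post.get("text") or "{}")
            except json.JSONDecodeError:
                body = None
            if isinstance(body, dict):
                props = {k: {"type": _json_type(v)} for k, v in body.items()}
                op["requestBody"] = {"content": {"application/json": {
                    "schema": {"type": "object", "properties": props}}}}
        status = str(resp["status"])
        r = op["responses"].setdefault(status, {"description": f"HTTP {status}"})
        mime = resp.get("content", {}).get("mimeType", "")
        if mime:
            r.setdefault("content", {}).setdefault(mime.split(";")[0].strip(), {})
    return {"openapi": "3.0.0",
            "info": {"title": title, "version": "0.1"},
            "servers": [{"url": s} for s in sorted(servers)],
            "paths": dict(paths)}


# Constructed HAR excerpt standing in for a DevTools "Save all as HAR" export.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.com/api/users/42?expand=orders"},
     "response": {"status": 200, "content": {"mimeType": "application/json; charset=utf-8"}}},
    {"request": {"method": "GET", "url": "https://app.example.com/api/users/43"},
     "response": {"status": 404, "content": {"mimeType": "application/json"}}},
    {"request": {"method": "POST", "url": "https://app.example.com/api/users/42/orders",
                 "postData": {"mimeType": "application/json",
                              "text": "{\"sku\": \"A-1\", \"qty\": 2, \"gift\": false}"}},
     "response": {"status": 201, "content": {"mimeType": "application/json"}}},
    {"request": {"method": "GET", "url": "https://app.example.com/static/app.js"},
     "response": {"status": 200, "content": {"mimeType": "text/javascript"}}},
]}}

if __name__ == "__main__":
    print(json.dumps(har_to_openapi(SAMPLE_HAR), indent=2))
```

The output is a starting point, not ground truth: parameter types are guessed from a single capture, and optional fields or endpoints you never clicked through will be missing, which is exactly why a generated spec should be reviewed (and fed back into a fuzzer or Burp) rather than trusted as complete.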
3. Videos of the week
Bug Bounty Redacted #3: Hacking APIs & XSS, SQLi, WAF Bypass in a regional web application
Q: How to write a BUG BOUNTY report that actually gets paid?
XSSHUNTER by @IAmMandatory (Behind The Tool #2)
I know it is supposed to be just one “video of the week”, but I want to celebrate three of my favorite shows that are true gifts for bug hunters.
In this Bug Bounty Redacted, @infosec_au covers two bug bounty findings. Although the reports are old, the tips for testing Swagger UIs and regional assets are very relevant today.
@stokfredrik‘s Bounty Thursday is, as usual, so enjoyable and full of insightful tips, with a focus on reporting this time.
Last but not least, Behind The Tool features @IAmMandatory. If you like XSSHunter, this is a great discussion to know more about its author and the behind the scenes of its creation.
4. Writeups of the week
Multiple bugs chained to takeover Facebook Accounts which uses Gmail. (Meta / Facebook, $44,625)
Hacking Swagger-UI – from XSS to account takeovers (Shopify, Paypal, GitLab, Atlassian, Yahoo, Microsoft, Jamf & others)
@samm0uda‘s fantastic writeup shows how he chained client-side vulnerabilities to take over Facebook accounts, turning an “intended-by-design XSS in a Facebook sandbox domain” into a $44k+ bug bounty.
The other writeup is about a DOM XSS that @kannthu1 found in Swagger UI and reported to several bug bounty programs. This is excellent research and a good resource if you want to learn more about hacking Swagger APIs (after watching Bug Bounty Redacted #3 on the same topic).
5. Challenge / Resource of the week
Gin and Juice Shop: put your scanner to the test
“Gin and Juice Shop” is a new intentionally vulnerable web app by PortSwigger. It is intended to be used to test Burp Scanner. I think it also provides a good training ground to practice manual Web hacking after finishing the other Web Security Academy labs and courses.
Other amazing things we stumbled upon this week
Videos
Bug Bounty 101: #15 – XXE (External Entities Injection) Basics, #16 – Login Dialogue Bypass via Password Spray / Brute Force Attack & #17: Recon Sub-domains with Intruder for Auth Bypass
They said this doesn’t work 🤣 Hacking networks with VLAN hopping and Python
Podcasts & Audio
Webinars
Cyber Apocalypse CTF 2022 – Intergalactic Chase: Live Hacking Workshops
Learning from AWS (Customer) Security Breaches with Rami McCarthy & Slides
BHIS | How DNS can be abused for Command & Control | Troy Wojewoda
Conferences
Slides & Workshop material
Black Hat Asia 2022, especially:
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
PicoCTF 2022 Web, Reverse Engineering, Forensics, Cryptography & Binary Exploitation
Pentest writeups
Responsible(ish) disclosure writeups
Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) #Web #CodeReview
rubygems CVE-2022-29176 explained #Web #CodeReview
CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection & Nuclei template #Web
Exploiting a Use-After-Free for code execution in every version of Python 3 #MemoryCorruption
Path Traversal Vulnerabilities in Icinga Web & RainLoop Webmail – Emails at Risk due to Code Flaw #Web #CodeReview
Bug bounty writeups
The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF… ($3,850)
Can analyzing javascript files lead to remote code execution?
Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923) (Microsoft) & Free TryHackMe room
New Wine in Old Bottle – Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108) (Microsoft)
See more writeups on The list of bug bounty writeups.
Tools
pipe-intercept: Intercept Windows Named Pipes communication using Burp or similar HTTP proxy tools
badkeys: Tool and library to check cryptographic public keys for known vulnerabilities
Skanuvaty: Dangerously fast DNS/network/port scanner
Fastsub: A custom built DNS bruteforcer with multi-threading, and handling of bad resolvers
Tips & Tweets
Misc. pentest & bug bounty resources
@cyb_detective’s OSINT repos:
Articles
A new secret stash for “fileless” malware & Why the newly discovered Microsoft Windows ‘fileless’ log exploit is a marvel of stealth
Challenges
Bug bounty & Pentest news
Pentest
Cybersecurity
Upcoming events
LevelUpX – Salesforce Object Recon by @B3nac (May 20 at 4 PM UTC)
Tool updates
Non technical