Bug Bytes #171 – New Android Web Views attacks, Arbitrary file theft on Android & Scanning for PII in images
By Anna Hammond
May 25, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 16 to 23.
Our favorite 5 hacking items
1. Tool of the week
Octopii is a Personal Identifiable Information (PII) scanner for images. It uses tesseract-ocr and AI to identify images of passports, photos, signatures, etc. This can be useful for automated recon, when you have access to a lot of images (in a local directory, S3 bucket or via directory listing) and cannot go through all of them manually.
2. Writeup of the week
@jespinhara found a Tomcat Manager that used default credentials on a public bug bounty program. The vulnerable host could only be accessed from a t2.xlarge AWS instance in the us-east-1a region, which probably explains why the bug wasn’t discovered before.
So, a valuable lesson for recon automation and vulnerability scanning is to try different cloud providers, regions and instance types.
3. Video of the week
LevelUpX – Series 1: Salesforce Object Recon with B3nac & AuraIntruder
@B3nac shares how to find data leaks by disclosing Salesforce Objects using different techniques, and a Burp extension to automate the process.
4. Tutorials of the week
Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations
Android security checklist: theft of arbitrary files
@0x00C651E0 walks through three of the most common ways to obtain RCE in Ruby on Rails apps. Although they can be detected with Brakeman, this walkthrough will help you go further and construct working exploits.
The second tutorial / cheat sheet by @OversecuredInc is a compilation of multiple techniques to exploit Android apps and access arbitrary files.
5. Articles of the week
The Bridge between Web Applications and Mobile Platforms is Still Broken
Security Code Audit – For Fun and Fails
The first paper presents two new attacks using Android Web Views. One allows leaking user information and the other accessing the user’s camera and microphone.
The second paper is an insightful tale of “failed” code review by @frycos. It is very interesting to read about a code auditor’s methodology whether there is an RCE at the end or not.
Other amazing things we stumbled upon this week
Videos
Bug Bounty 101: #18 – Approaching a Public Target (Pinterest) & Interview #4: Question and Answer Session #1
INDUSTRY Penetration Testing & Training w/ Jean-François Maes
Hacking networks with Python // Creating malicious packets and breaking TCP/IP rules
Podcasts & Audio
401 Access Denied, especially:
Webinars
Conferences
Finding Bugs on NFT Websites for Fun & Profit | IWCON-S22 Talk by Zseano
Security Automation, (Re) Defined | IWCON-S22 Talk by Dhiyaneshwaran DK
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Responsible(ish) disclosure writeups
Yik Yak Vulnerability Exposed Precise GPS Locations: Analysis #iOS
Mailcow RCE and domain admin privilege escalation (CVE-2022-31245) #Web
Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) #Web
Printing Fake Fiscal Receipts – An Italian Job p.2 & p.1 #Printers #Android
Known vulnerabilities
“NginxDay2022”: NGINX LDAP reference implementation Zero Day Vulnerability
How I could exploit the CVE-2022-1388, F5 BIG IP iControl Authentication bypass to RCE
Bug bounty writeups
Stealing Google Drive OAuth tokens from Dropbox (Dropbox, $1,728)
Finding vulnerabilities in Swiss Post’s future e-voting system – Part 2 (Swiss Post)
Integer overflow vulnerability (Glovo)
See more writeups on The list of bug bounty writeups.
Tools
h2cSmuggler-proxy: Python script that implements a proxy over h2cSmuggler so you can navigate in your browser making requests to the back-end server
mx-takeover: Go tool that detects misconfigured MX records using three techniques
slipit: Utility for creating ZipSlip archives
righettod/toolbox-pentest-web: Docker toolbox for pentest of web based application
Tips & Tweets
Misc. pentest & bug bounty resources
Articles
Dotnet’s Default AES Mode Is Vulnerable To Padding Oracle Attacks
We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere
No-Fix Local Privilege Escalation Using KrbRelay With Shadow Credentials
Challenges
Bug bounty & Pentest news
Bug bounty
Cybersecurity
Upcoming events
“Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling” (@albinowax’s talk at Black Hat USA 2022)
Tool updates