Bug Bytes #97 – Breaking Site Isolation, Untrusted Types, SAD DNS & 31k Google SSRF
By Anna Hammond
November 18, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 08 to 15 November.
Intigriti News
Avalanche of security updates, Zoom snooping & The 2020 business threat landscape
Our favorite 5 hacking items
1. Videos of the week
The Act of Balancing: Burnout in Cybersecurity with Chloé Messdaghi!
10 GREAT habits for bug bounty hunters (and a productive life)
A lot of us bug hunters and pentesters have to deal with burnout. So, make sure to watch these two videos, which are full of ideas not only for avoiding it, but also for gaining productivity and general well-being. Fantastic tips by @ChloeMessdaghi and stokfredrik!
2. Writeups of the week
Smuggling an (Un)exploitable XSS
31k$ SSRF in Google Cloud Monitoring led to metadata exposure (Google, $31,337)
From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass
@david_nechuta goes over a blind SSRF in Google that was tricky to exploit. @MrTuxracer shows how he chained an uninteresting request smuggling vulnerability with a hard-to-exploit header-based XSS to escalate their combined impact. @bananabr’s writeup details how he used LiveDOM++ to find a new DOMPurify bypass.
These are all great findings and highly recommended to read!
3. Tool of the week
Untrusted Types is a Chrome extension by @filedescriptor that abuses Trusted Types to log DOM XSS sinks. It is handy for tracing sink to source and source to sink when testing for DOM XSS, and also for finding script gadgets to bypass the CSP.
4. Vulnerability of the week
SAD DNS stands for “Side-channel AttackeD DNS” and is not just another vulnerability that gets its own name and site. It bypasses the mitigations introduced against DNS cache poisoning attacks, and makes it possible again to poison DNS resolvers and forwarders, using ICMP as a side-channel.
DNS providers are working on fixing it as it effectively breaks DNS: anyone could exploit it to re-route traffic to their own servers. A fascinating dive into DNS security!
5. Tutorial of the week
Deep Dive into Site Isolation (Part 1)
This blog post explains how Site Isolation works in Chrome and mitigates attacks like Universal XSS and Spectre. Jun Kokatsu (@shhnjk) studied it and found 10+ bugs in the Chrome bug bounty program! An excellent read if you’re into browser security, UXSS, or CORS / CORB testing.
Other amazing things we stumbled upon this week
Videos
@John Hammond Talks About CTF vs Bug Bounty, Organizing CTS, CTF tools, Certificates, and more!
@zseano Talks About bugbountyhunter.com, Recon, Reading Javascript, Getting Started in Bug Bounty🔥
Podcasts
Security Now: NAT Firewall Bypass – SlipStream NAT Firewall Bypass, MS Police Use Ring Doorbell Cams
Risky Business #604 — Election-related cyber shenanigans fail to materialise
CTF Radiooo: Education and CTFs with Fabian aka LiveOverflow
Tianfu, Ghimob, Scalper Bots, Animal Jam, & Pay2Key – Wrap Up – SWN #82
‘Platypus’ Attack, IDOR DOD Bug, & 2 More Chrome 0-Days – ASW #130
Webinars & Webcasts
The Secret Thoughts of a Successful Hacker | Nadean Tanner | 1 Hour
2020 Collegiate SECTF KeyNote: Chris Hadnagy, Webinar: How To OSINT by Chris Krisch & Webinar: Social Engineering Ask Me Anything
File upload vulnerabilities & Slides/challenges (in Arabic)
Conferences
DEF Con 401 – Steve Campbell – The 10 (Unexpected) Ways I Pwned You!
Unlock Your Brain ⋅ Harden Your System 2020 (in French)
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Pentest writeups
Responsible(ish) disclosure writeups
How to get root on Ubuntu 20.04 by pretending nobody’s /home #Linux #LPE
Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer. #SmartTV #Android
Silver Peak Unity Orchestrator RCE & SD-PWN Part 2 — Citrix SD-WAN Center — Another Network Takeover #Web #RCE
A code signing bypass for the VW Polo #IoT #CarHacking
TP-Link Takeover with a Flash Drive #Router #USB
Intel, Please Stop Assisting Me #Windows #LPE
Bug bounty writeups
Firefox for Android: LAN-Based Intent Triggering (Microsoft)
How I Found The Facebook Messenger Leaking Access Token Of Million Users (Facebook, $16,125)
Evernote: Universal-XSS, theft of all cookies from all sites, and more (Evernote)
Ticket Trick at https://account.acronis.com (Acronis, $750)
Possibility to freeze/crash the host system of all Slack Desktop users easily (Slack, $500)
Uninstalling Slack for Windows (64-bit), then reinstalling keeps you logged in without authentication (Slack, $500)
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
AWS User Data Secrets Finder: Search for secrets inside user data attached to EC2 instances on multiple AWS accounts
SendPass: Securely* send passwords, URLs or other text data from any trusted computer with a camera (Phone, Laptop, Web Cam, etc.) to an un-trusted computer with ease
More tools, if you have time
4xxbypass: A tool that automates a number of well-known 403/401 bypassing techniques
Asthook: Python tool for Android static and dynamic analysis
3klCon: Automation recon tool which works with large & medium scopes
anewer: A rust version of TomNomNom’s anew. It appends lines from stdin to a file if they don’t already exist in the file
xpcspy: Bidirectional XPC message interception and more. Powered by Frida
Dredd: HTTP API Testing Framework. It’s a language-agnostic command-line tool for validating an API description document against the backend implementation of the API.
enum4linux-ng: A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed at security professionals and CTF players
Apollo: A .NET Framework 4.0 Windows Agent
PYTMIPE & TMIPE: Python library and client for token manipulations and impersonations for privilege escalation on Windows
Misc. pentest & bug bounty resources
Infosec Bugbounty AMA with JR0ch17 & BenkoOfficial
Challenges
Articles
Exploring the Exploitability of “Bad Neighbor”: The Recent ICMPv6 Vulnerability (CVE-2020-16898)
On the Effectiveness of Time Travel to Inject COVID-19 Alerts
Bug bounty & Pentest news
Non technical
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2020 to 11/15/2020.