The 5 Hacking NewsLetter 107
Posted in Newsletter on April 7, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from March 27 to April 3.
@samwcyo’s Kernelcon talk explores attacking secondary contexts (APIs, reverse proxies, middleware) in web applications. He shows how to detect application routing from a black-box position, and gives examples of vulnerabilities that arise from interactions between different servers.
This is excellent research and an interesting area to explore further. The talk video is not available yet, but will be released soon hopefully.
Also good to know, you can reproduce the last trick (Authy 2FA bypass) in @PentesterLab’s “Idor to Shell”.
It was impossible to feature only one writeup as these 3 are all awesome! The iPhone Camera Hack is a deep dive into several bugs found in Safari. They allowed Ryan Pickren to gain zero-click unauthorized camera access on iOS and macOS, and earned him an impressive $75,000 bounty.
The second article sums up @securinti’s findings after scanning 10,000 popular domain names for misconfigured Atlassian instances. He noticed a 12% increase in exposed instances since last summer, maybe because of remote work due to COVID-19.
The third writeup reads like an investigation. @redtimmysec identified the middleware in use (a WAF and a Blue Coat proxy), and was able to bypass the WAF to exfiltrate sensitive data with SSRF. This is an excellent example of a “secondary contexts” bug.
GitLab’s transparency is amazing. This is a writeup for a file upload vulnerability found internally. It illustrates the concept of parser differentials, which is similar to @samwcyo’s “secondary contexts” attacks but applied to file uploads.
This is a unique opportunity to learn about a critical bug with details, from the company itself, about the source code and how file uploads are handled.
@Codingo_ Talks About Pentesting, Escalating Bugs, OSCP, Working at Bugcrowd, Burp Suite and More!
The interview with @codingo_ is A-M-A-Z-I-N-G! He shares so many ideas and good insights. For instance his philosophy around XSS proofs of concept got him a much bigger bounty for a duplicate XSS than its first reporter! He has a unique background, and a strong opinion on which programming languages to learn.
Also a big shout-out to @NahamSec for being a great interviewer and asking all the questions I had in mind.
Crithit allows you to do directory and file brute forcing at large scale. It takes each entry from a wordlist and tests it against all targets before moving on to the next entry.
If this reminds you of something, it is probably Inception, which is similar. The difference is that Inception takes a configuration file with specific endpoints to test for as input (e.g. .env, .git, etc.), while Crithit can be used with any wordlist. So, Crithit is more practical when you want to test bigger or existing wordlists. It also supports filtering output by HTTP response code and by signatures to look for in responses.
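To make the Crithit scheduling and filtering model concrete, here is an added example (not Crithit’s or Inception’s code) of a wordlist-first brute forcer: the outer loop walks the wordlist and the inner loop walks the targets, and results are kept only when the status code is in an allow-list and, when signatures are given, the body contains at least one of them. The hosts, paths and responses are constructed sample data, and the HTTP client is replaced by an injected fetch function so the whole thing runs offline.

```python
"""
Wordlist-first brute forcing as described for Crithit: the outer loop walks
the wordlist and the inner loop walks the targets, so one path is probed on
every host before the next path is tried. Added example, not Crithit's code;
the fetch function is injected so the scheduler runs offline against a
constructed table of fake responses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Response = Tuple[int, str]                # (HTTP status, response body)
Fetcher = Callable[[str, str], Response]  # fetch(target, path) -> Response


@dataclass(frozen=True)
class Hit:
    target: str
    path: str
    status: int
    matched: Tuple[str, ...]  # signatures found in the body


def brute_force(targets: Sequence[str], wordlist: Iterable[str], fetch: Fetcher,
                keep_status: Iterable[int] = (200, 301, 302, 403),
                signatures: Sequence[str] = ()) -> List[Hit]:
    """Probe every target for each wordlist entry; keep responses whose status
    is in keep_status and, when signatures are given, whose body contains at
    least one of them (this drops soft-404 pages that answer 200 to anything)."""
    keep = set(keep_status)
    hits: List[Hit] = []
    for path in wordlist:            # outer loop: one wordlist entry ...
        for target in targets:       # ... against all targets, then the next entry
            status, body = fetch(target, path)
            if status not in keep:
                continue
            matched = tuple(s for s in signatures if s in body)
            if signatures and not matched:
                continue
            hits.append(Hit(target, path, status, matched))
    return hits


# Constructed sample data (hypothetical hosts, not real scan results).
TARGETS = ["https://a.example", "https://b.example", "https://c.example"]
WORDLIST = [".git/config", ".env", "admin/"]
FAKE_SITE: Dict[Tuple[str, str], Response] = {
    ("https://a.example", ".git/config"): (200, "[core]\n\trepositoryformatversion = 0\n"),
    ("https://b.example", ".env"): (200, "DB_PASSWORD=hunter2\n"),
    ("https://c.example", "admin/"): (403, "Forbidden"),
}
PROBE_LOG: List[Tuple[str, str]] = []  # records the order requests were issued


def fake_fetch(target: str, path: str) -> Response:
    """Stand-in for an HTTP client. c.example is a soft-404 host: it answers
    200 with an error page for every unknown path, which status filtering
    alone would report as a hit."""
    PROBE_LOG.append((target, path))
    if (target, path) in FAKE_SITE:
        return FAKE_SITE[(target, path)]
    if target.endswith("c.example"):
        return (200, "<h1>Page not found</h1>")
    return (404, "Not Found")


def run_demo() -> Tuple[List[Hit], List[Hit]]:
    """Return (noisy, filtered): status-only filtering versus status + signatures."""
    PROBE_LOG.clear()
    noisy = brute_force(TARGETS, WORDLIST, fake_fetch, keep_status=(200, 403))
    filtered = brute_force(TARGETS, WORDLIST, fake_fetch, keep_status=(200,),
                           signatures=("[core]", "DB_PASSWORD="))
    return noisy, filtered


if __name__ == "__main__":
    noisy, filtered = run_demo()
    print(f"status filter only: {len(noisy)} hits, with signatures: {len(filtered)} hits")
    for h in filtered:
        print(f"{h.status} {h.target}/{h.path} matched={h.matched}")
```

The point of the loop order is operational: spreading one path across many hosts keeps the per-host request rate low, which matters against rate limiting and WAFs, while the signature filter is what separates a real exposed .git/config or .env from a host that returns 200 for everything.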
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study (Bitdefender, $5,000)
Limited FreeMarker SSTI to arbitrary LiQL query and manage Lithium CMS
Touch ID Authentication Bypass on Evernote and Dropbox iOS Apps
Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO (Shopify, $15,000)
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation (Shopify, $15,000)
Able to Take Over Merchants’ Accounts Even If They Have Already Set Up SSO, After Bypassing the Email Confirmation (Shopify, $7,500)
Periscope iOS app CSRF in follow action due to deeplink (Twitter, $2,940)
Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation (Slack, $750)
H1514 CSRF in Domain transfer allows adding your domain to other user’s account (Shopify, $500)
An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss (SEMrush, $2,111)
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/27/2020 to 04/03/2020.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, and leaving a comment, suggestions or questions…