Bug Bounty Bulletin #2
Insights, inspiration and hunting opportunities for ethical hackers
Welcome to the second edition of YesWeHack’s Bug Bounty Bulletin – comprising new hunting opportunities, CTF-style challenges, and hacking advice and inspiration for ethical hackers!
We kick off this instalment with an interview with one of Italy’s finest hackers and an all-time top 20 hunter. Currently 17th on YesWeHack’s all-time leaderboard, Simone Paganessi aka ‘drak3hft7’ kindly sat in front of a camera to discuss his journey to becoming a hacker, his best bug find so far and his favourite hacking tools.
And in AI news, a New Scientist feature (paywalled) reveals the trouble large language models (LLMs) are causing for those tasked with weeding out ‘hallucinated’ vulnerability reports, even as many ethical hackers are productively integrating bug-hunting AI tools into their workflows.
Windows 12: Our latest hacking challenge
Whether you’re an experienced hunter or a newcomer to Bug Bounty, you may be interested in taking on our latest DOJO challenge, since it offers an opportunity to not only sharpen your skills but also win swag and the points that can eventually unlock invitations to private Bug Bounty Programs.
‘Windows 12’, which is active until 23 June, is described thus: “We've had the honour of trying out a new computer in the office! Seems we got a nice welcome message when we started the computer, wonder what else there is to find?”
The three best writeups win a YesWeHack swag pack. Good luck!
Last month’s challenge, ‘Security Panel’, invited participants to exploit a prototype pollution vulnerability. Take a bow ‘Kant1’, ‘ambush’ and ‘denabled’ for the three best write-ups.
SSRFs in Next.js apps
Trawling for the most interesting, upvoted or commented-upon content from hunters and security researchers, we found Hanno Böck’s disclosure “that many DKIM setups still use keys vulnerable to” a severe 2008 vulnerability (CVE-2008-0166). The bug relates to how “a patch in Debian’s and Ubuntu’s OpenSSL packages broke the random number generator, effectively limiting the number of possible keys to a few ten thousand plausible variations”. Because that keyspace is small enough to enumerate, an attacker can recover the private key matching any affected DKIM public key published in DNS and sign mail as the domain, so DKIM keys generated on Debian or Ubuntu systems of that era should be rotated. Böck will be presenting these findings at miniDebConf Berlin.
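A practical way to act on this, as an added example that is not part of the bulletin or of Böck’s research: parse a DKIM TXT record, extract the RSA modulus from the base64 SubjectPublicKeyInfo with a minimal DER reader, and check its fingerprint against a blocklist of known-weak moduli. The records, moduli and blocklist below are constructed for the demo (the “moduli” are deterministic stand-ins, not real RSA keys, and the SHA-256 fingerprint format is an assumption); a real check would load the published Debian weak-key lists, such as those shipped in the openssl-blacklist package, and resolve `<selector>._domainkey.<domain>` over DNS.

```python
"""Flag weak RSA keys in a DKIM DNS TXT record (added example, not the bulletin's code)."""
import base64
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_BITS = 1024  # RFC 8301 floor for DKIM RSA keys


# --- minimal DER helpers: only what an RSA SubjectPublicKeyInfo needs ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    # +8 rather than +7 keeps a leading 0x00 when the top bit is set (positive INTEGER)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_rsa_spki(n: int, e: int) -> bytes:
    """Encode an RSA public key as DER SubjectPublicKeyInfo (used to build the samples)."""
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier {rsaEncryption, NULL}
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))  # BIT STRING with 0 unused bits


def parse_rsa_spki(der: bytes) -> tuple:
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo; reject non-RSA keys."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_key, _ = _read_tlv(bitstr, 1)  # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_dkim_record(txt: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict; whitespace inside p= is dropped
    because DNS often returns the base64 as several concatenated strings."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def modulus_fingerprint(n: int) -> str:
    """SHA-256 over the big-endian modulus: the assumed blocklist key format for this demo."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_dkim_record(txt: str, blocklist: set) -> dict:
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":  # k defaults to rsa per the DKIM spec
        return {"key_type": tags["k"], "checked": False}
    n, e = parse_rsa_spki(base64.b64decode(tags["p"]))
    return {
        "key_type": "rsa",
        "checked": True,
        "bits": n.bit_length(),
        "exponent": e,
        "too_short": n.bit_length() < MIN_BITS,
        "weak": modulus_fingerprint(n) in blocklist,
    }


# --- constructed samples: deterministic stand-ins, NOT real RSA moduli ---
def pseudo_modulus(seed: bytes, bits: int) -> int:
    raw = int.from_bytes((hashlib.sha256(seed).digest() * (bits // 256 + 1))[: bits // 8], "big")
    return raw | (1 << (bits - 1)) | 1  # force exact bit length and odd


def dkim_record_for(n: int) -> str:
    p = base64.b64encode(build_rsa_spki(n, 65537)).decode()
    return f"v=DKIM1; k=rsa; p={p}"


WEAK_N = pseudo_modulus(b"debian-2008-weak", 2048)
GOOD_N = pseudo_modulus(b"fresh-key", 2048)
BLOCKLIST = {modulus_fingerprint(WEAK_N)}  # constructed; a real list comes from Debian's tooling
WEAK_RECORD = dkim_record_for(WEAK_N)
GOOD_RECORD = dkim_record_for(GOOD_N)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("good", GOOD_RECORD)):
        print(name, check_dkim_record(rec, BLOCKLIST))
```

Run it to see the constructed weak record flagged while the good one passes; for production use, swap in the real blocklist and a DNS lookup. A key shorter than 1024 bits is reported separately (`too_short`) from a blocklisted one (`weak`), since the two call for different remediation conversations with the domain owner.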
Variously praised on r/netsec as “top notch work” and “a real eye opener”, a writeup by Assetnote documented the discovery of server-side request forgery (SSRF) in Next.js apps. The researchers argue that any notion that “static single-page apps and frameworks” pose minimal risk is ill-conceived, since “these frameworks often rely on numerous underlying APIs and logic, presenting a considerable attack surface”.
Also generating a decent volume of upvotes were posts on a response filter Denial of Service (RFDoS) technique that shut down a website by deliberately triggering WAF rules, on a fresh twist on a technique for bypassing AMSI (Windows’ Antimalware Scan Interface), and on leveraging LLM agent integrations for RCE.
On the tools front, pcap-did-what, which enables analysis of pcaps with Zeek and Grafana dashboards, and RRFuzz, “a new type of fuzzer” that can “fuzz just about anything”, drew considerable interest.
Live Bug Bounty events
It’s less than a month now until our next Live Bug Bounty, taking place at leHACK’s 20th edition in Paris, 5-7 July. As usual, the target will remain under wraps until the event kicks off on 6 July. Participation is open to all leHACK attendees – find out more here. Once again, we’ll also be giving out swag, information about our platform and good vibes from a booth (#41) at Cité des Sciences et de l’Industrie. The conference lineup, by the way, has been confirmed.
In addition, we recently announced our upcoming live hacking event at RomHack on 28 September - the first ever Live Bug Bounty to be held in Italy! It will be another great opportunity to connect with the infosec community and have fun hacking an exclusive target! Save your spot now if you want to take part in something unique.
In other hacking event news, we recently held another Bug Bounty Challenge for NUS students in Singapore and sent a team called (what else?) YesWePwn to France’s largest Capture the Flag (CTF) competition. You can watch highlights of BreizhCTF, which had around 600 participants, while pentester Vincent Michel has documented how he solved three of the challenges.
PS. Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.