Bug Bounty Bulletin #5

Insights, inspiration and hunting opportunities for ethical hackers

Welcome to the fifth edition of YesWeHack’s Bug Bounty Bulletin – comprising new hunting opportunities, CTF-style challenges, hacking writeups and Bug Bounty videos for ethical hackers!

We already have proof that open source vulnerabilities can have catastrophic impact, in the form of the landmark Log4Shell bug. Log4j, the library in which that devastating flaw was found, happens to be among seven public Bug Bounty programs operated by the Sovereign Tech Fund, which invests in open digital infrastructure to ensure a resilient and sustainable open source ecosystem.

The comparable ubiquity of the other programs’ technologies – Systemd, ntpd-rs, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo – means it’s not hyperbolic to say that finding similarly critical bugs in these programs could help to prevent some pretty devastating downstream impacts. Mindful of the significance of these programs, we’ve summarised the hunting opportunities on offer – which can net you up to €10k rewards and, indeed, the satisfaction of helping to secure some pretty fundamental digital infrastructure.

We’re also delighted to showcase a new interview with one of the world’s most successful hunters, Nagli. Among other things, the Israeli hacker shares his journey into Bug Bounty, revisits his most memorable bug discovery, reveals the secrets behind his success, discusses currently productive scopes, and offers invaluable advice for aspiring bug hunters.

Listen to the timing oracles

Beyond YesWeHack, web security research pioneer James Kettle has broken new ground again with his latest Black Hat USA presentation. The PortSwigger director of research begins his writeup for ‘Listen to the whispers: web timing attacks that actually work’ by urging his peers to start listening to the “timing oracles” pervading websites, since they are “eager to divulge their innermost secrets”. His latest tour de force promises to “unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface”. Because theoretically sound web timing attack techniques all too often fail when applied to real-world scenarios, he illustrates each technique for exploiting this neglected side channel “with multiple real-world case studies on diverse targets”. The researcher also provides “battle-tested open-source tools” and a CTF.

'Websites are riddled with timing oracles eager to divulge their innermost secrets,' says James Kettle

Orange Tsai, a researcher of comparable renown, has unearthed another vast attack surface linked to architectural problems with Apache HTTP Server. In ‘Exploiting Hidden Semantic Ambiguity in Apache HTTP Server’, which also featured at Black Hat, Tsai revealed how he pioneered 20 ‘confusion attack’ techniques and found nine related vulnerabilities. He has cited the biggest highlights as escaping from DocumentRoot to System Root, bypassing built-in ACL/Auth with just ‘?’, and turning XSS into RCE with legacy code from 1996. He also warned that more types of confusion attacks will emerge “unless the Apache HTTP Server undergoes architectural improvements or provides better development standards”.

SSTIs and template engines / white-box Python pentesting

Our very own bug hunter and researcher enablement analyst, Brumens, has produced a pair of nifty hacking writeups since our last edition. In ‘Limitations are just an illusion: Advanced server-side template exploitation with RCE everywhere’, he explains some novel techniques for exploiting SSTIs with complex, unique payloads that leverage default methods and syntax from various template engines. Better still, he achieves RCE without needing any quotation marks or extra plugins within the templates. Brumens also found time to pen a writeup on performing white-box penetration testing on a Python web application running in a Docker container: debugging inside Visual Studio Code in order to track payloads throughout the process, and understanding how security filters can hide vulnerabilities in plain sight.

Brumens achieved RCE with payloads that used default methods and syntax from various template engines

In more Brumens-related news, the fourth and final WAF bypass module to emerge from his fantastic presentation on the topic at NahamCon 2024 has landed. As well as learning filter collision, transformation and space-excluding techniques on Dojo, now you can leverage encoding to turn your payload into a web application firewall nemesis.

As well as financial rewards and invites to private programs, an ultimate dividend of all this hunting education and practice could be a place on our leaderboard and the respect of your peers – and indeed of the Bug Bounty Bulletin! To this end, let us give thanks and admiration to all-time runaway leader rabhi, who sits at the summit of the Q3 rankings so far for 2024; to Xel (second place, and a recent climber into the all-time top three); and to DinDinDin, propelled into third by a superb showing at our recent live hacking event for L'Oréal (watch the highlights below!). The podium for 2024 as a whole so far: rabhi, Noam and st0rm_.

Gotta cache ‘em all

The PortSwigger team had a productive August, with two of Kettle’s colleagues also publishing impressive research. Gareth Heyes ‘splits the email atom’ by demonstrating how to turn email parsing discrepancies into access control bypasses and even RCE, and provides a CTF for road-testing the skills duly acquired. And in ‘Gotta cache 'em all: bending the rules of web cache exploitation’ (great title), Martin Doyhenard explores how various HTTP servers and proxies behave when parsing specially crafted URLs, as well as RFC ambiguities that create path confusion. He also details novel techniques for abusing parser discrepancies to achieve arbitrary web cache poisoning and deception in numerous websites and CDN providers.

Date fright

Fortbridge researchers have documented a series of ‘broken access control vulnerabilities’ on a hugely popular dating app that, they claim, enabled attackers to read other users’ messages, access attachments (photos and videos) from their chats, and update someone else’s profile info, among other misdeeds. According to the six-month disclosure timeline, the vendor has said the vulnerabilities have now been addressed.

A vulnerability in FIDO devices that use the Infineon SLE78 security microcontroller allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys and clone the FIDO device. Dubbed ‘EUCLEAK’, the side-channel attack requires extended physical access, specialized equipment, and an advanced understanding of electronics and cryptography. Credit goes to NinjaLab's Thomas Roche, who previously devised a side-channel attack that enabled the cloning of Google Titan security keys.

A YubiKey authentication device

A pair of writeups concerning security weaknesses in Microsoft Copilot to flag next. First, Microsoft has seemingly remediated a vulnerability enabling a chain of ‘exploits’ affecting the chatbot (one Redditor quibbled with the term ‘exploit’ in this context), including: prompt injection via a malicious email (or hidden in a shared document); automatic tool invocation, without a human in the loop, to read other emails or documents; ASCII Smuggling to stage data for exfiltration in a form invisible to the user; rendering of hyperlinks to attacker-controlled domains (websites, mailto:); and, optionally, conditional prompt injection. Second, Tenable Research has detailed a critical information-disclosure vulnerability in Copilot Studio via a server-side request forgery (SSRF) that leveraged Copilot’s ability to make external web requests. Combined with an SSRF protection bypass, the SSRF, which has now been patched, gave the researchers access to internal infrastructure for Copilot Studio.

A first for Italy

We’re breaking new ground next month when we run Italy’s first-ever live hacking event on 28 September. The identity of the organisation involved will, as usual, be kept secret until the day of the event, which takes place at RomHack in Rome, Italy, between 24 and 28 September. YesWeHack will also have a booth in the exhibition area. We will also have booths at INDOSEC (Jakarta, Indonesia; 24-25 September), Cyber Security World Asia (Marina Bay, Singapore; 9-10 October) and Assises de la Cybersécurité 2024 (Monaco; 9-12 October).

When in Rome... come to our hacking event

PS. Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

PPS. This isn’t the only way to keep track of YesWeHack content, hacking competitions and hunting opportunities! You can also follow us on X/Twitter and LinkedIn.

Mo Elaisati

Talent Acquisition Director @ YesWeHack – EU #1 Bug Bounty & VDP Platform (Paris/Rennes/Rouen/Singapore)

2 months

Thorough insight!

Aubrey Love II

Greetings Earthlings. I’m Rogue Payload Conspiracy Theorist, Hacktivist, and I.T. Enthusiast. Married 16 years with 4 kids, I dive deep into hidden narratives.

2 months

Very impressive and really helpful!