Defender's Thoughts on CTBB Podcast Episode: 127
Critical Thinking Bug Bounty Podcast - Episode 127
A Hacker's Guide to Google Dorking
https://www.yeswehack.com/learn-bug-bounty/recon-hackers-guide-google-dorking
This YesWeHack guide is full of useful info for advanced Google searching. Many folks may be familiar with the Advanced Google Search form - https://www.google.com/advanced_search - but the examples shown in the blog post make it crystal clear how to search for maximum recon.
Google CAPTCHA Challenges
One note for bug hunters: if you have used Google dorks directly in your browser, you will undoubtedly have run into this CAPTCHA at some point:
This is an anti-automation mechanism that helps prevent tools from sending many requests to the standard Google search interface. If you automate your bug hunting, you may have implemented some type of scripting/tooling that sends searches to Google and then scrapes the results with Beautiful Soup, etc.
Google API Search
This allows you to use tooling to send search queries to the REST API:
You will get the following JSON response data, which is easily parsable for tooling:
I have conducted preliminary testing, but thus far I have not run into any similar CAPTCHA-type throttling mechanisms.
YesWeHack Dojos
https://dojo-yeswehack.com/ Dojos are an awesome environment for building CTF-style challenges that emulate a myriad of different vulnerability types. My daughter (https://x.com/4ng3lhacker) and I even used them as part of our Defcon 32 Bug Bounty Village workshop to demonstrate different data manipulation scenarios. Here are three Dojo examples from our workshop:
- WAF Bypass - Edge-Side Includes (ESI) Abuse
- WAF Bypass - XSS Sanitizer Abuse
- WAF Bypass - HTML Entities
PDF CSP Bypass
My first Defender comment is related to file uploads and the poor state of file attachment inspection. First of all, most file uploads are not rigorously inspected at all, and if they are, the 3rd party tooling used to do that inspection does not have very robust coverage for this type of XSS PoC.
I discussed this scenario with xssdoctor and from a CSP perspective, script-src directives should also include a nonce value.
Nonces would help to limit the attack chain so that even if the PDF/JS file was able to be uploaded, it would be difficult to access that file using JavaScript fetch(), etc.
Bug Hunter Tips with CSP Nonces
There is one scenario with CSP and nonces that bug hunters should be aware of before giving up on XSS exploitation: some 3rd party integrations/architectures can actually be abused - https://blog.cloudflare.com/addressing-the-webs-client-side-security-challenge/. This is an integration between Tala Security and Cloudflare Web Workers. Note what it describes as the process:
I can speak from first-hand experience in testing the Tala Security CSP management architecture years ago that reflected XSS was still possible, as this architecture was upstream from the target app and it would include the attack payload in the dynamic noncing process. Bug hunters should attempt to validate whether the nonce values are indeed added inside the origin application itself or perhaps added later, dynamically in flight by an intermediary layer on its way out to clients.
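To make the nonce point from the PDF CSP Bypass section concrete, here is an added example of my own (not code from the podcast, the post, or any vendor): a deliberately simplified model of script-src matching that shows why a file uploaded to the app's own origin loads as a script under `script-src 'self'` but not under a nonce-based policy with `'strict-dynamic'`. The origin, URLs and the reduced matching rules are assumptions of the example, not a full CSP3 engine.

```python
import base64
import secrets
from urllib.parse import urlparse

def make_nonce() -> str:
    """Fresh 128-bit nonce, base64-encoded; generate one per response, never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def script_src_sources(csp: str) -> list:
    """Return the source list of the script-src directive, or [] if the header has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def script_allowed(csp: str, page_origin: str, script_url: str, nonce_attr: str = "") -> bool:
    """Decide whether <script src=script_url nonce=nonce_attr> may load under `csp`.

    Simplified model (an assumption of this example, not a full CSP3 implementation):
    handles 'self', full-origin host sources, 'nonce-...' and 'strict-dynamic' only.
    """
    sources = script_src_sources(csp)
    if not sources:
        return True  # no script-src (default-src is not modelled here): unrestricted
    # A script element carrying the current nonce is authorised whatever its URL.
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    # With 'strict-dynamic', host sources and 'self' are ignored: only nonces/hashes count.
    if "'strict-dynamic'" in sources:
        return False
    page, script = urlparse(page_origin), urlparse(script_url)
    if "'self'" in sources and (page.scheme, page.netloc) == (script.scheme, script.netloc):
        return True  # this is what lets an uploaded same-origin file run as a script
    return f"{script.scheme}://{script.netloc}" in sources

if __name__ == "__main__":
    origin = "https://app.example"
    # Constructed sample: an attacker-supplied upload served from the app's own origin.
    uploaded = "https://app.example/uploads/report.pdf"
    weak = "script-src 'self'; object-src 'none'"
    nonce = make_nonce()
    strict = f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'"
    print("weak policy allows the upload as a script:", script_allowed(weak, origin, uploaded))
    print("nonce policy allows the upload as a script:", script_allowed(strict, origin, uploaded))
```

One caveat the model also reproduces: keeping `'self'` next to the nonce without `'strict-dynamic'` still permits the same-origin upload, so adding a nonce alone is not enough.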
Newtowner
https://github.com/assetnote/newtowner
Although this tool is positioned for abusing trust whitelists, it can also easily be used to circumvent IP blacklisting, as users would get new IPs.
AWS API Gateway AUP
https://github.com/assetnote/newtowner?tab=readme-ov-file#aws-api-gateway
As a bug hunter, be aware that using the AWS API Gateway infrastructure in this way is an AUP violation.
https://aws.amazon.com/security/penetration-testing/
The purpose of AWS API Gateway is ingress control, fronting your own AWS assets, not sending egress traffic to third-party applications. I have reported and worked with the AWS security team on this exact issue. The concept is good, however, and can be used with EC2, etc., but not with API Gateway.
Firefox XSS Vectors
https://x.com/garethheyes/status/1932066642026012716
I tested these on the jsfiddle.net site and confirmed that they do work when using Firefox:
These vectors may be useful for bypassing some naive WAF filters; however, most would still detect the javascript: protocol handler.