New tool for finding mutated XSS, $20k Chromium sandbox escape, Live bug bounty results from Ekoparty – ethical hacker news roundup

November 18, 2024

XSS and bug bounty

Our latest ethical hacker roundup leads with a new open source tool for understanding how browsers parse HTML and uncovering mutated XSS vulnerabilities. 🛠️ The handiwork of our resident security researcher, Bitk, Dom-Explorer incorporates the popular HTML sanitizers Ammonia, Angular, DomPurify, JsXss and SafeValues, while supported parsers include DomParser, Parse5, srcdocParser and TemplateParser. “By using this tool, you can generate this weird behaviour where if your input is not valid, it will change to something that might indicate the potential for vulnerabilities,” says Bitk. The researcher believes Dom-Explorer can simplify, accelerate and open up fresh directions in this niche area of security research. 🔥

DOM Explorer and the Hacker's toolbox

Using YouTube to steal your files

A client-side exploit chain across various Google services has impressed the InfoSec world. Leveraging Google Slides’ YouTube embed feature to access a victim’s Google Drive file, path traversal, open redirects across YouTube subdomains and oddities in Google Docs’ sharing UI, the discovery has netted security researcher Lyra/’Rebane’ an oddly specific bounty of $4,133.70. 💰 The research has been cited as an exemplar of how exploits can become “easier the longer you spend targeting a single company”, and evidence of an unusual combination of hacking skills. “Most white-hats specialize a bit, website logic shenanigans like iframes or the hardcore code analysis stuff like the link I posted for example. But not this [person, she] seems to have mastered both,” observed one Redditor. 🕵️

PHP devotees

In other hacking tool news, ‘Cfreal’, highly respected for his PHP work, has made another significant contribution to this field with the unveiling of lightyear, which helps ethical hackers exploit blind file read primitives in PHP. The researcher says the utility transcends most limitations undermining similar tools. 🚀

Speaking of PHP, the star of our YouTube channel’s latest hunter Q&A, Blaklis, also favours PHP targets. As well as discussing his preferred scopes, the prolific hunter, who sits 21st on our all-time leaderboard, reflects on how hacking video games introduced him to bug hunting, outlines his typical working day, and tells us which non-computing-related career he thinks most closely resembles Bug Bounty (watch the video below). 🐞 Similarly, we’ve also published a new Q&A writeup, complete with related video, starring HakuPiku, in which he declares a fondness for hacking Android apps and open-source code. 📱

Open source leaderboard

HakuPiku’s penchant for open source means he features on our new open-source leaderboard, which tracks the most successful hunters in terms of valid vulnerabilities reported to our open source programs. Top spots are currently held by calehuri, mdisec and foobar0x7 (visualised in the image below). 🏆 Hunters are further incentivised by the fact that any valid bugs reported to our open source Bug Bounty Programs will score hunters some exclusive merch, as well as the usual financial rewards. 🎁 Applicable scopes for this swag include Sovereign Tech Fund’s seven public programs, which offer max €10,000 rewards: Log4j, Systemd, GNOME, ntpd-rs, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo. The swag is also available via three programs managed by Open-Xchange: OX App Suite, Dovecot and PowerDNS. Incidentally, the bounty grid for PowerDNS, an open-source DNS server, was recently increased to an €8,000 maximum. 💰 🎯

As for the general leaderboard, Rabhi, Xel and pocsir currently head both the overall 2024 and 2024 Q4 rankings so far. 👏

YesWeHack open source leaderboard

Using AFL++, afl-cov and basic custom harnesses to find a libsoup bug

Back to the research writeups: we're spotlighting research from a hunter who also stars on the aforementioned open source leaderboard. In a new blog post, 'Sigabrt' details a case study in which he used AFL++, afl-cov and basic custom harnesses to find a heap overflow bug in libsoup on a YesWeHack public program, namely that of GNOME. 👏

Chromium sandbox escape

'Ading2210', meanwhile, has recounted how he netted a $20,000 bounty for reporting Chromium vulnerabilities that allowed for a sandbox escape from malicious browser extensions with just “a tiny bit of user interaction”. The potential consequences were grave: “Instead of merely stealing your passwords and compromising your browser, an attacker could take control of your entire operating system,” he wrote. Eek. One redditor called it “one of the best discovery recaps I've read since The Cuckoo's Egg”. 💰

Web browsers based on Chromium

Multiple vulnerabilities in a Realtek SD card reader, meanwhile, apparently “enabled non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device”. 💻 An advisory details Realtek’s fixes for what were seemingly highly serious flaws. “If your laptop is equipped with an SD card reader, it is highly likely to be manufactured by Realtek, making it susceptible to these vulnerabilities as well,” wrote the researcher who found them, ‘ZwClose’. ⚠️

Our latest white-box penetration testing guide explores how to debug for JavaScript vulnerabilities. Testing a web application vulnerable to prototype pollution inside a Docker container, Brumens, another of our resident hackers, demonstrates how to debug JavaScript in Visual Studio Code in order to track payloads through the code and learn how security filters can hide vulnerabilities. Relatedly, we’ve also detailed our top 5 hacking tools for white-box pen testing. 🔧
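To make the prototype pollution class concrete, here is an added example (not code from the YesWeHack guide or from Brumens): a recursive merge that is vulnerable to prototype pollution, its hardened counterpart, and a probe that tells a tester whether `Object.prototype` has actually been polluted. The JSON payload and the `theme` settings object are constructed for the demonstration; a breakpoint inside either merge function is the kind of place where a debugger lets you watch the untrusted key walk into the prototype chain.

```javascript
// Added example: vulnerable vs hardened recursive merge, plus a pollution probe.
// Not from the guide; inputs are constructed for illustration.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: walks every enumerable key of untrusted input, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion writes
// attacker-controlled properties onto the prototype every object inherits from.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys, the prototype-reaching names are refused outright,
// and nested containers are created only as own properties of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never let input steer into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: does Object.prototype currently carry an own property named `marker`?
function prototypeIsPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Run one merge implementation against a constructed payload and report
// whether the prototype was polluted and whether the legitimate key merged.
function demo(mergeFn) {
  // Constructed untrusted input: a legitimate setting next to a prototype-reaching key.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "theme": {"dark": true}}');
  const result = mergeFn({ theme: { dark: false } }, payload);
  const polluted = prototypeIsPolluted("polluted");
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected
  return { polluted, dark: result.theme.dark };
}

console.log("vulnerable:", demo(mergeVulnerable)); // polluted: true
console.log("hardened:  ", demo(mergeSafe));       // polluted: false
```

The hardened version keeps the legitimate `theme.dark` merge working, which is the point: the fix is a key filter at the merge boundary, not a change in behaviour for well-formed input. Note that a filter which only blocks the literal string `__proto__` is the sort of partial control the guide warns can hide a vulnerability from black-box testing, which is why `FORBIDDEN_KEYS` also covers the other names that can reach a prototype.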

CORS blimey*!

*Explainer for non-native English speakers

In ‘Exploiting trust: Weaponizing permissive CORS configurations’, Outpost24’s Thomas Stacey reveals the results of a project initiated to answer the question: “Are we underestimating CORS vulnerabilities?”. 🤔 Possibly, it seems, given that the application security auditor uncovered multiple CORS (Cross-Origin Resource Sharing) flaws affecting customers, including critical issues involving user sessions. He observes that both the detection and exploitation of permissive CORS can be tricky, the latter “due to modern security controls like the ‘SameSite’ cookie attribute, or even modern application architectures like single-page applications”. Mindful of these challenges, he sets out some tooling and methodology advice for finding vulnerabilities in CORS implementations.
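As an added illustration of what “permissive CORS” means at the header level (this is example code, not from the Outpost24 article), the block below contrasts an origin-reflecting policy with an exact-match allowlist, then gives a classifier that a defender can run over captured responses to flag the risky combinations. The trusted origins, the untrusted probe origin and the cookie settings are all constructed; the `cookieSentOnCrossSiteFetch` helper models only the cross-site fetch/XHR case, which is the one that matters for reading a credentialed CORS response.

```javascript
// Added example: permissive vs allowlisted CORS headers, a response classifier,
// and a SameSite check that explains why a permissive policy is not always exploitable.
// Constructed for illustration; not code from the article.

// Constructed allowlist of trusted origins (hypothetical).
const TRUSTED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Risky pattern: echo whatever Origin arrived and allow credentials. Any site a
// logged-in user visits could then read authenticated responses from this API.
function permissiveCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened pattern: exact-match allowlist; unknown origins get no CORS headers at all,
// so the browser blocks the cross-origin read by default.
function allowlistedCorsHeaders(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Classify a response given the Origin that was sent with the request.
function classifyCorsResponse(requestOrigin, headers, trusted = TRUSTED_ORIGINS) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === undefined) return "no-cors";
  if (acao === "*") return creds ? "misconfigured-wildcard-with-credentials" : "public-wildcard";
  if (acao === "null") return "permissive-null-origin"; // sandboxed iframes send Origin: null
  if (acao === requestOrigin && !trusted.has(requestOrigin)) {
    return creds ? "permissive-reflected-with-credentials" : "permissive-reflected";
  }
  return "allowlisted";
}

// Simplified SameSite model for a cross-site fetch/XHR with credentials included:
// Lax and Strict cookies are withheld, None is sent (and must also be Secure).
function cookieSentOnCrossSiteFetch(sameSite, secure = true) {
  const mode = (sameSite || "Lax").toLowerCase(); // browsers default to Lax when unset
  if (mode === "none") return secure;
  return false;
}

// Audit a header-producing handler with a set of constructed probe origins and
// report, per origin, whether the policy is permissive and whether a session
// cookie with the given SameSite value would actually ride along.
function auditHandler(handler, sessionCookieSameSite) {
  const probes = ["https://app.example.com", "https://untrusted.example", "null"];
  return probes.map((origin) => {
    const verdict = classifyCorsResponse(origin, handler(origin));
    const permissive = verdict.startsWith("permissive") || verdict.startsWith("misconfigured");
    return {
      origin,
      verdict,
      exploitableWithSession: permissive && cookieSentOnCrossSiteFetch(sessionCookieSameSite),
    };
  });
}

console.log(auditHandler(permissiveCorsHeaders, "Lax"));
console.log(auditHandler(permissiveCorsHeaders, "None"));
console.log(auditHandler(allowlistedCorsHeaders, "None"));
```

The audit output is the practical takeaway from the article: the same reflecting handler is a finding in both runs, but only with a `SameSite=None` session cookie does the cross-site read carry the victim's session, which is why the author describes exploitation as harder than detection. Treat the permissive verdict as the thing to fix regardless, since cookie attributes and application architecture can change underneath an API.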

Other recent writeups and InfoSec news of interest include “the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software”; Sonar showing how to turn a file write vulnerability in a Node.js application into RCE when the target’s file system is mounted as read-only; and a data breach involving France’s second largest internet service provider (ISP) and telephone operator, affecting more than 19 million customers and 5.11 million IBAN numbers. 😮

Talkie Pwnii

Next up, Dojo news. Trick or treating might be over for another year, but our platform’s new dark mode 🖤 – released to coincide with the celebration – is here to stay, while our Halloween-themed monthly CTF challenge – ‘Spooky Party Invitation’ – has concluded (congrats to the winners: Atlas_py, qu35t3190 and Fravoi). 👻 The current active challenge is ‘Hacker Forum’, open for submissions until 12 December. Elsewhere on Dojo, another new training module has dropped: insecure deserialization. And finally, check out our new feature, Talkie Pwnii, a series of videos from one of our researcher enablement analysts, pwnwithlove aka pwnii! In the first video, below, pwnii shows you two alternative solutions to our latest Dojo challenge, 'Shell Escape', and a few technical tips and tricks. 🚀

Live Bug Bounty in Argentina

Over the weekend, we ran a successful live Bug Bounty in Buenos Aires, Argentina.

Taking place at Ekoparty across two days, the live hacking event involved targets from Galicia Bank. This was the final top 3:

🥇 🎩 Alan L. aka soyelmago

🥈 Damián Gambacorta aka g4mb4

🥉 Adrián Pedrazzoli aka lemonoftroy

💉 First Blood: Damián Gambacorta aka g4mb4

💥 Best Impact: 🎩 Alan L. aka soyelmago

A huge thank you to Galicia Bank for their trust and involvement. We also want to extend our gratitude to Ekoparty and Bug Bounty Argentina for their support in making this event a resounding success. 🙏

Ekoparty

Highlights from the Ferrero live Bug Bounty

And here is the final podium for another live Bug Bounty that took place at the end of September, with legendary confectionery brand Ferrero providing the targets:

🥇 Sébastien Copin aka Cosades, Antoine Ardino aka Elweth, Jordan DOULIEZ aka Ali4s and Thibault Galbourdin aka Liodeus

🥈 Raphaël Arrouas aka Xel

🥉 Simone Paganessi aka drak3hft7, seeu, Al7eX and Leo Racanelli aka leorac

Watch highlights from this competition, which was Italy’s first-ever live hacking event, below 🍫

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.