Bug Bounty Bulletin #7

Bug Bounty Bulletin #7

Insights, inspiration and hunting opportunities for ethical hackers

Welcome to the seventh edition of YesWeHack’s Bug Bounty Bulletin – comprising new hunting opportunities, CTF-style challenges 🏁, research roundup, plus hacking advice and inspiration for ethical hackers! 💻

We’ll kick off this bumper edition with a new open source tool for understanding how browsers parse HTML and uncovering mutated XSS vulnerabilities. 🛠️ The handiwork of our resident security researcher, Bitk, Dom-Explorer incorporates popular HTML sanitizers Ammonia, Angular, DomPurify, JsXss and SafeValues, while supported parsers include DomParser, Parse5, srcdocParser and TemplateParser. “By using this tool, you can generate this weird behaviour where if your input is not valid, it will change to something that might indicate the potential for vulnerabilities,” says Bitk. The researcher believes Dom-Explorer can simplify, accelerate and send in fresh directions this niche area of security research. 🔥

PHP devotees

In other hacking tool news, ‘Cfreal’, highly respected for his PHP work, has made another significant contribution to this field with the unveiling of lightyear, which helps ethical hackers exploit blind file read primitives in PHP. The researcher says the utility transcends most limitations undermining similar tools. 🚀 

Speaking of PHP, the star of our YouTube channel’s latest hunter Q&A, Blaklis, also favours PHP targets. As well as discussing his preferred scopes, the prolific hunter, who sits 20th on our all-time leaderboard, reflects on how hacking video games introduced him to bug hunting, outlines his typical working day, and tells us which non-computing-related career he thinks most closely resembles Bug Bounty (watch the video below). 🐞 Similarly, we’ve also published a new Q&A writeup, complete with related video, starring HakuPiku, in which he declares a fondness for hacking Android apps and open-source code. 📱

Open source leaderboard

HakuPiku’s penchant for open source means he features on our new open-source leaderboard, which tracks the most successful hunters in terms of valid vulnerabilities reported to our open source programs! Top spots are currently held by calehuri, mdisec and foobar0x7. 🏆 The gap to fourth place suggests that might be the case for a while yet. As for the general leaderboard, Rabhi, Xel and marcosen head the 2024 Q4 rankings so far, mirroring the overall 2024 leaderboard, except for the fact st0rm_ is third overall but fourth for Q4 so far. 👏

Chromium sandbox escape

Back to the research writeups: we're spotlighting research from a hunter who stars on the aforementioned open source leaderboard. In a new blog post, 'Sigabrt' details a case study in which he used AFL++, afl-cov and basic custom harnesses to find a heap overflow bug in libsoup on a YesWeHack public program, namely that of GNOME.

'Ading2210', meanwhile, has recounted how he netted a $20,000 bounty for reporting Chromium vulnerabilities that allowed for a sandbox escape from malicious browser extensions with just “a tiny bit of user interaction”. 💰 The potential consequences were grave: “Instead of merely stealing your passwords and compromising your browser, an attacker could take control of your entire operating system,” he wrote. Eek. One redditor called it “one of the best discovery recaps I've read since The Cuckoo's Egg”.

Multiple vulnerabilities in a Realtek SD card reader, meanwhile, apparently “enabled non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device”. An advisory details Realtek’s fixes for what were seemingly highly serious flaws. “If your laptop is equipped with an SD card reader, it is highly likely to be manufactured by Realtek, making it susceptible to these vulnerabilities as well,” wrote the researcher who found them, ‘ZwClose’. 💻⚠️

Our latest white-box penetration testing guide explores how to debug for JavaScript vulnerabilities. In testing a web application vulnerable to prototype pollution within a Docker container, Brumens’, another of our resident hackers, demonstrates how to debug JavaScript inside Visual Studio Code in order to track payloads throughout the code process and learn how security filters can hide vulnerabilities. Relatedly, we’ve also detailed our top 5 hacking tools for white-box pen testing. 🔧

Other writeups and InfoSec news of interest this month include “the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software”; Sonar showing how to turn a file write vulnerability in a Node.js application into RCE when the target’s file system is mounted as read-only; and a data breach involving France’s second largest internet service provider (ISP) and telephone operator, affecting more than 19 million customers and 5.11 million IBAN numbers. 😮

Unlock your brain; harden your system

On to our events calendar, and we have just two November events to flag but they're pretty cool ones! First up, there’s the superbly named ‘Unlock Your Brain, Harden Your System’ , which takes place in Brest, France on 8-9 November. 🧠 Our tech ambassador Lucas Philippe aka BitK is delivering a workshop on ‘Detecting and exploiting prototype pollution in JavaScript applications” between 10am-12pm on 8 November. The following day, 9 November, between 11,15am-12pm, Tom Chambaretaud aka Aethlios, technical lead & security analyst at YesWeHack, will talk about ‘Insecure time-based secret in web applications and Sandwich Attack exploitation’. 📅

The following week, in Buenos Aires, Argentina, we’ll host a live Bug Bounty at Ekoparty, across two days, specifically 14-15 November. Watch highlights from our recent live hacking event in Italy below, with scopes provided by sweet-packaged foods giant Ferrero, for a foretaste of what that involves. 🍫  

As per our policy, the Ekoparty targets will only be revealed on the day, but we can tell you that participation will be open to all Ekoparty attendees. 🕵️ The day before this live hacking event begins, 13 November, starting 4:30pm, Alex Brumen, Researcher Enablement Analyst at YesWeHack, will present ‘Limitations are just an illusion: advanced server-side template exploitation with RCE Everywhere'. Our team will also hand out swag and discuss out platform on booth 10 throughout the three-day event. Finally, Selim Jaafar, head of customer success at YesWeHack, will feature on a panel discussing the Bug Bounty industry, 2pm-4.30pm on 13 November, alongside security experts from Meta, Bugcrowd, Hackerone, MercadoLibre and Brotek. 💪

Spooky CTF

Finally, Dojo news. Trick or treating might be over for another year, but our platform’s new dark mode 🖤 – released to coincide with the celebration – is here to stay, while our Halloween-themed monthly CTF challenge – ‘Spooky Party Invitation’ – is open for submissions a little longer, until tomorrow. 👻 Elsewhere on Dojo, another new training module has dropped: insecure deserialization. 🚀

PS. Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

PPS. This isn’t the only way to keep track of YesWeHack content, hacking competitions and hunting opportunities! You can also follow us on X/Twitter and LinkedIn.

To view or add a comment, sign in

More articles by YesWeHack

Insights from the community

Others also viewed

Explore topics