Bug Bytes #129 – LEXSS, SSRF via ColdFusion/CFML tags & ForgeRock OpenAM RCE

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from June 21 to 28.

Our favorite 5 hacking items

1. Articles of the week

LEXSS: Bypassing Lexical Parsing Security Controls
SSRF in ColdFusion/CFML Tags and Functions

In the first article, Chris David does a deep dive into special HTML tags that take exploit inconsistencies between the HTML parser and sanitizing lexical parsers to achieve XSS. This is excellent research, next-level XSS!

The second article by @hoyahaxa is about CFML tags and functions that can be used to perform SSRF. It’s really good research and a blog worth following.

2. Writeup of the week

Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)

@artsploit started looking at OAuth vulnerabilities in bug bounty programs. They ended up with pre-authentication RCE via Java deserialization in the Jato framework used by ForgeRock OpenAm.
This is a great writeup worth dissecting to learn about deserialization and the bug hunter’s thought process.

3. Tools of the week

onaws
pcap-burp

@amalmurali47‘s onaws is a Python tool that fetches details of assets hosted on AWS. It is a convenient tool to quickly identify if an IP or hostname is in the AWS IP space, including the service and region details.

@neonbunny9‘s pcap-burp is a Burp extension for importing and passively scanning Pcap files. It is handy for testing apps that you just can’t proxy through Burp, but still want to analyse their traffic captured with Wireshark/tcpdump.

4. Video of the week

ep01 – CTF TEARDOWN – HackerOne CodeCanCare 100k CTF

This is a walkthrough of the recent H1 100k CTF by its creator, @adamtlangley. It is very informative for anyone interested in Web security. The techniques involved include subdomain takeover, XXE, SQL injection, data exfiltration via ICMP and source code review (plus insights into the CTF creation process).

5. Tip of the week

Bypassing email registration forms that require a corporate domain only

This Twitter thread is about bypassing the requirement of a corporate domain email in registration forms. Some techniques worth trying are putting the domain name in caps, or using unexpected email address formats @securinti-style.

Other amazing things we stumbled upon this week

Videos

• Hacker Heroes #2 – @InsiderPhD (Interview)
• $25,000 Facebook.com postMessage account takeover vulnerability
• Found a Crash Through Fuzzing? Minimize AFL Testcases! & Blog post
• Pentester Diaries Ep6: The Importance of Report Writing

Podcasts

• Halfway Through 2021 – Google’s FLoC, $600M Ransomware Attack, Where Will Windows 11 Run?
• The InfoSec & OSINT Show 62 – Alissa Knight & Hacking Cars

Webinars

• Don’t Gamble with Golden SAML
• Introduction to web cache poisoning
• Attack and Defend: The Dangers of Modern Distributed Applications

Conferences

• BSides Athens 2021
• x33fcon Europe 2021

Tutorials

Medium to advanced

• Azure Persistence with Desired State Configurations
• XSS Filter Evasion And WAF Bypassing
• 4 Useful fzf Tricks for Your Terminal
• Manage Cobalt Strike with Services

Beginners corner

• Cut the crap from Intercept
• Hacker tools: XSStrike – Hunting for low-hanging fruits.
• Graphql Exploitation – Part 3- Injection Attacks And XSS Attacks
• Intercepting Flutter iOS Application
• Bug Bounty on Android : setup your Genymotion environment for APK analysis
• Wi-Fi Penetration Testing – Part 2 (PreConnection Attack)

Writeups

Challenge writeups

• How to solve an XSS challenge from Intigriti in under 60 minutes & Intigriti — XSS Challenge 0621
• SQL Injection – Lab #13 Blind SQL injection with time delays
• TENTACLE Walkthrough by t1v0
• Subdomain takeover, CSRF, IDOR, XSS, Code review and many more! [CTF walkthrough]

Pentest writeups

• Stupid Unix Tricks – Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE
• Crypto Wallet Local Storage Attack

Responsible(ish) disclosure writeups

• The Fault in Our Stars: Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
• Linux marketplaces vulnerable to RCE and supply chain attacks
• AEM CRX Bypass: The 0-day that took control over some enterprise AEM CRX Package Manager
• Multiple pre-auth RCEs in Apache Dubbo
• PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service & Impacket implementation
• CVE-2021-1497: Cisco Hyperflex HX Auth Handling Remote Command Execution
• Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

N-day vulnerabilities

• CVE-2021-27850 Exploit (Apache Tapestry unauthenticated RCE)
• Using CVE-2020-9971 to escape Microsoft Office’s app sandbox
• CVE-2020-3580: Proof of Concept Published for Cisco ASA Flaw Patched in October

Bug bounty writeups

• A supply-chain breach: Taking over an Atlassian account (Atlassian)
• Three Microsoft Store vulnerabilites & Microsoft Store free purschase vulnerabilites (Microsoft)
• Cracking Encrypted Credit Card Numbers Exposed By API
• Flywheel Subdomain Takeover
• gcp-dhcp-takeover-code-exec (Google)
• Microsoft Edge uXSS POC CVE-2021-34506 (Microsoft, $20,000)
• Some ways to find more IDOR
• Gaining access to protected components
• Stored XSS in IE11 on hackerone.com via custom fields (HackerOne, $2,500)

See more writeups on The list of bug bounty writeups.

Tools

• Serialized Payload Generator & Intro: A Web Interface to generate payload using various deserialization exploitation frameworks
• ZDNS: Fast CLI DNS Lookup Tool
• raccoon & Intro: Salesforce object access auditor
• SharpMailBOF: A BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay

Tips & Tweets

• HTML tags that have special parsing rules
• @garethheyes’s alternatives ways to run alert(2): 1, 2, 3 & 4
• Signed bucket disclosure via GraphQL
• Python eval RCE

Misc. pentest & bug bounty resources

• HackingKubernetes
• Infosec House
• Modern Unix
• awesome-apisec
• linux-default-file-locations
• Cloud Pentesting (Azure/AWS/GCP)

Challenges

• CryptoHack New Challenges 06/2021
• SANS.edu HBCU Scholarship CTF (July 27-28)

Articles

• Building XSS Polyglots
• AD CS relay attack – practical guide
• Knock! Knock! The postman is here! (abusing Mailslots and PortKnocking for connectionless shells)

Bug bounty & Pentest news

• Seven years of the GitHub Security Bug Bounty program
• Google: Announcing a unified vulnerability schema for open source
• New TCM Security course: Movement, Pivoting, and Persistence
• Security organizations join forces with EFF to lobby for DMCA reform
• Upcoming events
  • BSides Amman 2021 2nd Edition (featuring @mazen160 on Attack Vectors on Terraform Environments)
• Updates
  • dnsx v1.0.5 (new DNS code probing feature/flag)
  • bbrf-serber now installs a reverse proxy for speed
  • Ghidra 10.0
  • Learning from our Myths (Mythic 2.2 release)

Non technical

• @zseano AMA
• Meet the hacker: Katie Paxton-Fear
• ROP and Roll: EXP-301 Offensive Security Exploit Developer (OSED) Review and Exam

Community pick of the week

A dog hunter 😍 Enjoy your swag and time with this cutie, @svennergr!

If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!