Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 21 to 28.
Our favorite 5 hacking items
1. Articles of the week
LEXSS: Bypassing Lexical Parsing Security Controls
SSRF in ColdFusion/CFML Tags and Functions
In the first article, Chris David does a deep dive into special HTML tags that exploit inconsistencies between the HTML parser and sanitizing lexical parsers to achieve XSS. This is excellent research, next-level XSS!
The second article by @hoyahaxa is about CFML tags and functions that can be used to perform SSRF. It’s really good research and a blog worth following.
2. Writeup of the week
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
@artsploit started looking at OAuth vulnerabilities in bug bounty programs. They ended up with pre-authentication RCE via Java deserialization in the Jato framework used by ForgeRock OpenAM.
This is a great writeup worth dissecting to learn about deserialization and the bug hunter’s thought process.
3. Tools of the week
@amalmurali47's onaws is a Python tool that fetches details of assets hosted on AWS. It is a convenient tool to quickly identify whether an IP or hostname is in the AWS IP space, including the service and region details.
@neonbunny9's pcap-burp is a Burp extension for importing and passively scanning pcap files. It is handy for testing apps that you just can't proxy through Burp but whose traffic you still want to analyse after capturing it with Wireshark/tcpdump.
4. Video of the week
ep01 – CTF TEARDOWN – HackerOne CodeCanCare 100k CTF
This is a walkthrough of the recent H1 100k CTF by its creator, @adamtlangley. It is very informative for anyone interested in Web security. The techniques involved include subdomain takeover, XXE, SQL injection, data exfiltration via ICMP and source code review (plus insights into the CTF creation process).
5. Tip of the week
Bypassing email registration forms that require a corporate domain only
This Twitter thread is about bypassing the requirement of a corporate domain email in registration forms. Some techniques worth trying are putting the domain name in caps, or using unexpected email address formats @securinti-style.
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups in The list of bug bounty writeups.
- Serialized Payload Generator & Intro: A web interface to generate payloads using various deserialization exploitation frameworks
- ZDNS: Fast CLI DNS Lookup Tool
- raccoon & Intro: Salesforce object access auditor
- SharpMailBOF: A BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Community pick of the week
A dog hunter 😍 Enjoy your swag and time with this cutie, @svennergr!
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!