Bug Bytes #113 – MS Exchange pre-auth RCE, Burp Crawler demystified & SSO security thesis

By Anna Hammond

March 10, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from March 1 to 8.

Intigriti News

Spectre’s comeback, Exchange zero-days & Risky JSON parsing and Go packages

Our favorite 5 hacking items

1. Articles of the week

Web application cartography: mapping out Burp Suite’s crawler
Security and Privacy of Social Logins & Thesis

The first article is about the internals of Burp’s crawler. Whether you’re a Burp user or interested in Web crawling in general, it is fantastic to discover how it does its magic and overcomes challenges of modern Web apps that make crawling them difficult.

The second article (or rather a brilliant series of three articles plus a full thesis!) are all about SSO security. Louis Jannett analyzed real-world implementations of SSO (including Apple, Google, and Facebook SSO) and shared common weaknesses and vulnerabilities found.

2. Writeup of the week

TryHackMe X HackerOne CTF WriteUp (Hacker Of The Hill)

This is a solid writeup for the recent “Hacker of the Hill” CTF. It shows some interesting Web hacking techniques that might be useful for real tests (e.g. path traversal leveraging RFC822).

3. Video of the week

Finding Your Next Bug: GraphQL Hacking – Katie Paxton-Fear (@InsiderPhd)

This is an excellent introduction to GraphQL hacking. The best part? Not only does @InsiderPhD tell you everything you need to start testing GraphQL implementations, she also provides a lab to practice (see the intentionally vulnerable Generic-University that has a newly added GraphQL API).

4. Tools of the week

netz & Intro

BurpSuiteAutoCompletion by @_StaticFlow_ is a Burp extension that adds header autocompletion to Repeater and Intruder tabs. This is a huge time-saver if you often need to change/add HTTP headers. The headers list used by default is from Seclist but you can customize it.

Netz is a Go tool for mass-scanning the Internet similarly to Shodan, Censys or ZoomEye, but with the ability to perform any custom checks. I haven’t tried it but bookmarked it in case I need to run large scale scans.

Another interesting tool is logger.js, @fransrosen‘s reflection script that helps him find script gadgets for XSS. Worth a try if you’re into DOM XSS!

5. Bugs of the week

@orange_8361 reently teased about a Microsoft Exchange pre-auth RCE, then shared a site and demo for the the bug called Proxylogon. It turned out to be part of a pretty bad RCE bug chain currently being exploited in-the-wild.

I didn’t find a detailed writeup of all vulnerabilities but here a few resources to keep you up to date:

Other amazing things we stumbled upon this week





Medium to advanced

Beginners corner


Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • Wingman: XSS scanner

  • http2smugl: Go tool that helps detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion by the frontend server

  • dnspy: Find subdomain takeovers

  • BurpFeed: Python and Go tool for feeding urls into Burp’s Sitemap

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical

Community pick of the week

We’d love to hear from you too about your bug bounty wins, swag and joys. Tag us on social media if you want to share them with other Bug Bytes readers.

You may also like