Bug Bytes #129 – LEXSS, SSRF via ColdFusion/CFML tags & ForgeRock OpenAM RCE

By Anna Hammond

June 30, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from June 21 to 28.

Our favorite 5 hacking items

1. Articles of the week

LEXSS: Bypassing Lexical Parsing Security Controls
SSRF in ColdFusion/CFML Tags and Functions

In the first article, Chris David does a deep dive into special HTML tags that take exploit inconsistencies between the HTML parser and sanitizing lexical parsers to achieve XSS. This is excellent research, next-level XSS!

The second article by @hoyahaxa is about CFML tags and functions that can be used to perform SSRF. It’s really good research and a blog worth following.

2. Writeup of the week

Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)

@artsploit started looking at OAuth vulnerabilities in bug bounty programs. They ended up with pre-authentication RCE via Java deserialization in the Jato framework used by ForgeRock OpenAm.
This is a great writeup worth dissecting to learn about deserialization and the bug hunter’s thought process.

3. Tools of the week


@amalmurali47‘s onaws is a Python tool that fetches details of assets hosted on AWS. It is a convenient tool to quickly identify if an IP or hostname is in the AWS IP space, including the service and region details.

@neonbunny9‘s pcap-burp is a Burp extension for importing and passively scanning Pcap files. It is handy for testing apps that you just can’t proxy through Burp, but still want to analyse their traffic captured with Wireshark/tcpdump.

4. Video of the week

ep01 – CTF TEARDOWN – HackerOne CodeCanCare 100k CTF

This is a walkthrough of the recent H1 100k CTF by its creator, @adamtlangley. It is very informative for anyone interested in Web security. The techniques involved include subdomain takeover, XXE, SQL injection, data exfiltration via ICMP and source code review (plus insights into the CTF creation process).

5. Tip of the week

Bypassing email registration forms that require a corporate domain only

This Twitter thread is about bypassing the requirement of a corporate domain email in registration forms. Some techniques worth trying are putting the domain name in caps, or using unexpected email address formats @securinti-style.


Other amazing things we stumbled upon this week






Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • Serialized Payload Generator & Intro: A Web Interface to generate payload using various deserialization exploitation frameworks

  • ZDNS: Fast CLI DNS Lookup Tool

  • raccoon & Intro: Salesforce object access auditor

  • SharpMailBOF: A BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical

Community pick of the week

A dog hunter 😍 Enjoy your swag and time with this cutie, @svennergr!

If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!

You may also like