Bug Bytes #134 – SAML authentication bypass, RCE in PyPI & Lesser known XXE attack vectors

By Anna Hammond

August 6, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from July 26 to August 2.

Our favorite 5 hacking items

1. Writeups of the week

Securing XML implementations across the web
Zimbra 8.8.15 – Webmail Compromise via Email

Mattermost researcher @jupenur disclosed round-trip vulnerabilities found in four XML parsers. Interestingly, they lead to authentication bypass in major SAML implementations.

The other writeup by @scannell_simon is about DOM-based stored XSS and authenticated SSRF. Chaining them increased their impact and would’ve allowed unauthenticated attackers to compromise Zimbra webmail servers.

2. Writeups² of the week

XXE Case Studies
Potential remote code execution in PyPI (pypi.org, $3,000)

The first writeup by @cinzinga_ has some interesting attack vectors for XXE, e.g. XXE via KML, proprietary file formats, PDF and Excel files. They’re worth knowing if you like to test for XXE.

The second writeup is the continuation of @ryotkak’s work on supply-chain attacks. Static analysis of PyPI’s source code revealed three vulnerabilities, including RCE on pypi.org.

3. Tool of the week

hallucinate & Intro

Hallucinate allows you to inspect and manipulate TLS traffic using dynamic instrumentation. Unlike a Web proxy such as Burp, it does not replace certificates, so it is particularly useful when you want to analyze an app’s encrypted traffic without having to bypass certificate pinning.

4. Video of the week

DO NOT USE alert(1) for XSS & Blog post

If you use alert(1) when looking for XSS, you’ll find this very informative. @LiveOverflow demonstrates why it can lead to false positives (e.g. if the XSS payload runs in a sandboxed domain/iframe) and which other Proofs of Concept are generally better to use.

5. Resource of the week

Last Week in Security (LWiS) – 2021-08-02

Last Week in Security (LWiS) is @badsectorlabs’s weekly summary of offensive security news, techniques and tools. It is similar to Bug Bytes but focuses more on the red team / internal pentest / Active Directory side. So if these are the topics you’re most interested in, it is a great newsletter to follow.

I usually also include these topics in Bug Bytes, but this week in particular there have been too many noteworthy new tools and attacks. So, exceptionally, this Bug Bytes will focus almost exclusively on Web / API / mobile hacking; for all the new AD and red teaming fun, please refer to LWiS.


Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • dnsline: Tool for making it easy to collect DNS results from the CLI

  • Sanity: MXSS Fuzzer

  • SaveBrowsingImages: Burp extension to save all browsed images to disk

  • Revealin: Uncover the full name of a target on LinkedIn

  • Key-Checker: Go scripts for checking API key / access token validity

  • reverse-apk: Quickly analyze and reverse engineer Android applications

  • plution: Prototype pollution scanner using headless Chrome

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

This is so inspiring! Make sure to check out @zseano’s free methodology to see how these guys did it 😎

Also tag us on social media to share your own bug hunting wins and joys, we love hearing from you!
