Bug Bytes #165 – Spring4Shell, CDN WAF bypass & Practical cryptography for pentesters

By Anna Hammond

March 31, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from March 21 to 28.

Intigriti news

Changelog #33 – Collaboration makes you better!

Stijn Jans and Inti De Ceukelaire, Intigriti: “bad actors won’t seek your permission to hack your business”

Our favorite 5 hacking items

1. Vulnerabilities of the week

Spring4Shell & CVE-2022-22963 – Java 0-days in Spring

There is a lot of chatter about 0-days in Spring and some confusion because there isn’t one but two vulnerabilities:

  • Spring4Shell is a severe RCE via insecure deserialization in Spring Core. It is exploited in the wild, was leaked by a Chinese-speaking researcher, and has neither a patch nor a CVE yet.

  • CVE-2022-22963 is a less severe and patchable SpEL Expression Injection in Spring Cloud Function.

Some say it is the new Log4shell and others say there is no need to panic about Spring4Shell as it is only exploitable in certain configurations. Until we know more, here are some good resources to dive into both vulnerabilities:

2. Writeups of the week

Ruby Deserialization – Gadget on Rails (Ruby on Rails)
PHP filter_var shenanigans

@httpvoid0x2f’s latest writeup is a deep dive into insecure deserialization in Ruby/Rails. They go over the current state of Ruby deserialization gadget chains, and show how they discovered a new RCE gadget for the latest version of Rails.

The second writeup is about a vulnerability in PHP that allows circumventing filter_var() in some cases. There are some limitations, but it is interesting to see @pwningsystems’s process for finding this, and it is a good research opportunity, as @albinowax pointed out.

3. Videos of the week

🎙️ HTB Stories #8: Bug Bounties 101 w/InsiderPhD
rootxharsh Talks About Recon, Finding A $50,000 Remote Command Execution in Apple, and more!

@InsiderPhD and @rootxharsh are two of my favorite hackers.
@rootxharsh is part of HTTPVoid, a crew of bug hunters who have been putting out amazing writeups lately like the Ruby Deserialization bug mentioned above.
And @InsiderPhD juggles between multiple specialties and often shares cool productivity tips in addition to technical content.

So, these interviews are a nice opportunity to get to know them more and pick up some useful insights on how they think and hack.

4. Article / Tool of the week

Bypassing CDN WAF’s with Alternate Domain Routing & CDN Proxy

@Ryan_Jarv shares a really cool attack and tool for bypassing WAFs.
The tool currently supports CloudFlare and CloudFront, with two prerequisites: knowing the server’s origin IP, and the web app being accessible from the CDN’s shared IP range.
In these conditions, the “Alternate Domain Routing” attack allows you to completely bypass the CloudFlare or CloudFront WAF, access the server directly and bypass any IP restrictions or rate limiting.

5. Conference of the week

Practical Cryptography for Infosec Noobs & Slides

This is an awesome talk if you want to learn practical cryptography, beyond the easy or unrealistic challenges found in many CTFs.
@mubix demonstrates how to identify and decrypt random data in real life, for example during pentesting or bug hunting when you don’t even know the type of cryptography used.


Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical
