Bug Bytes #129 – LEXSS, SSRF via ColdFusion/CFML tags & ForgeRock OpenAM RCE
By Anna Hammond
June 30, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from June 21 to 28.
Our favorite 5 hacking items
1. Articles of the week
LEXSS: Bypassing Lexical Parsing Security Controls
SSRF in ColdFusion/CFML Tags and Functions
In the first article, Chris David does a deep dive into special HTML tags that exploit inconsistencies between the browser's HTML parser and sanitizers' lexical parsers to achieve XSS. This is excellent research, next-level XSS!
The second article by @hoyahaxa is about CFML tags and functions that can be used to perform SSRF. It’s really good research and a blog worth following.
2. Writeup of the week
Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
@artsploit started looking at OAuth vulnerabilities in bug bounty programs. They ended up with pre-authentication RCE via Java deserialization in the Jato framework used by ForgeRock OpenAM.
This is a great writeup worth dissecting to learn about deserialization and the bug hunter’s thought process.
3. Tools of the week
@amalmurali47’s onaws is a Python tool that fetches details of assets hosted on AWS. It is a convenient tool to quickly identify if an IP or hostname is in the AWS IP space, including the service and region details.
@neonbunny9’s pcap-burp is a Burp extension for importing and passively scanning Pcap files. It is handy for testing apps that you just can’t proxy through Burp, but still want to analyse their traffic captured with Wireshark/tcpdump.
4. Video of the week
ep01 – CTF TEARDOWN – HackerOne CodeCanCare 100k CTF
This is a walkthrough of the recent H1 100k CTF by its creator, @adamtlangley. It is very informative for anyone interested in Web security. The techniques involved include subdomain takeover, XXE, SQL injection, data exfiltration via ICMP and source code review (plus insights into the CTF creation process).
5. Tip of the week
Bypassing email registration forms that require a corporate domain only
This Twitter thread is about bypassing the requirement of a corporate domain email in registration forms. Some techniques worth trying are putting the domain name in caps, or using unexpected email address formats @securinti-style.
Other amazing things we stumbled upon this week
Videos
$25,000 Facebook.com postMessage account takeover vulnerability
Found a Crash Through Fuzzing? Minimize AFL Testcases! & Blog post
Podcasts
Webinars
Conferences
Tutorials
Medium to advanced
Beginners corner
Graphql Exploitation – Part 3 – Injection Attacks And XSS Attacks
Bug Bounty on Android: setup your Genymotion environment for APK analysis
Writeups
Challenge writeups
How to solve an XSS challenge from Intigriti in under 60 minutes & Intigriti — XSS Challenge 0621
SQL Injection – Lab #13 Blind SQL injection with time delays
Subdomain takeover, CSRF, IDOR, XSS, Code review and many more! [CTF walkthrough]
Pentest writeups
Responsible(ish) disclosure writeups
Linux marketplaces vulnerable to RCE and supply chain attacks
AEM CRX Bypass: The 0-day that took control over some enterprise AEM CRX Package Manager
PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service & Impacket implementation
CVE-2021-1497: Cisco Hyperflex HX Auth Handling Remote Command Execution
Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin
N-day vulnerabilities
CVE-2021-27850 Exploit (Apache Tapestry unauthenticated RCE)
Using CVE-2020-9971 to escape Microsoft Office’s app sandbox
CVE-2020-3580: Proof of Concept Published for Cisco ASA Flaw Patched in October
Bug bounty writeups
A supply-chain breach: Taking over an Atlassian account (Atlassian)
Three Microsoft Store vulnerabilities & Microsoft Store free purchase vulnerabilities (Microsoft)
gcp-dhcp-takeover-code-exec (Google)
Microsoft Edge uXSS POC CVE-2021-34506 (Microsoft, $20,000)
Stored XSS in IE11 on hackerone.com via custom fields (HackerOne, $2,500)
See more writeups on The list of bug bounty writeups.
Tools
Serialized Payload Generator & Intro: A Web Interface to generate payload using various deserialization exploitation frameworks
ZDNS: Fast CLI DNS Lookup Tool
SharpMailBOF: A BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay
Tips & Tweets
Misc. pentest & bug bounty resources
Challenges
Articles
Bug bounty & Pentest news
Google: Announcing a unified vulnerability schema for open source
New TCM Security course: Movement, Pivoting, and Persistence
Security organizations join forces with EFF to lobby for DMCA reform
Upcoming events
BSides Amman 2021 2nd Edition (featuring @mazen160 on Attack Vectors on Terraform Environments)
Updates
dnsx v1.0.5 (new DNS code probing feature/flag)
Learning from our Myths (Mythic 2.2 release)
Non technical
Community pick of the week
A dog hunter 😍 Enjoy your swag and time with this cutie, @svennergr!
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!