For those of you who didn't see it yet, last week I published a video about an account takeover on Facebook. It was very similar to the OAuth attacks described in the previous newsletter and I suspect we will see more of these in 2022. So if you are not familiar with...
Writeups
GravCMS Arbitrary YAML Write leads to Code Execution (CVE-2021-21425)
This amazing write-up shows you how to properly utilise reading code to your advantage. You can learn exactly what was wrong with the PHP code that allowed Mehmet Ince to bypass authentication and authorization and then achieve RCE via a malicious YAML file....
GitLab RCE via metadata
Seeing many RCE payloads in image metadata, I wondered what is required for those payloads to be triggered. Now I know: there's an awesome report on HackerOne from GitLab, where it was possible to execute arbitrary commands via metadata in the image....
Exploiting X-Forwarded-For XSS by poisoning the cache
Very good article by Gal Nagli, describing the history of XSS exploited by poisoning the cache. The fact that you can do this is not anything new, but two points were important and you need to remember them if you ever encounter a cache poisoning bug. Not every file...
50 SSRFs found in ColdFusion
3 weeks ago on my channel, I published a video about a 0-day in Lucee that was exploited on an Apple server. The video is doing really well, closing in on 10k views, so you probably saw it already and you are familiar with ColdFusion and CFML tags. It turned out that 50 (!)...
Many struggled for hours, he did it in 57 minutes
What an XSS-themed issue of the BBRE newsletter this is... This time, let's look at it from yet another side. Intigriti is known for awesome and really hard monthly XSS challenges. The June XSS challenge was completed by only 16 hackers! It's hard to tell how many tried...
$20,000 RCE in GitLab via 0day in exiftool
If you haven't yet watched my video from last week, please watch it or add it to the "Watch Later" playlist. In my opinion, it's a really cool bug! https://youtu.be/YYLqzj5-N7w
Prototype pollution writeups
A few weeks ago in the newsletter, I told you a bit about the prototype pollution vulnerability class. In the last 2 weeks, I found 2 cool write-ups about this vulnerability class. One is Ngo Wei Lin's solution to the challenge by Michał Bentkowski....
Discovery and exploitation of RCE via deserialization
Shubham Shah, one of the hunters I follow most closely, released a writeup about finding a deserialization RCE in Sitecore Experience Platform CMS. He describes the whole process, from approaching the codebase of .NET applications, up to the command used to prepare...
Bug Hunter recorded himself finding a $10k SSRF in Google
David Schütz, the first guest of my BBRD podcast and the author of 2 vulnerabilities covered on my channel, had an idea to record himself while bug hunting on Google. He did that and he captured the whole process of finding and escalating an SSRF found in Google. We...