🪲 Bug Bounty Reading

Methodology methodology

• Zseanos Methodology | Yasmeena Rezk - Xmind
• How to Understand a New Codebase Quickly – avdi.codes.

Cite

The best way I know to get acquainted with an unknown codebase is to fire it up locally (this alone may be very hard). Then approach softly, humbly, as a mere user. Start making theories about how it works, and what parts of the code are responsible for the behaviors you see.

Then deliberately start breaking it.

And notes. Take oh so many notes.

• TILs are junk food

Abstract

Nó giống như việc xem shorts/reels và làm chúng ta bị FOMO.

Chúng ta không cần một random fact để trở nên hứng thú với điều gì đó. Thay vào đó, ta nên chủ động tìm kiếm các thông tin mà ta thấy hứng thú hoặc làm project.

• So, you want to get into bug bounties?

Cite

I recommend you spend as much time actually hacking, because it is not time wasted even if you do not find any valid issues.

I do encourage that you learn how to build, not just break things. This can be a major advantage in bug bounties as it allows you to potentially better understand how systems are built, so you can formulate attacks to break them.

What you may find is that some companies are harder to find vulnerabilities in (how long it takes to find security issues), and you may give up before you find anything, but you need to understand that there are still vulnerabilities yet to be found for any attack surface. In bug bounties, you have to be comfortable with spending a lot of time not finding anything and genuinely enjoy the journey not just the destination.

I cannot understate how important it is to be constantly learning as a bug bounty hunter and challenging yourself to learn concepts in other hackers write ups that you do not immediately understand.

My advice to you is to specialise (i.e. become a master at) on what you enjoy the most in bug bounties. There are companies running bug bounties that cover the wide spectrum of technologies and platforms needed to be a perfect battle ground to progress your skills enough to mastery.

When reporting bugs to bug bounty programs, I highly recommend you forget about the submission and start finding more bugs that you can report, immediately. Another harsh reality you should be prepared for is that programs may not see the risk the same way you do when you find and report a vulnerability.

Something I suggest to those getting into bug bounties is to find a specific program that you want to focus on and become a master at understanding the assets on that programs attack surface, and the technologies and processes this program may employ.

If you start sensing that you are burning out, the worst thing to do is try and push yourself to work harder and longer. When experiencing burn out, stop doing what you’re doing and spend some time decompressing.

• Why Do We Reject Some Vulnerability Submissions? (Bug Bounty Basics)

Summary

Để một vulnerability được xem là hợp lệ thì nó cần ảnh hưởng đến CIA và có thể khai thác được. Các best/bad practices không được xem là vulnerability.

• Monke’s Guide to Bug Bounty Methodology

Summary

Hacking With Direction: Hacking với mục đích cụ thề chẳng hạn như “hôm nay tôi sẽ tìm ra các params bị reflected vào DOM”.

Motivation: Có thể set routine hằng ngày thay vì dựa vào motivation do nó không ổn định.

Starting Out: Đừng so sánh với người khác. Không ai giỏi ngay từ ban đầu. Việc tìm được bao nhiêu bug là không quan trọng, quan trọng là ta bắt đầu và thực hành. Và hơn hết là học được thứ gì đó và phát triển bản thân.

Flexible Thinking: Không nên đóng khuôn application vào một loại lỗi nhất định. Thay vào đó, ta nên xem xét cách mà ứng dụng phản hồi và tìm lỗi cụ thể đặc thù cho từng loại ứng dụng.

Assumptions: Không nên giả sử một feature nào đó là an toàn.

Generating Ideas: Khi bị stuck, hãy nghỉ ngơi, không nghe nhạc rồi quay lại sau. Sự buồn chán cùng với suy nghĩ sẽ giúp sinh ra ideas mới.

Dissecting Attack Surface: Bugbounty là impact-based, chúng ta chỉ nên tìm các lỗ hổng mà có impact đến thứ mà công ty quan tâm. Ví dụ, ứng dụng chat sẽ là các cuộc hội thoại còn ứng dụng tài chính sẽ là các dữ liệu tài chính.

Dành ít nhất 30 tiếng cho từng program.

Starting From Zero: Đừng áp lực bản thân là sẽ thành công mà hãy tận hưởng quá trình học và săn bug. Tất nhiên, cũng không nên đặt áp lực vào việc học.

Đừng report bug nếu không chắc chắn về impact.

• Map your hacking sessions- then execute - Douglas Day’s Blog
• The Bug Hunter’s Methodology Full 2-hour Training by Jason Haddix
• GitHub - HolyBugx/HolyTips: A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.

Recon recon

• Cracking the lens: targeting HTTP’s hidden attack-surface
• Finding Hidden Parameters: Advanced Enumeration Guide
• 7 Overlooked recon techniques to find more vulnerabilities
• GitHub dorking for beginners: How to find more vulnerabilities
• Shodan & Censys for beginners: How to find more vulnerabilities
• Abusing Exposed Sourcemaps
• Bypassing Reverse Proxies: How to identify the origin IP
• How to access servers behind Cloudflare by bypassing the firewall.

Authentication broken-authentication

• Account hijacking using “dirty dancing” in sign-in OAuth-flows - Labs Detectify
• Not So Dirty Dancing in GIS SDK
• Salt Labs Finds OAuth Abuse Used to Take Over Accounts oauth-vulns
• New OAuth Vulnerability Impacts Hundreds of Online Services oauth-vulns
• OAuth Account Takeover - Account Takeover on Booking.com oauth-vulns
• Bypassing HackerOne 2FA due to race condition. | by Akash Hamal | Medium 2fa-bypass
• PayPal Bypass OTP Verification Code Vulnerability Worth $15,000 Bounty IDOR 2fa-bypass
• Common OAuth Vulnerabilities · Doyensec’s Blog oauth-vulns
• OAuth 2.0 Client Credentials Misuse in Public Apps
• SCIM Hunting - Beyond SSO · Doyensec’s Blog oauth-vulns SCIM
• What is Pre-Account Takeover? Exploitations & Security Tips
• Trivial C# Random Exploitation · Doyensec’s Blog csharp cryptography
• Using Microsoft SSO to Achieve Full Account Takeover • SECarius
• Full Account Takeover (0-Click ATO) — My Story with a Critical Vulnerability | by Nayef Hamouda | Aug, 2025 | Medium
• How I Found a Critical Password Reset Bug in the BB program(and Got $4,000) | by Imran Hossain | Aug, 2025 | Medium password-attacking
• OTPs For Everyone: The Simplest $OTPLeak$ You’ll Ever Find | by tinopreter | Oct, 2025 | Medium 2fa-bypass
• Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms oauth-vulns
• Defending OAuth: Common attacks and how to prevent them — WorkOS oauth-vulns
• 🛠️ OAuth 2.0 | The Hacker Recipes oauth-vulns
• Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 | Google Cloud Blog
• JWT Reuse

Authorization broken-access-control

• Bypassing Access Control through OPTIONS Request + Method Smuggling: A HackerOne Finding | by Ayush Kumar | Apr, 2025 | Medium
• Mastering 403 Forbidden Bypass Techniques bypass-403
• Mastering 403 Forbidden Bypass Techniques - Part 2 bypass-403
• GitHub - PalindromeLabs/awesome-websocket-security: Awesome information for WebSockets security research

XSS XSS

• Turb0 - From Component to Compromised: XSS via React createElement
• Zoom Session Takeover - Cookie Tossing Payloads, OAuth Dirty Dancing, Browser Permissions Hijacking, and WAF abuse | Harel Security Research
• About This Series | Beyond XSS
• aretekzs | From Self-XSS, HttpOnly Cookies and no iframes to ATO
• Hunting postMessage Vulnerabilities – Part 1 | Ryuku | Web Security & Bug Bounty postmessage
• Hunting postMessage Vulnerabilities – Part 2 | Ryuku | Web Security & Bug Bounty postmessage
• Pwning OpenAI Atlas Through Exposed Browser Internals | Hacktron AI
• Bug Bounty: Stored XSS via Markdown (I got P2 in 1 minute!)
• Markdown based Stored XSS in Zendesk ! | Blog - 0daylabs
• Bypass Akamai WAF to XSS
• How I Discovered XSS that Affects around 20 Uber Subdomains
• Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API | A developer’s notes in the world of security research and bug bounty, by pmnh graphql-vulns
• Hunting for blind XSS vulnerabilities: A complete guide
• Client-side JavaScript Instrumentation · Doyensec’s Blog
• How we got persistent XSS on every AEM cloud site, thrice › Searchlight Cyber
• JavaScript Security Vulnerabilities Tutorial – With Code Examples
• Are you causing XSS vulnerabilities with JSON.stringify()?
• The Most Common XSS Vulnerability in React.js Applications
• Preventing XSS in React (Part 1): Data binding and URLs

Summary

React mặc định không sanitize URL mà chỉ đưa ra cảnh báo khi URL có unsafe scheme chẳng hạn như javascript.

• Preventing XSS in React (Part 2): dangerouslySetInnerHTML

Summary

Có một cách exploit khá hay đặc thù cho React: nếu application nhận vào JSON string và truyền nó vào làm Props của một component thì ta có thể thêm vào thuộc tính dangerouslySetInnerHTML để inject XSS payload:

{
  "style": {
    "color": "green",
    "backgroundColor": "yellow",
    "border": "solid 5px blue"
  },
  "dangerouslySetInnerHTML": {
    "__html": "<img src='none.png' onerror='alert(\\\"Rainbow mode FTW!\\\")'>"
  }
}

• Preventing XSS in React (Part 3): escape hatches and component parsers
• The seventh way to call a JavaScript function without parentheses | PortSwigger Research
• Content Security Policy Bypass Techniques and Security Tips

Summary

Giải thích rất chi tiết về các directives và các giá trị của CSP. Đưa ra rất nhiều misconfigured examples của CSP kèm theo cách tấn công. Giới thiệu công cụ CSP Evaluator để test CSP.

• REGEXSS: How .* Turned Into over $6k in Bounties · Stealthcopter
• XSS to RCE in Google IDX Workstation: A Technical Deep Dive $22,500 Bounty Earned 💰 | NullSecurityX web-worker
• Exploiting Web Worker XSS with Blobs | Critical Thinking - Bug Bounty Podcast: XSS in Web Worker environment. web-worker
• Write-up of DOMPurify 2.0.0 bypass using mutation XSS - research.securitum.com mXSS
• Mutation XSS: Explained, CVE and Challenge | Jorian Woltjer mXSS
• mXSS: The Vulnerability Hiding in Your Code | Sonar mXSS

DOM Clobbering DOM-clobbering

• XSS in GMail’s AMP4Email via DOM Clobbering - research.securitum.com. This explains everything well. The mentioned playground: Gmail AMP for Email Playground.
• Overview | DOMC Wiki
• DOM clobbering | Web Security Academy
• Webpack’s AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS · CVE-2024-43788 · GitHub Advisory Database. This is related to the output.publicPath config key and the generated JavaScript code of Webpack depends on a property that can be shadowed by the attacker via HTML injection.
• It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses

Client-Side Path Traversal CSPT

• https://vitorfalcao.com/posts/au![[🪲 Bug Bounty Reading 2025-12-09 11.32.20.excalidraw]]tomating-cspt-discovery/
• Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF · Doyensec’s Blog
• CSPT2CSRF_2023_RC1
• Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain | Vitor Falcao
• (1) Behi on X: “Client Side Path Traversal is an underrated bug… But it can lead to critical bugs. Here’s everything you need to know about it 🧵👇” / X
• Cloudflare Image Proxy CSPT Exploit Explained

CSRF CSRF

• Facebook CSRF protection bypass which leads to Account Takeover. | Youssef Sammouda (sam0) personal blog
• Facebook CSRF bug which lead to Instagram Partial account takeover. | Youssef Sammouda (sam0) personal blog
• How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) | Hackademic

SSRF SSRF

• https://orca.security/resources/blog/ssrf-vulnerabilities-azure-functions-app/
• https://x.com/Behi_Sec/status/1996270740346151316
• Road to SSRF : PDF generation and filter bypass on ASP.net application | by Supr4s | Apr, 2025 | Medium: sử dụng full-witdth Unicode characters để bypass việc chặn < và > với assume là application sẽ normalize chúng thành < và >. Payload để detect: ＂＞＜ｂ＞ＩＮＪＥＣＴＥＤ. Payload để exfiltrate thông tin sử dụng SSRF: "＞＜iframe src="file://C:/Windows/System32/drivers/etc/hosts"＞＜/iframe＞.
• Exploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generators.
• Hunting for SSRF Bugs in PDF Generators  - Black Hills Information Security, Inc..
• August CTF Challenge: Exploiting SSRFs in Next.js Middleware
• Digging for SSRF in NextJS apps
• Novel SSRF Technique Involving HTTP Redirect Loops › Searchlight Cyber
• CA CTF 2022: Exploiting Redis Lua Sandbox Escape RCE with SSRF - Red Island RCE
• I Studied 100+ SSRF Reports, and Here’s What I Learned | by Aditya Sawant | InfoSec Write-ups
• Hunting for SSRF vulnerabilities in Next.js targets
• When GPTs Call Home: Exploiting SSRF in ChatGPT’s Custom Actions | by SirLeeroyJenkins | Nov, 2025 | Medium
• TURN server allows TCP and UDP proxying to internal network, localhost and meta-data services

Summary

Attacker khai thác tính năng custom action của ChatGPT. Tính năng này cho phép nhập vào OpenAPI schema dùng để gửi request. Mục tiêu là gửi request đến SSRFUtility - SSRF Exploitation Tool và cho nó redirect đến http://169.254.169.254 (sử dụng redirect để bypass việc schema chỉ cho phép dùng HTTPS).

Sau đó, attacker còn cần phải set custom header là Metadata: True đế lấy IMDS. Để làm điều này, attacker đã tận dụng chức năng cho phép sử dụng custom authentication header để set custom header.

LFI file-inclusion

• Testing LFI in Windows: How I (never) got a $30000 bounty | @adeadfed
• Local File Inclusion via XSS in Prince PDF Generator - Blog - Sudarshana
• Accessing +700,000 users data and reading files on a Solr server
• LangChain JS Arbitrary File Read Vulnerability

Injections

• Double Dash, Double Trouble: A Subtle SQL Injection Flaw | Sonar SQLi
• https://web.archive.org/web/20241026172037/https://medium.com/@oscuridad1010/orm-hql-injection-e072207e8942 ORM
• Exploiting an ORM Injection to Steal Cryptocurrency from an Online Shooter · xEHLE ORM
• plORMbing your Django ORM - elttam ORM
• XPath Injections: Exploitations and Security Tips xpath-injection
• veracode-research/solr-injection: Apache Solr Injection Research solr-injection
• XSLT Injection Basics - Atlan Digital - Offensive Security Lab xslt-injection
• Microsoft Word - Abusing XSLT for Practical Attacks White Paper.docx xslt-injection

RCE

• High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478) › Searchlight Cyber
• How to find RCE: A list of pathways and detection methods | @Bugcrowd

Insecure Deserialization insecure-deserialization

• lorenzodegiorgi/jackson-vulnerability: Exploiting Jackson deserialization vulnerability with 3 gadgets
• Jackson Deserialization Vulnerabilities | NCC Group

Open Redirect open-redirect

• Open URL Redirect: Advanced Exploitation Guide | Intigriti

WebSocket web-socket-vulns

• [/] WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine | PortSwigger Research
• Hacking WebSocket. With Cross-Site WebSocket Hijacking… | by Vickie Li | The Startup | Medium
• ‘Websocket Hijacking’ to steal Session_ID of victim users | by Sunil Yedla | InfoSec Write-ups
• GitHub - PalindromeLabs/awesome-websocket-security: Awesome information for WebSockets security research
• Gitpod remote code execution 0-day vulnerability via WebSockets | Snyk Labs
• Breaking caches and bypassing Istio RBAC with HTTP response header injection | Snyk Labs

GraphQL graphql-vulns

• Hacking GraphQL endpoints in Bug Bounty Programs – YesWeHack
• GraphQL API Vulnerabilities, Common Attacks & Security Tips
• GraphQL: How It Works, Why It Beats REST, & Security Risks
• Forging GraphQL Bombs, the 2022 version of Zip Bombs
• We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance | bobdahacker

Archive-Based archive-attacks

• Zip Slip Vulnerability | Snyk
• Zip Symlink attack

WordPress, Salesforce wordpress salesforce

• RESEARCH DAY: Discovering vulnerabilities in WordPress plugins - Onvio wordpress
• 5 Ways to hack WordPress targets | Intigriti wordpress
• Hacking Salesforce-backed WebApps - Hypn.za.net
• Salesforce Penetration Testing Fundamentals salesforce
• Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community — Enumerated salesforce

Race Conditions race-conditions

• Features likely vulnerable to race conditions
• Ultimate Bug Bounty guide to race condition vulnerabilities | YesWeHack

Cache Poisoning & Deception web-cache-poisoning web-cache-deception

• Cache Poisoning: $100K+ Case Studies Part 1 | Herish Blog
• Avoid CPDoS in CloudFront | VRT Digital Products dos
• CPDoS: Cache Poisoned Denial of Service dos
• (895) Web Cache Deception | PortSwigger Labs | - YouTube web-cache-deception

Request Smuggling & Tunneling http-request-smuggling

• The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling | Assured AB, Security Consultants
• HTTP Request Smuggling on business.apple.com and Others. | by Stealthy | Medium
• From Akamai to F5 to NTLM… with love.
• Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites | @Bugcrowd
• The ultimate Bug Bounty guide to HTTP request smuggling | YesWeHack
• How I Found the Worst ASP.NET Vulnerability — A $10K Bug (CVE-2025-55315) | Praetorian

DoS DoS

• Zip bomb - Wikipedia
• Billion laughs attack - Wikipedia

Misconfiguration misconfiguration

• Exploring Spring Boot Actuator Misconfigurations | Wiz Blog spring-boot
• Common Nginx misconfigurations - Blog Detectify nginx
• Nginx resolver vulnerabilities allow cache poisoning attack nginx
• (Research) Exploiting HTTP Parsers Inconsistencies
• Fastly Subdomain Takeover $2000 - Bug Bounty Writeup | InfoSec Write-ups subdomain-takeovers
• Shaking secrets out of CircleCI builds - insecure configuration and the threat of malicious pull requests - Nathan Davison
• Hunting down subdomain takeover vulnerabilities | Intigriti subdomain-takeovers
• Hacking misconfigured AWS S3 buckets: A complete guide AWS s3
• A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers — ProjectDiscovery Blog
• [/] Subdomain Takeover: Starbucks points to Azure
• [/] WSTG - Latest | OWASP Foundation
• [/] Exploring Spring Boot Actuator Misconfigurations | Wiz Blog

Mobile mobile-hacking

• How to build an Android Bug Bounty lab for mobile hacking | YesWeHack android
• Android recon for Bug Bounty hunters: A complete guide | YesWeHack android

Browser Extension browser-extension

• How to Hack Browser Extension | HAHWUL

Cloud cloud

• Hacking Firebase Targets: Advanced Exploitation Guide firebase
• Hacking misconfigured Cloudflare R2 buckets: A complete guide cloudflare
• dazesecurity.io/blog/apimMIVuln azure

CVEs cve

• HackerOne | Report #1858574 - [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick | HackerOne
• I owned 2 CVEs in 1 weekend - this is how (Directus vulnerability research)
• GitHub - 0xMarcio/cve: Latest CVEs with their Proof of Concept exploits.

Source Code Audit source-code-audit

• Source Code Audit: Understanding the Methodology & Process
• CodeQL zero to hero part 1: The fundamentals of static analysis for vulnerability research - The GitHub Blog
• CodeQL zero to hero part 2: Getting started with CodeQL - The GitHub Blog
• CodeQL zero to hero part 3: Security research with CodeQL - The GitHub Blog
• I owned 2 CVEs in 1 weekend - this is how (Directus vulnerability research).

Summary

• Nguyên tắc chọn project: phổ biến, dùng bởi nhiều công ty lớn.
• Nếu là một platform (không phải thư viện kiểu Mongoose) thì có thể tìm trên FOFA xem có nhiều instances hay không để đo độ phổ biến.
• Codebase được updated thường xuyên và có nhiều contributors
• Có security policy
• Có nhiều tutorials hướng dẫn và documentation dễ đọc.

Misc

• SVG Filters - Clickjacking 2.0 Ʊ lyra’s epic blog
• SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL dotnet
• JavaScript Analysis for Pentesters | kpwn.de

Summary

Nội dung gần cuối liên quan đến việc sử dụng tính năng Overrides của browser để lưu client-side source rồi chỉnh sửa. Tính năng này khiến cho những thay đổi persistent qua các lần reload. Ngoài ra còn biết thêm extension HTTP Mock: về cơ bản là giống với Match & Replace nhưng dễ nhìn và dễ chỉnh sửa response hơn.

Ngoài ra còn chỉ cách phân tích client-site đã bị ofuscated (khó hơn cả bundled) và phân tích các trang có cơ chế bảo vệ client-side source khỏi dynamic analysis chẳng hạn như Self-Defending JavaScript, Debug Protection (tương tự như cách chống dynamic analysis của binary application).

• A step by step guide how to hack webhooks :: Himanshu Anand :: Threat Notes webhook
• ORM Leaking More Than You Joined For - elttam ORM
• Credentials Harvesting using Swagger UI | Zerotak swagger

Summary

Sử dụng param url và configUrl để tạo ra một trang phishing ở giao diện của Swagger nhằm đánh lừa người dùng để login. Về bản chất chỉ là HTML injection. Tương tự với report https://hackerone.com/reports/2534300.

• Synacktiv publications
• [HackerNotes Ep. 72] Research TLDRs & Smuggling Payloads in Well Known Data Types
• SVG Filters - Clickjacking 2.0 Ʊ lyra’s epic blog clickjacking
• ASP.NET MVC View Engine Search Patterns | Critical Thinking - Bug Bounty Podcast
• 0-Click Account Takeover Using Special Characters 👌✔ | by CaptinSHArky(Mahdi🇹🇳) | Nov, 2025 | Medium
• Astro framework and standards weaponization - zhero_web_security XSS SSRF
• Payload obfuscation: How to mask malicious scripts – YesWeHack obfuscation
• Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone - Black Hills Information Security, Inc. JSON
• Hunting postMessage Vulnerabilities – Part 1 | Ryuku | Web Security & Bug Bounty postmessage
• From PDF to Five-Figure Payday: When Legacy Docs Attack | by Armand Jasharaj | Aug, 2025 | Medium PDF
• Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke) › Searchlight Cyber dotnet
• Subdomain takeovers - Security | MDN subdomain-takeovers
• Netflix Vulnerability: Dependency Confusion in Action - Lupin & Holmes dependency-confusion
• Story Of 15 Vulnerabilities in one public BBP ! | by Ahmed Elheny (Ahmex000) | Medium IDOR race-conditions misconfiguration
• From Demo to Live: Zero-Click Account Takeover via the Same Encryption Algorithm | by can1337 | InfoSec Write-ups: sử dụng OTP response từ demo app cho live app để take over account có cùng ID (incremental) encrytion
• Some notes and techniques for reverse engineering Webpack (and a little bit about React/Vue/Angular) apps reversing
• The ultimate beginner’s guide to Caido | @Bugcrowd caido
• Critical Thinking - Bug Bounty Podcast on X: “HackerNotes TLDR for episode 132! — ►⠀Archive Alchemist was born from Mathias’ frustration with repeatedly looking up archive utility parameters for testing archive-based bugs. It streamlines testing by making it easier to list, add, remove, and extract files without” / X archive-attacks
• How a GitHub Quirk Helped Me Earn $40K+ in Bug Bounties | by Arshad Kazmi | Jul, 2025 | InfoSec Write-ups
• Struts Devmode in 2025? Critical Pre-Auth Vulnerabilities in Adobe Experience Manager Forms › Searchlight Cyber
• Stealing HttpOnly cookies with the cookie sandwich technique | PortSwigger Research cookie-attacks
• Bypassing WAFs with the phantom $Version cookie | PortSwigger Research cookie-attacks
• An Exploration & Remediation of JSON Interoperability… | Bishop Fox json-interoperability
• Hacking Swagger-UI - from XSS to account takeovers - Vidoc Security Lab swagger

Summary

Swagger UI cho phép sử dụng url param để load Swagger specs từ xa rồi render ra giao diện. Khi render thì sử dụng DOMPurify thể sanitize. Tuy nhiên, các version cũ của Swagger UI sử dụng DOMPurify cũ và có thể bypass dẫn đến XSS do Swagger UI render bằng dangerouslySetInnerHTML.

Payload ban đầu được sử dụng là <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><style><a title="</style><img src='#' onerror='alert(1)'>"> nhưng do style bị cấm một cách tường minh bởi Swagger UI khi nó config DOMPurify nên ta cần tìm cách bypass. Cụ thể hơn, ta cần tìm một element tương đương với <style>. Để làm điều đó, tác giả cung cấp script sau: https://gist.github.com/kannthu/fd5cdd4664cc669755a928fb42aba0de?ref=blog.vidocsecurity.com. Script này sẽ lặp qua tất cả các HTML tags và thay thế vào payload rồi dùng DOMPurify để sanitize. Nếu output vẫn còn <img onerror=alert(1)> thì tìm được bypass.

Từ script trên tìm ra được 2 tags là <textarea> và <title>. Payload được cập nhật thành: <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(1)'>">.

• Mass Assignment - OWASP Cheat Sheet Series mass-assignment
• Hunting Down The Top 6 Most Common Price Manipulation Vulnerabilities in E-Commerce Websites
• Spring4Shell: The zero-day RCE in the Spring Framework explained | Snyk RCE spring-boot
• From LaTeX Injection to RCE: A Real Bug Bounty Case RCE
• Cullinan | HAHWUL
• Capture the flag | GitHub Security Lab codeQL
• Bypassing WAFs for Fun and JS Injection with Parameter Pollution WAF
• 24278-paper.pdf
• How to test NextJS applications
• allanlw/svg-cheatsheet: A cheatsheet for exploiting server-side SVG processors.
• bRPC-Web: A Burp Suite Extension for gRPC-Web – Compass Security Blog
• We Hacked Google A.I. for $50,000 - Lupin & Holmes
• Hacking Gemini: A Multi-Layered Approach
• IIS Shortname Vulnerability. What are 8.3 File Names? | by Adrian Jenkins | Medium
• Only an Electron Away from Code Execution | Silvia’s blog electron
• Open Sesame: Escalating Open Redirect to RCE With Electron Code Review electron