“The HTTP/1.1 standard seems to be riddled with strange features that absolutely no one uses and no one even really knows about,” begins Jeppe Weikop in ‘Funky chunks: abusing ambiguous chunk line terminators for request smuggling’. Kicking off our latest monthly roundup for ethical hackers, the computer engineering student’s writeup says implementations of this standard often result in “parsing logic that is lax or incomplete – after all, why bother enforcing strict syntax rules for protocol elements that aren’t used for anything anyway?” The scene is duly set for a series of novel techniques, payloads, black-box detection methods and vulnerabilities in popular HTTP implementations that have won plaudits from PortSwigger researcher James Kettle and a couple of redditors on r/netsec. “This is cool. I've added a module to my automation framework. Will add a follow-up once I find something in the wild!” said one.💻
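The lax chunk-line parsing the writeup criticises is easiest to see from the defender's side. The following decoder (an added example, not code from Weikop's post or from any HTTP implementation) accepts only the strict RFC 9112 syntax: a chunk-size line of hex digits plus optional extension, terminated by CRLF alone, and chunk data followed by CRLF alone. Anything ambiguous (a bare LF or CR, whitespace around the size, trailer fields, bytes after the last chunk) is rejected rather than guessed at, so two parsers in a proxy chain cannot disagree about where a chunk ends. The `ChunkSyntaxError` and `is_rejected` names are my own.

```python
import re

# Strict chunk-size line: hex digits, optional ";ext" part, nothing else.
# fullmatch() is used deliberately: re's "$" would also accept a trailing "\n".
_CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?")


class ChunkSyntaxError(ValueError):
    """Raised when a body does not follow strict HTTP/1.1 chunked syntax."""


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked transfer-coding body, refusing ambiguous terminators.

    Only CRLF may end a chunk-size line or follow chunk data. Trailer fields
    are not accepted here (assumption for this example), so the last chunk
    must be followed by exactly one empty line.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ChunkSyntaxError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        if b"\n" in line or b"\r" in line:
            raise ChunkSyntaxError("bare CR or LF inside chunk-size line")
        m = _CHUNK_SIZE_RE.fullmatch(line)
        if m is None:
            raise ChunkSyntaxError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            if body[pos:] != b"\r\n":
                raise ChunkSyntaxError("unexpected bytes after last chunk")
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkSyntaxError("truncated chunk data")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkSyntaxError("chunk data not followed by CRLF")
        out += data
        pos += size + 2


def is_rejected(body: bytes) -> bool:
    """Helper: True if the strict decoder refuses the body."""
    try:
        decode_chunked_strict(body)
    except ChunkSyntaxError:
        return True
    return False
```

The constructed inputs in the test show the contrast: well-formed bodies decode, while a chunk-size line ending in a bare LF, a size padded with a space, or chunk data followed by a bare LF are all refused outright.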
Keeping your XSS within scope
Also hailed on r/netsec as “an excellent read” is the amusingly titled ‘Make Self-XSS Great Again’. Noting that self-XSS bugs usually fall outside of Bug Bounty scopes because of reproducibility problems, Vsevolod Kokorin sets out to show that “Stored Self-XSS can actually be transformed into a regular Stored XSS using modern browser capabilities” – in particular credential-less frames. This pleasingly punchy post includes examples of CSRF on login forms, including one with a CAPTCHA to overcome, a CSRF-clickjacking combo, and an exploit that harnesses the fetchLater API to bypass X-Frame-Options: Deny.👏
Assetnote co-founder Shubham Shah has lived up to his high standards with a blog post documenting an innovative technique for achieving a full HTTP response from an SSRF, and its deployment against a popular, unnamed enterprise application. Brisbane-based Assetnote’s security team harnessed HTTP redirect loops and incremental status codes that leaked the full response. Shah believes the technique could reap dividends elsewhere. “It could lead to other SSRF vulnerabilities being exploitable in a similar way,” he said. James Kettle was impressed by this one too, in particular the approach of finding the vulnerability first before reverse-engineering the root cause.🔥
Google JavaScript oversight
A researcher netted $5k from Google for a vulnerability that could have enabled attackers to brute-force the private phone number of any user. ‘Brutecat’ was surprised to discover during recon that a password-recovery page still functioned without JavaScript, despite Google policy enforcing the use of the language on account recovery forms since 2018. Benefiting from a resulting lack of bot protection, the researcher was able to craft an exploit that could enable phishing and SIM-swapping attacks. ☎️
While we’re on the subject of phone numbers, in our previous edition we highlighted a vulnerability that potentially exposed the phone number and precise geolocation data of any user on the O2 mobile network. 📱 This is quite an impact, with O2 having 23 million mobile customers in the UK. Researcher Dan Williams documented how attackers could access this data using only a VoLTE call, and that O2’s VoLTE network was leaking cell tower IDs and IMSI (International Mobile Subscriber Identity) numbers. O2 has now said it has remediated the flaw. A video of Williams discussing the research at an IOActive event in London has now landed on YouTube. 👇
Adolescents have been a perennial source of societal anxiety – in terms of threats posed to and by them – since the term ‘teenager’ emerged in the mid 20th century as a popular descriptor of a cohort that exists awkwardly between childhood and adulthood. Well, alarm has reached fever pitch again amid concerns over not just social media and knife crime, but, recently, over teenagers’ remarkable role as cybercrime masterminds who brought a UK high street giant to its knees through the vehicle of ‘Scattered Spider’.
In rather fortuitous timing, BBC cyber correspondent Joe Tidy has just published a book entitled “Ctrl+Alt+Chaos: How Teenage Hackers Hijack the Internet”, which tells a story that Jack Rhysider of Darknet Diaries podcast fame says “grabs you, pulls you in, and doesn’t let go”. Speaking at the recent Infosecurity Europe conference in London, Tidy reflected on the fact that teen black hats are typically a little lax on the OpSec front and therefore more likely to be caught. This is perhaps not only because their prefrontal cortex (responsible among other things for evaluating risk) is underdeveloped, but also, as Tidy mentions, an awareness that they’ll be exempt from the worst punishments on account of their young age. Citing Bug Bounty, Tidy also notes that these miscreants might be wise to consider ethical, less risky alternatives for making money from hacking. Reaffirming the wisdom of this point is the story of a British cybersecurity student facing up to 20 years in prison over US charges alleging that he led a hacking enterprise that caused more than £18 million of damage worldwide.👮
Before we summarise our own recent hacker-focused output, here are a few more articles of note that we’ve spotted in the past month:
🔬 Unexpected security footguns in Go's parsers – Vasco Franco, The Trail of Bits Blog
🔬 Meta is able to track it’s users via WebRTC on Android including private mode and behind VPN – Jorge García Herrero
🔬 Can we really mitigate client-side prototype pollution by using iframes? – by ‘Canalun Company’
🔬 Talkback: An AI-powered InfoSec resource aggregator to boost productivity – from elttam
🔬 Marketplace takeover: how we could’ve taken over every developer using a VSCode fork – Oren Yomtov
Internet time machine
“The past is never dead. It’s not even past,” wrote American literary giant William Faulkner. 📚 He could have been talking about the utility for present-day Bug Bounty exploits of artifacts captured from internet history. 😉 That’s because snapshots in time revealed on the Wayback Machine and related tools often capture redundant website assets – debug panels, test APIs, credentials – that devs forgot to remove. 🔑 The latest instalment in our #BugBounty recon series explains the merits of archive-based recon and shares some useful commands and tools for performing these techniques.
Why does Argentinian hacker Adrián Pedrazzoli – aka lemonoftroy – particularly relish finding insecure direct object reference (IDOR) and broken access control vulnerabilities? Watch our newest hunter interview to find out, as well as what triggered the hunter’s interest in hacking, plus his favourite hacking tools, best bug discovery so far and tips for newbies. 👇 This interview was filmed during Ekoparty in Buenos Aires last year, during a live hacking event held by YesWeHack. Adrián finished third on the leaderboard.
Caido integration
📢 Are you a Caido user? Just in case you missed our recent announcement: YesWeHack is the first platform to integrate Bug Bounty programs with the security testing toolkit. A new plugin, now available in the Caido plugin store, enables you to fetch all your YesWeHack programs from within Caido and add targets to your scopes tab with a single mouse click. 😎
🚨 Bounty boost alert! French cloud provider OVHcloud has raised critical rewards by 25% and high-severity rewards by 50% for a specific scope for a limited time only – running until 31 July. Consult OVHcloud’s Bug Bounty Program page to find out more. 💰
The second-quarter leaderboard concluded with a familiar-looking podium: hats off to the consistently brilliant rabhi (also all-time #1), Xel (all-time #2) and Noam (all-time #9). Sitting in fourth, drak3hft7 (all-time #10) has continued his stellar rise up the rankings, while Philippines-based xavoppa in fifth is making a big impact having registered with YesWeHack only in 2024. 👏
🤘 Black Hat debut upcoming 🤘
Next up on our 2025 schedule is the granddaddy of hacker cons, Black Hat USA, where we’ll be debuting as exhibitors. If you’re attending the event, which takes place between 6-7 August in Las Vegas, swing by Booth 2367 to discuss Bug Bounty with the YesWeHack team – and to grab yourself some YesWeHack merch. We’ll also be running a casino-themed ‘Hide and Seek’ CTF challenge. 👀
Then in the autumn we're exhibiting from booth E8 at IndoSec 2025, in Jakarta, Indonesia, between 16-17 September.
Our next live hacking event will take place between 4-5 September at the fourth edition of Nullcon Berlin. Anyone attending the conference is welcome to participate.
This follows our recent live Bug Bounty at LeHACK, the hacker con in Paris, where hunters surfaced a typically impressive number of significant vulnerabilities. Thank you to all participants, in particular to the three who made the podium:
🥇 Cassim Khouani aka Aituglo
🥈 Sébastien Copin aka cosades
🥉 Romain B. aka SpawnZii
Well done also to the top three hackers on the scoreboard for Payload Plz, the CTF challenge our in-house researcher Bitk created for the event:
🥇 Ruulian
🥈 Mizu
🥉 RTH
And that’s it for this edition. Happy hunting! 👋
Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.
Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.