Pingiskok

Yes, that's right. Thanks, I'm glad you liked the blog! You correctly noticed the jump from part 14 to part 17. The thing is, in articles 15 and 16 I was planning to release the tooling and testing methodology, but by the time of publication I realized they weren't good enough or comprehensive enough to share with a wide audience. I didn't want them to be published in such a raw state, so I'll release them later. I'm also planning to release a single unified web tool that will cover checks for most of the issues described in the articles that can be verified offline.

Great catch, you're right. In the jku/x5u article I really did focus on SSRF via HTTP(S) and cloud metadata, but I skipped file:// and other schemes, even though it's a classic. If the server uses a universal URL loader (Java URL/URLConnection, Python urllib.urlopen, PHP streams with allow_url_fopen), then jku: "file:/// etc/passwd" or x5u: "file:/// proc/self/environ" turn into clean LFI right through the JWKS parser. And what's especially interesting, this often bypasses the host whitelist, because the scheme is different and there's no host at all. Thanks for the feedback, and it's awesome that you actually read the stuff instead of just bookmarking it! ❤️ I'll add these things as a "P.S." when I'm putting out the next series of articles.