Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from July 5 to 12.
Our favorite 5 hacking items
1. Tools of the week
WILSON Cloud Respwnder & Intro
ppmap is a Go scanner to test for XSS via prototype pollution using known gadgets and existing research. Being 100% automated, it is a handy way to test for those low-hanging prototype pollution bugs.
WILSON Cloud Respwnder is an alternative to Burp Collaborator and Interactsh by @honoki. Why another tool? Because it allows you to continue receiving OOB requests for a long time (no need to keep Burp or an Interactsh session open). It can send notifications to Slack or Discord, allows block-listing domains from notifications and serving custom files.
If only it was named AlorsOnDNS!
2. Writeups of the week
Credential stuffing in Bug bounty hunting ($8,300)
Whose app are you downloading? Link hijacking Binance’s shortlinks through AppsFlyer
It is interesting to see credential stuffing (usually more associated with pentest/red teaming) leveraged for bug bounties. @Krevetk0Valeriy shares how they did it and managed to score several bounties.
The second writeup is about exploiting a third-party app analytics platform. By overwriting shortlinks, it was possible to serve malicious apps to thousands of users. As usual, a very insightful writeup by @samwcyo.
3. Challenge of the week
SQHell & ep02 CTF TEARDOWN SQHELL on TryHackMe
SQHell is a free TryHackMe room by @adamtlangley. It covers five types of SQL injection, including nested SQL injection (SQL inception), which is interesting to practice. If stuck, check out the hour-long video walkthrough by the challenge's author himself.
4. Videos of the week
Hacker Tools – CyberChef & Blog post
Hacker Heroes #4 – @real_bitmap (Interview)
I love listening to interviews when I am walking outside, so this new Hacker Heroes series by @PascalSec comes at a perfect time.
If I'm in the mood for more technical content, @PinkDraconian's byte-sized tutorials (both blog posts and this new video format) always teach me something new.
Great job and not just because we’re colleagues!
5. Tip of the week
XML SQL injection
Did you know that XML elements are a good place to test for SQL injection? When a server parses an XML body and passes element values into a query, those values are injection points like any other parameter. It's worth remembering, especially when all your XXE attempts are failing.
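The following is an added example, not code from the newsletter or from any of the linked resources. It shows what the tip above looks like on the server side: a hypothetical endpoint that parses an XML request, takes the `<username>` element and builds a query by string concatenation, beside the parameterized version. It also shows why XML is a convenient carrier: the parser decodes entities such as `&apos;` before the value reaches SQL, so a payload that contains no literal quote in the raw body still injects. The table, rows and request bodies are constructed for the demo and use an in-memory SQLite database.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample data: a tiny users table in memory.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def extract_username(xml_body):
    # Parse the request body; ElementTree decodes XML entities here,
    # so &apos; in the raw body becomes a plain ' in the returned string.
    root = ET.fromstring(xml_body)
    return root.findtext("username")


def lookup_vulnerable(conn, xml_body):
    # Hypothetical vulnerable handler: the element text is concatenated
    # straight into the SQL statement.
    username = extract_username(xml_body)
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, xml_body):
    # Hardened handler: same XML parsing, but the value is bound as a
    # parameter, so quotes in it are data, not SQL syntax.
    username = extract_username(xml_body)
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed request bodies.
BENIGN = "<request><username>alice</username></request>"
# Classic tautology payload placed inside an XML element.
PAYLOAD = "<request><username>x' OR '1'='1</username></request>"
# Same payload with the quotes XML-escaped: no literal ' in the raw body,
# yet the parser hands the handler the identical injected string.
ENTITY_PAYLOAD = (
    "<request><username>x&apos; OR &apos;1&apos;=&apos;1</username></request>"
)


def run_demo():
    conn = setup_db()
    return {
        "vulnerable_benign": lookup_vulnerable(conn, BENIGN),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "vulnerable_entity_payload": lookup_vulnerable(conn, ENTITY_PAYLOAD),
        "safe_payload": lookup_safe(conn, PAYLOAD),
        "safe_entity_payload": lookup_safe(conn, ENTITY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

When testing, remember that the XML layer decodes entities before the SQL layer sees the value, so quotes, `<` and `&` in a payload can be written as `&apos;`, `&lt;` and `&amp;` to keep the body well-formed (and to get past filters that only inspect the raw request).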
Other amazing things we stumbled upon this week
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- AioResolver: Fast DNS resolver
- JiraScan: A simple remote scanner for Atlassian Jira
- roboXtractor: Extract endpoints marked as disallow in robots files to generate wordlists
- UserEnumTeams: User enumeration with Microsoft Teams API
- TokenTactics: Azure JWT Token Manipulation Toolset
Misc. pentest & bug bounty resources
- Vuldroid: An intentionally Vulnerable Android Application
Bug bounty & Pentest news
Community pick of the week
You’re killing it! Congratulations @isira_adithya 🔥
If you too have bug bounty wins, swag and joys to share with other Bug Bytes readers, tag us on social media. We love hearing from you!