Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue is a special edition!
- Our very own Inti spoke at NahamCon about payloads in phone numbers!
- We had another code challenge, this time with a Docker config, and the solution
- SSRF resource thread
From my notebook
Season's greetings everyone! This week, to celebrate the start of Christmas, New Year, Hanukkah, Winter Solstice, Saturnalia, Yule, or just Saturday and Sunday, whichever you celebrate (if at all), I hope you all have a great week. Many people over this period will be thinking about New Year's resolutions or goals. Consider this a little gift from the Intigriti team and from me (@insiderphd): an episode not full of this week's content, but about where I look to find all the content for Bug Bytes and what I think the best learning resources are.
There are a ton of really good infosec content creators who make a range of videos. I'd like to first mention the website SecurityCreators.video, run by Zeta Two, which collates a bunch of us. Videos can be great learning resources because they give you a mix of different ways to learn.
- Bug Bounty Reports Explained – Fantastic creator who often dives deep into reports and his own experience; armed with data and study, he walks us through some really fantastic bugs
- NahamSec – Need I say more? NahamSec recently went full time on content creation/bug bounty and he's back creating content on YouTube and Twitch. I really recommend his smart contract series if you don't know where to start!
- Farah Hawa – Another familiar face, she has a mix of vlogs and educational videos on web security bugs.
- The Cyber Mentor – TCM regularly posts full 5-12+ hour courses covering open-source intelligence, web application hacking and ethical hacking, mixed with shorter videos.
- Hacking Simplified – One of those creators who is criminally unknown, he has created some fantastic interviews with hackers and tool creators alongside highly technical videos.
- PinkDraconian – Did you know he actually works at Intigriti? He doesn't know he's on this list though! Great mix of videos, including a Bug Bounty Recap that he discontinued this year; maybe we could get him to bring it back?
- Day – Podcast channel that covers bug bounty, interesting exploits and bugs; honestly, another really underrated creator well worth following
Did you know we have a YouTube channel too? @Intigriti
If you prefer more written content or curated resources you’re probably already following this newsletter, but there are a few more I think you’d enjoy.
- Tl;dr Sec – Want to keep up to date with security news but can't get away with spending all day on Twitter? Tl;dr sec is a newsletter that distills the news into an easy to read format, easy to dive into but also easy to skip what doesn't interest you!
- Hive Five Newsletter – Bee is a well known member of the community and he includes a ton of security news/new techniques, events and resources, plus there are Bee facts in every issue. Very community focused, including news from individuals as well as the broader bug bounty/pentest news
- API Security Newsletter – I always recommend APIs as a great place to find your first bug, and APIsecurity.io produces this fantastic newsletter aggregating API-specific security resources. It's a great place to learn about new bugs or just keep up to date
- Last Week in Security – Another weekly round up of all things security. This one includes write ups and techniques, but also tools and a 'new to me' section of things you (like the author) might have missed
- Unsupervised Learning – Yet another weekly round up, but Daniel also highlights interesting ideas he's come across and includes both tech news and human news in the list
Of course there’s always Bug Bytes.
Books are always hard to recommend: often they can be out of date or no longer 100% relevant, and with the cost it can be really hard to suggest them, but here are some picks.
- Hacking APIs: Breaking Web Application Programming Interfaces – Came out this year so still relevant; a great place to start if you are not sure what an API is, but if you have some experience it's probably better to check out something new
- Practical IoT Hacking – One piece of advice I give a lot for finding unique bugs is to find a specialism. This book goes deep into IoT hacking, including hardware and a little bit of API hacking
- Bug Bounty Bootcamp – Fairly recent book, a good choice if you are still right at the start of your bug bounty journey; if you already know a fair amount you should probably grab…
- Real-World Bug Hunting: A Field Guide to Web Hacking – … this book instead. It dives into a lot of vulnerability reports, and the nice part is the commentary alongside each report; it's older though, so parts of it are dated
- The Tangled Web: A Guide to Securing Modern Web Applications – Once you feel like you know your way around a bug report or two, this can be a great choice to dive deeper into how modern web applications, and especially web browsers, fundamentally work
Humblebundle often has sales of these books which come in a range of formats and are DRM free, right now they have Wiley, and O’Reilly bundles.
Blogs are another hard one to recommend, usually for Bug Bytes I trawl Medium looking for interesting articles, but rarely do I read the same blog. Honestly if you want to start something new in 2023 we really don’t have enough curated blogs!
- Infosec Writeups – If you follow one blog, make it this one! Curated articles from hackers on Medium, a great way to keep up to date with write ups especially
- AssetNote – AssetNote is a fantastic research blog to follow and set email alerts for, their content is somewhere between novel research and really interesting write ups
- YesWeHack – Great blog for beginners which includes articles on common vulnerabilities
- Portswigger Research – Basically the GOAT of security research, you definitely need to subscribe to their blog or you might miss new, novel vulnerabilities!
- Troy Hunt – Creator of Have I Been Pwned talks data breaches and security news
Intigriti also has a blog and you’re reading it right now!
Twitter and social media are great ways to meet other hackers, share resources you're learning from and connect with others in the community. There can be a lot of noise, as people tend to share their life events as well as their hacking success, so if you're just looking for content you should skip this section!
- Securibee’s Twitter List – Great list of some of the most influential bug bounty hunters for a high signal – low noise approach
- #bugbounty and #bugbountytips on twitter – Basically THE hashtags for bug bounty hunting on Twitter, if you’re doing anything in the bug bounty community definitely use these hashtags!
- Infosec.Exchange Mastodon Instance – If you're looking for a smaller but still influential community, most of the infosec community seems to have made its way to this Mastodon instance
- Bounty Hunters Discord Server – If you use Discord I highly recommend this community, great mix of experienced and less experienced members, good opportunity for mentorship and community events
Come chat with us on the Intigriti Discord server!
Looking for something a bit more polished than a book or something you could share with your non-hacker friends that’s more accessible? Or maybe you want to keep up with hacking but don’t have the brain space for a technical write up. There are some really great infosec journalists who specialise in being informative but accessible!
- The Daily Swig – The infosec publication. Again, if you subscribe to just one publication I highly recommend this one by Portswigger: great content, well written, and from people who really know security and the community
- Krebs on Security – Probably one of the more famous blogs. I struggled with where to put it on this list, but ultimately the regular posts, in depth articles and journalistic style brought it here.
- Dark Reading – Specialist security publication with accessible articles
- The Register, ZDNet – More general tech publications which have dedicated security tags but aren’t all about security, the kind of articles you can show your parents
The tool section is often the hardest part of Bug Bytes to write. I try to keep tabs on what people are writing tutorials about and covering in their blogs, but two great resources are:
- Rebujito – Ippsec.Rocks inspired tool that lets you do a fuzzy search on various hacking tools
- KitPloit – PenTest & Hacking Tools – Blog that covers a range of hacking tools for Windows, Linux, and OSX
- GitHub – And when all else fails, there’s always GitHub
Challenges like CTFs and mini code reviews are great ways to interactively learn hacking without the pressure of feeling like you need to find a bug, plus they are often gamified and it doesn’t feel like learning if you’re having fun!
- Try Hack Me – Definitely the place to go for beginners. They have more structured lessons, tutorials, and videos in some rooms, which builds up your knowledge so you start from the basics
- Hack The Box – Looking to take on something more difficult? HackTheBox challenges you to find a way in without detailed instructions!
- Portswigger Web Academy – Great place to learn web-specific skills; as you complete these challenges you'll also be more and more prepped for the Burp certification exam!
- Pentester Lab – A paid CTF website, but sits at a unique intersection of all the above, with lessons, videos, challenges that focus on web security
- Intigriti Twitter account – We actually post a monthly XSS challenge and weekly code review challenges! We even give swag for best explanations!
- Conferences – Conferences will usually have a CTF running alongside them, for example NahamCon EU this weekend
- OWASP Vulnerable Web Applications Directory – A directory of projects that are intentionally vulnerable such as Juice Shop
There's always an infosec conference on that you're currently missing because you had no idea it existed in the first place, and then you convince yourself not to feel FOMO because you couldn't have gone anyway…
- OWASP Local Chapter – OWASP stands for Open Web Application Security Project and they do a few things, one of which is the OWASP Top 10. The other thing they do is run local community groups which meet regularly and have talks or networking sessions; shoutout to the kind people at OWASP London who first got me into OWASP 🙂
- OWASP Events – In addition to the local chapters, they also run global events such as AppSec Global
- BSides – Originally made up of talks rejected from BlackHat, BSides events are community-first infosec conferences
- NahamCon – Bug bounty & Hacking specific conference started by NahamSec, just had its European special so keep an eye out for NahamCon Global!
- H@cktivityCon – Run in the summer by HackerOne this conference is like the hacker version of their security@ conferences