By travisintigriti
April 26, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 17th to April 23rd.
Intigriti News
From my notebook
This week I’ve put together some cloud security resources, starting with some “new to me” resources and some recent write-ups. If you’re looking for somewhere to start, check out NahamSec’s series!
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
Hundreds of companies’ internal data exposed: The Confluence Cloud misconfiguration
Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations
Other Amazing Things
Which tool should you use to find critical vulnerabilities frequently? (shorts)
Snapchat paid a hacker $15,000 (shorts)
The Top 5 Obstacles Newcomers Face in Infosec (And How to Overcome Them)
Struggling to prepare for a Smart Contract audit? Check how I prepared for Gravita protocol audit
Understanding Unrestricted Resource Consumption: A Comprehensive Guide | 2023
10 Common XSS Payloads and How to Use Them for Bug Bounty Hunting
SDLC (Software Development Lifecycle) | Tryhackme Writeup/Walkthrough By | Md Amiruddin
Why Next.js is the Future of Web Development: A Comprehensive Guide for Developers
Path Traversal vs File Inclusion Vulnerability! How to Tell the Difference?
A Comprehensive Guide to Protecting Your Applications from XXE Vulnerabilities
Protecting Against Sensitive Data Exposure in Express.js: Best Practices and Example
The Ultimate SQLmap Tutorial: Master SQL Injection and Vulnerability Assessment!
Exploiting and Securing Jenkins Instances at Scale with GroovyWaiter
Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories
Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel
Data Exfiltration from Air-Gapped Systems: Exploring Covert Channels
XS-Leak: Deanonymize Microsoft Skype Users by any 3rd-party website
Turning Vulnerability into Bounty: How CVE-2020-17453 XSS Earned Me a $500 Bounty
Uncovering a Critical Vulnerability: My Journey of Discovering CVE-2021-31589
Privilege Escalation via Broken Authentication: A Story of $$$
$??? USD for Blind OS Command Injection via Account Activation Request
How careless default credentials lead to massive account takeover
My Report on How I got $$$ in 30 minutes {Information Disclosure}.
Grafana RCE via SMTP server parameter injection (Worth $5000)
Insecure Docker Registry API Leads To Pull All Private Docker Images
Bypassing Link Sharing Protection in Messenger Kids Parent’s Control Feature | Meta Bug Bounty
No Rate Limiting on Forget Password Page Leads to OTP Bypass and Account Takeover.
[BAC/IDOR] How my father’s credit card helped me to find this access control issue
From payload to $300 bounty: A story of CRLF injection and responsible disclosure on HackerOne
Sensitive Data Disclosure (Unauthenticated Calls on Endpoints)
XSpear Powerful XSS Scanning and Parameter analysis tool & gem.
tlsx Fast and configurable TLS grabber focused on TLS based data collection.