Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 8th to May 14th
Intigriti News
- Familiar huh? Let us show you how you can exploit this XSS case
- If you want to master SSTI exploitation, open this thread!
- The intigriti YouTube channel has officially passed the 15k milestone!
- We’ve got a few insecure file upload videos for ya’ll this week, covering practical labs from @WebSecAcademy
- Public program alert! We’re happy to announce the @PersonioHR program is now open to the public! Personio is a leading HR software company revolutionizing the way businesses manage their workforce
From my notebook
- I MADE $100,000 IN TWO MONTHS!
- 1 tip to improve your pentesting & bug bounty hunting
- My Internship Journey
- AI Village at DEF CON announces largest-ever public Generative AI Red Team
- Issue 219: Money Lover app exposes user data, most web API flaws missed by standard testing

- Hacking Complex Passwords with Rules & Munging
- Facebook’s TOP1 bounty hunter doesn’t bother reporting $4,000-$5,00 (shorts)
- Hack The Box – Gunship (“Very Easy”) – Live Walkthrough
- What is Clickjacking?
- Browser in the browser attack (shorts)
- Must-Follow Cybersecurity Content Creators (shorts)
- Getting Started in Firmware Analysis & IoT Reverse Engineering
- Securing AI – Prompt Injection Defense
- Magecart Hackers Perfect Fake Checkout Pages
- Hide a Hacker’s Reverse Shell in ONE Command
- FIVE Practical AI Uses for Cybersecurity
- Prerequisites || Penetration Testing Bootcamp

- Wireless Hacking with Hardware from the SME Kody Kinzie!
- The REAL Value of Cyber Threat Intel (And How To Get It)
- 296-The Argument for a Stock Browser
- The Right Amount of Trauma
- Episode 18: Audit Code, Earn Bounties
- 210 – TPMs and Baseband Bugs
- SN 922: Detecting Unwanted Location Trackers – Google Passkeys, Chrome lock icon, AI news sites, Vint Cerf
- 209 – Bad Ordering, Free OpenAI Credits, and Goodbye Passwords?
- What if AI could rebuild the middle class?
- EP120 Building Secure Cloud and Building Security Products: Finding the Balance
- Risky Biz News: DEFCON attendees will target AI models
- Episode 374 – The event we called left-pad, Episode 77 remaster part 1

- I did a few hours of bug bounty for a few nights last week to get a feel.
- Never get too proud to go back to the basics and LEARN like a beginner again.
- Me and my projects since GPT3 is accessible.
- Secret Tip – Keep checking your notes
- “We take our security very seriously.”
- I’m really baffled how y’all find SQL injections so effortlessly. All you SQLi experts, I’ll be in your DM’s today.

- Beginner
- Master the Art of Linux Firewall: Practical Guide to Iptables
- The Secrets Behind EC2 Takeovers
- Bug Bounty: Automate Blind SQLi
- Search for sensitive data using theHarvester and h8mail tools
- Kickstart Your Bug Bounty Hunting Journey
- Cross-Origin Resource Sharing (CORS).
- The Insider’s Guide to Detecting and Preventing XSS Attacks: Tips and Tricks for Web Developers
- What is path travelsal vulnerability?
- How to not get paid for your submission.
- Bug Bounty Mistakes I Made, So that You Can Avoid
- Intermediate
- Handlebars Templating: Security Best Practices
- SSRF: What is forgery, and what is exploitable information
- How I Cracked CEH Within 6 Months Only With Free Resources.
- Journey of a Script writer (Tool developer)
- What is a zero-day (0-day) exploit? Real-life examples
- What is insecure deserialization
- Bypass Rate Limit Request (fuzzing/etc…) With TOR
- Understanding LDAP Injection: Crafting Payloads and Mitigation Strategies
- Bypassing Protocol Concatenation in SSRF: Strategies for Testing Vulnerable Applications
- Populating Burp Suite’s Sitemap using SpiderSuite crawler
- Advanced

- Security Research
- Bypass IIS Authorisation with this One Weird Trick – Three RCEs and Two Auth Bypasses in Sitecore 9.3
- CVE-2022–26180:qdPM 9.2 CSRF Vulnerability in index.php/myAccount/update URI
- Breaking Down Barriers : CVE-2023–2227
- The printer goes brrrrr, again!
- Prompt injection explained, with video, slides, and a transcript
- Testing Zero Touch Production Platforms and Safe Proxies · Doyensec’s Blog
- Attacking APIs by tainting data in weird places
- Bugs
- Unveiling the Untold Secrets: Unearthing the Holy Grail of Bug Bounties — How I Hacked EC2
- Bypass SMS Authentication To Account Takeover (Indonesian)
- SQLi Using Google Dorks
- /Metrics Open Directory Bounty : 50$~200$
- Discovering a Hidden Security Loophole: Rent luxury Cars for a Single Dollar
- One Bug at a Time: My First Paid Bug ($1,000 IDOR)
- Hyperlink Injection Earned Me $200 within 10 minutes
- Automating XSS Detection: How My Setup Earned Me a Few Spots in various Hall of Fames
- RCE due to Dependency Confusion — $5000 bounty!
- Discovery of an XSS on Opera
- How I bypassed the registration validation and logged-in with the company email
- Hacking Chess.com: My Journey to Unlock Premium Bots on the Android App
- My First Bug: Accessing Admin Page via Blind XSS $1000
- Account Takeover via Signup Feature
- Full Account takeover (even for admins)
- Admin Account Takeover worth $5,657
- CTF challenges
- Bypass JWT Authentication | Access Admin Panel
- Network Services 2 — Enumerating and Exploiting More Common Network Services & Misconfigurations
- HTB: Interface
- OverTheWire Bandit: Solving Level 0
- TryHackMe — Res Room Simple Writeup
- Skynet — TryHackMe Room Simple Writeup
- PicoCTF asm3 challenge: Master the Art of Reverse Engineering — StackZero
- AI Hacking Games (Jailbreak CTFs)

- Indicator-Intelligence – Finds Related Domains And IPv4 Addresses To Do Threat Intelligence After Indicator-Intelligence Collects Static Files
- SpiderSuite – Advance Web Spider/Crawler For Cyber Security Professionals
- Domain-Protect – OWASP Domain Protect – Prevent Subdomain Takeover
- Lfi-Space – LFI Scan Tool
- DNSRecon – DNS Enumeration Script
- PwnFox – A Firefox/Burp Suite extension that provide usefull tools for your security audit.
- gitGraber – monitor GitHub to search and find sensitive data in real time for different online services such as: Google, Amazon (AWS), Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe, Twilio…

- Want to succeed in bug bounties? Follow these 10 tips!
- View the recon data for every amass scan that you’ve ever done by using the db subcommand
- Trouble figuring out which ASN belongs to a company?
- XSS WAF Bypass using location concatenation
- Add “ui_config.properties” and “http://config.properties” files to your wordlist, these files contain juicy info like secret tokens and passwords
- Reflected XSS via Google Dorking
- Want to start bug bounties but don’t know where to begin?
- If something is suspicious but SQLMap “thinks” it might/might not be vulnerable, manually confirm/deny before leaving.
- Found an interesting #XSS where I inject the payload within the image file name and got the alert!.
- Image upload path tip
