By travisintigriti
November 22, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from November 6th to November 19th
Intigriti News
From my notebook
Dan Rearden | The Write-Ups & Downs To Making A Great Write-Up | Simply Cyber Con 23
Bug bounty: year 2 – 0days, a $20k bounty and… laziness – bounty vlog #5
Potential vulnerability in AI chatbots feat. @rez0 #bugbounty #bugbountytips #bugbountyhunter (shorts)
Watch out for API use theft when implementing AI chatbots feat. @rez0 #bugbounty #bugbountytips (shorts)
How to monetise a scalable 0day in bug bounty? #bugbounty #bugbountytips #bugbountyhunter (shorts)
$3,200 client-side DoS in PayPal #bugbounty #bugbountytips #bugbountyhunter (shorts)
What types of DoS bugs will get you a bounty? Case study of 138 DoS bug bounty reports
Another Cisco 0-day discovered #cybersecurity #cisco (shorts)
Bug Bounty Stories: HACKING REDBULL again! (Tomcat + Jolokia Walkthrough)
It Wasn’t Easy to Print $250 Million of Counterfeit Cash🎙Darknet Diaries Ep. 102: Money Maker
One Click, $9 Million In Student Debt Erased🎙Darknet Diaries Ep. 139: D3f4ult
Why Was Puerto Rico’s Lottery Leaking Millions of Dollars a Month? 💸 Darknet Diaries Ep 101: Lotería
Beginner
Intermediate
Advanced
Security Research
Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions (2/3)
CrushFTP – CVE-2023-43177 – Unauthenticated Root-Level RCE Chain
Accessing Azure Kubernetes Service as Guest and Cross-Tenant
Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero
Android Kitchen Sink: Send BLE spam to iOS, Android and Windows at once using Android app
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3)
Post-exploiting a compromised etcd – Full control over the cluster and its nodes
Your printer is not your printer ! – Hacking Printers at Pwn2Own Part II
Bugs
Privilege Escalation: Unauthorized Low-Privilege Users Creating Feature Bundles
Default Credentials, P1 with $$$$ Reward in a Bug Bounty Program
OAuth Misconfiguration Leads To Pre-Account Takeover(snapchat)
$1000 Bounty: How I scaled a Self-Redirect to an XSS in a web 3.0 system at Hackenproof
How I got a $500 reward for finding an unacclaimed bucket on GitHub
Riding the Waves of API Versioning: Unmasking a Stored XSS Vulnerability, CSP Bypass Using YouTube…
How I hacked Google’s bug tracking system itself for $15,600 in bounties
Idor That allowed me to get access to sensitive users files and share them
1200$ IDOR Flaw: Allow Attacker To Approve Project Time Tracking
I created posts on the newsletter page dedicated to the program administrator
Subdomain takeover and Text injection on a 404 error page-$100 bounty
Unlocking Cash: Easy P1 Bug in Grafana Dashboard with Default Credentials = €€€€
Dutch T-Shirts for Dutch Hacks: A Tale of Four Vulnerabilities!!
Bypassing 2FA for Password Reset : By Request Manipulation 500$ Bug
Breaking Barriers: Unmasking the Easy Password Validation Bypass in Security Key Registration
$1800 Bounty: Exploiting Unpredictable Data that Leads to All Users PII Exposure in an IDOR
How I was able to find BAC on the University website leading to result dumping?
Cloudflare Bypass leads to RXSS[Reflected-Cross Site Scripting] in Microsoft
How I sent multiple payment requests on PhonePe, Paytm, and Google Pay
Discovering and Exploiting a XML External Entity (XXE) Vulnerability in a Public Bug Bounty Program
CTF challenges