Bug Bytes #122 – ReDoS demystified, PayloadAllTheThings inside Burp & An $18k Instagram OAuth misconfiguration

By Anna Hammond

May 12, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from May 3 to 10.

Intigriti News

Meet the hacker: Get to know sumgr0, The King of subdomain takeovers

Our favorite 5 hacking items

1. Tools of the week



HopLa is a Burp extension that adds payloads to Burp with autocompletion. By default, payloads used are from PayloadAllTheThings but you can customize them. This makes it so easy to create your own custom payload library inside Burp.

Versionshaker is a handy Python tool for fingerprinting the exact version of open source software used on a site. Let’s say for instance that you have trouble identifying the version of WordPress used on a site. Versionshaker takes the site’s URL, the WordPress GitHub repo’s URL and paths of static files to compares (e.g. JS or CSS files). It does its magic and returns which releases of WordPress have these exact files.

2. Writeups of the week

How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit (Google)

Account takeover of Instagram accounts due to unrestricted permissions of third-party application’s generated tokens (Facebook, $18,000)

The first writeup is about an RCE in Google App Engine that the author found in a week during their internship at Google.
To be honest, I did not understand any of it but maybe you will! In any case, it is interesting to see what other hackers are working on and different areas to explore (in this case hacking with low level Java byte code).

The second writeup is much easier to digest but also impactful. @Samm0uda noticed that an Instagram OAuth flaw returned an access token with more permissions that it should. This allowed for taking over Instagram accounts.
Simple, but the difficulty lies in detecting the change in the access token’s permissions.

3. Video of the week

Regular Expression DOS FOR BEGINNERS!

If you want to learn about RegEx and ReDoS, this is the best introduction to these complex topics. @Farah_Hawaa explains just what you need to understand their basics and a practical example of detection and exploitation.

4. Resource of the week

huntr hacktivity

This is a hacktivity for vulnerabilities found in open source software. More and more hackers are looking for bugs in 3rd-party software to leverage in bug bounties/pentest. So this is an interesting vulnerability database and collection of writeups on which to keep an eye.

5. Tutorial of the week

DNS Based Out of Band Blind SQL injection in Oracle — Dumping data

The first tutorial is all about DNS-based Out-of-Band SQL Injection. It explains techniques that are good to know in case you encounter this type of injection: How to ensure it is not a false positive, the type of backend database, how to dump data from the database and bypass limitations of exfiltrating via DNS (no spaces, max 253 characters, DNS cache…).

Other amazing things we stumbled upon this week






Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Tips & Tweets

Misc. pentest & bug bounty resources


Bug bounty & Pentest news

Non technical

Community pick of the week

Awww such a cutie, well done @_sebd!

Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!

You may also like