Bug Bytes #136 – GraphQL fingerprinting, Building new SSTI payloads & A HTTP/2 request smuggling lab

By Anna Hammond

September 1, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from August 23 to 30.

Our favorite 5 hacking items

1. Video of the week

Dan Miessler Talks About Recon/Automation, Seclists, Certifications, Mental Health & More!

This interview with @DanielMiessler is a must-watch if you are into hacking and personal growth. It is one of @NahamSec’s best interviews or, as he says: “If you’re going to watch only one of my videos, this should be it”.

2. Writeup of the week

Vulnerability in Bumble dating app reveals any user’s exact location

@RobJHeaton discovered a way to disclose the exact location of Bumble users using trilateration. It is a nice read if you like creative findings and fun writeups (it’s written like a detective story).

3. Tutorials/Resources of the week

Python context free payloads in Mako templates & Python vulnerabilities : Code execution in jinja templates
How to set up Docker for Varnish HTTP/2 request smuggling & Repo

SSTI payloads for RCE can be complex and look like magic to beginners. If you wonder how they are constructed, the first couple of tutorials will be helpful. @podalirius_ created several new payloads for Mako and Jinja, and explains the methodology used to construct them.

The second tutorial and accompanying repository will be useful if you want to practice finding HTTP/2 request smuggling vulnerabilities. The dockerized lab deploys a local environment that is vulnerable to CVE-2021-36740 (HTTP/2 request smuggling in Varnish).

4. Article of the week

API Tokens: A Tedious Survey

You may have heard of OAuth 2.0, JWT, PASETO and Protobuf Tokens, but have you heard of Macaroons, Biscuits and Facebook CATS? This article compares these different types of API tokens from a security standpoint. It is aimed at developers, but knowing the weaknesses of each type of token provides good insight for anyone who has to test API security.

5. Tools of the week

Interactsh Collaborator

There is a common problem bug hunters face when fuzzing a list of URLs: How to avoid testing similar/duplicate or uninteresting URLs? @s0md3v released uro, a handy Python script that solves this issue using pattern matching (e.g. to remove blog pages) and extensions (to remove js/pdf/png… files).

@dftrace’s graphw00f is a Python tool that takes a GraphQL endpoint as input and tries to fingerprint the server engine behind it. It doesn’t just return the detected engine’s name, but also its default defense mechanisms (useful to know when you’re trying to attack it!).

If you use Project Discovery’s Interactsh and Burp, you might love @wdahlenb’s interactsh-collaborator. It is a Burp extension that acts as an Interactsh client, so you get free out-of-band testing directly from Burp.


Other amazing things we stumbled upon this week






Medium to advanced

Beginners corner


Challenge writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • BatchQL & Intro: GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations

  • hakluke/dumpcn: Get all the CNs and SANs from a list of domains

  • A Bash wrapper for radamsa that can be used to fuzz exported activities and deep links

  • wmkick & Intro: MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical
