Bug Bytes #145 – How to Make a Million in 4 Years, CookieMonster & Threats to CI/CD Pipelines

By Anna Hammond

November 3, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from October 25 to November 1.

Our favorite 5 hacking items

1. Resource of the week

Common Threat Matrix for CI/CD Pipeline & Attacking and Securing CI/CD Pipeline

We’ve seen some amazing writeups involving CI/DC pipelines recently. Their attack surface is large, they are trendy, and they can lead to serious suppy chain attacks which makes them a good target for attackers.
So, if you want to learn about CI/DC security (from both a defender and attacker standpoints), this new threat matrix by @rung is a great resource.

2. Writeup of the week

Tortellini in Brodobuf

While testing Web apps, you might encounter strings that seem to be base64 encoded but can’t be decoded properly because they’re actually Protobuf serialized data that is encoded in Base64. Not knowing about this serialization format can make you miss critical vulnerabilities.
That’s what this writeup is all about: An excellent introduction to Protobuf, how to decode and deserialize Protobuf data, exploit this entry point for SQL injection and how to create a SQLmap tamper script to automate the process.

3. Tools of the week

CookieMonster & Intro
jolokia-exploitation-toolkit (JET) & Tutorial

CookieMonster is a Go tool/API that automates testing for vulnerabilities in stateless authentication. It supports several frameworks and helped @iangcarroll find bugs in many large bug bounty programs.
If you want to automate your testing even further and mass-scan targets, @naglinagli suggests combining it with his Cookies-extractor.

@TheLaluka released Jolokia Exploitation Toolkit, a Python tool that helps exploit exposed Jolokia endpoints. The accompanying article goes over detail on how to use it to get RCE on a Tomcat/Catalina server. This can be handy if you want to escalate an SSRF that allows to reach an internal Jolokia endpoint, to RCE.

4. Tutorial of the week

Android security checklist: WebView

This is a great tutorial on how to attack and protext WebView on Android. It includes different exploitation techniques, ways to increase the impact of attacks, and lots of details.

5. Non technical items of the week

How to Start Bug Bounties 101 & How to Make a Million in 4 Years
Creativity, Self-Doubt & Doing Remarkable Work

If you wonder how hackers like @ozgur_bbh and @s0md3v do their magic, I recommend reading these articles they wrote.
The TL;DR is there is no magic, “Just work.”. However, it is still interesting to hear what they have to say on the topic, the mindset and steps they took that made all the difference.


Other amazing things we stumbled upon this week





Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical

You may also like