Bug Bytes #149 – WordPress plugin confusion, Bug bounty automation & CTF tricks

By Anna Hammond

December 1, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from November 22 to 29.

Our favorite 5 hacking items

1. Resource of the week

@xvnpw has been sharing interesting research, writeups and tips on path traversal vulnerabilities. The blog is worth a read if you’re interested in this bug class, or in older articles on hacking Azure and SpEL.

2. Writeup of the week

WordPress Plugin Confusion: How an update can get you pwned, WordPress Plugin Update Confusion – The full guide how to scan and mitigate the next big Supply Chain Attack & Traffic Factory example

@vavkamil took the idea of dependency confusion and transposed it to WordPress themes and plugins. Then he partenered with @naglinagli to search for this new vulnerability at scale on bug bounty programs.
I love this type of research, both so clever and obvious AFTER you’ve read about it. Who would’ve thought that WordPress and package registries like NPM had anything in common?!

3. Challenge writeup of the week

The InfoSecurity Challenge 2021 Full Writeup: Battle Royale for $30k

@spaceraccoonsec solved all 10 levels in The InfoSecurity Challenge that involved web, mobile, cryptography, pwn, forensics, steganography, and more. He wrote a detailed walkthrough of all tasks and it is full of interesting techniques worth knowing.
With all the CTFs running this December, it might help to learn some of these advanced CTF tricks.

4. Tools of the week


These tools both perform common bug bounty taskd but with a twist.

@blegmore‘s cero scrapes domain names from SSL/TLS certificates. This sounds like something that tons of other tools already do, right? What makes cero interesting is that it can scrape certificates from any protocol that uses TLS, not just HTTPS.
Thank you @Six2dez1 for highlighting this awesome tool!

Scavenger by @0xDexter0us is a Burp extension that creates target-specific wordlists from Burp history. The cool part is that it can create a parameter wordlist (based on URL, body, cookie, and JSON parameters), an endpoint wordlist (based on URLs in the sitemap and JavaScript files) or a wordlist of JSON response keys.

5. Article of the week

Hakluke: Creating the Perfect Bug Bounty Automation

This reads like a short history of automation through the eyes of a bug hunter. @hakluke describes different types of architectures he tried, their limits, and how he plans on solving them.
If you’re thinking of building your first bug bounty automation solution, it can be useful to learn about someone else’s experience and mistakes.


Other amazing things we stumbled upon this week




Slides & Workshop material


Medium to advanced

Beginners corner


Challenge writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical

You may also like