Bug Bytes #150 – CMS wordlists, Lesser known Python bugs & Containers learning path

By Anna Hammond

December 8, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from November 29 to December 6.

Intigriti news

Intel chooses Intigriti as its bug bounty vulnerability management platform

Our favorite 5 hacking items

1. Challenge of the week

Orange Tsai’s HITCON CTF 2021 Challenges

@orange_8361 published the code for some HITCON CTF 2021 challenges. I found Metamon-Verse really interesting, but I won’t say more to avoid spoiling it.
If you’re stuck, here is a writeup for Metamon-Verse and a hint for W3rmup-PHP.

2. Writeups of the week

SSRF vulnerability in AppSheet – Google VRP (Google, $6,267.4)
AWS SageMaker Jupyter Notebook Instance Takeover (Amazon)

@david_nechuta shared a cool SSRF on Google AppSheet, with an interesting bypass involving HTTP headers.

The other noteworthy writeup is about a self-XSS that can be chained with CSRF to completely take over AWS SageMaker Jupyter Notebook instances. The technique is similar to @S1r1u5_’s Cookie Tossing to RCE on Google Cloud JupyterLab.

3. Tutorial of the week

10 Unknown Security Pitfalls for Python

This article is about ten lesser-known bad coding practices that SonarSource researchers encounter when doing Python code review assessments.
Before diving into the article, make sure to try solving this related code review challenge.

4. Tools of the week

csg (“Credential Storage with Go”) & Intro
Proxy Agent & Intro

csg is a Go tool that helps organize and store credentials. Think of it as a command-line password manager for credentials that you only need temporarily, for instance for the duration of a CTF.

Another handy tool is Proxy Agent. If you find yourself often needing to set up Burp on your rooted Android device, it will help speed up the process.

5. Resources of the week

Learning Containers From The Bottom Up: Efficient Learning Path to Grasp Containers Fundamentals
webapp-wordlists & @podalirius_’s Cyber Advent 2021

After years spent studying containers, @iximiuz created a learning path to walk us through this complex topic. Whether you want to hack containers or just use them in your day-to-day life, check out the first resource. It is amazing: informative and covering advanced topics, yet beginner friendly.

@podalirius_ has been posting one new article or tool every day, and will continue doing so until Christmas.
One of them is webapp-wordlists, a repository of path and directory wordlists for many CMSs. Having this collection of endpoints is valuable for fingerprinting CMSs when testing Web apps.
The Python scripts used to generate the wordlists are also included, so you can tweak them to generate wordlists for any missing CMS.


Other amazing things we stumbled upon this week




Slides & Workshop material



Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • Eval Villain & Intro: ZAP / Firefox add-on to inspect arguments to arbitrary native JavaScript functions (similar use cases to DOM Invader in Burp but with more configuration options)

  • pip-audit & Intro: A tool for scanning Python environments for known vulnerabilities

  • Cracken: A fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in Rust

  • ipsourcebypass: Python script that checks for IP source restrictions bypass using HTTP headers

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical
