Bug Bytes #158 – postMessage XSS tips, API testing toolbox & Finding 100+ bugs in WordPress plugins

By Anna Hammond

February 9, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from January 31 to February 07, 2022.

Intigriti news

Intigriti 1337UP LIVE 2022

Intigriti’s February XSS challenge By @aszx87410

Our favorite 5 hacking items

1. Tutorial of the week


This is worth a read if you’re interested in postMessage XSS. @oliverrickfors shares a methodology to easily find addEventListener in JS files (given a list of hosts as input), then what to do next to test and exploit them for XSS.

2. Writeups of the week

Solving DOM XSS Puzzles
CVE-2022-21703: cross-origin request forgery against Grafana

Can’t get enough of postMessage XSS? Check out @spaceraccoonsec’s writeup on two XSS vulnerabilities he found on bug bounty programs. They involve interesting bypasses and advanced tips worth adding to any DOM XSS methodology.

Another interesting finding is a CSRF found on Grafana by @jub0bs and @theabrahack. It could basically make a Grafana Admin unwittingly send you a user invite to become admin of their instance, demonstrating that CSRF is definitely not dead.

3. Video of the week

My API Testing Automated Toolbox

Testing a small intentionally vulnerable API is one thing, but where to start when you’re looking for bugs in a large API with thousands of requests on a hardened bug bounty target?
Watch @InsiderPhD explain a sensible approach that combines automation and a manual workflow, with details on the tools she recommends.

4. Article of the week

A technique to semi-automatically find vulnerabilities in WordPress plugins

What is better than finding a vulnerability in a WordPress plugin? Finding over 100 vulnerabilities in dozens of popular WordPress plugins!
@kazet1234 details a semi-automatic approach used to scan for multiple vulnerability classes including XSS, SQL injection, CSRF, arbitrary file read and more. Amazing research that is interestingly transferable to other CMSes.

5. Tool & Tip of the week

35 bytes PHP backdoor that’s protected by a password & supports arbitrary function calls

@s0md3v just dropped these two beautiful gems. The first one is a Go tool that tells you whether a string is machine-generated or human readable. I’m not sure which use case he has in mind, but I’d use this to programmatically extract potential secrets from code.

The second tool is a neat PHP webshell that is protected by a password and supports arbitrary function calls despite being very short. From now on, this is my go-to PHP webshell!


Other amazing things we stumbled upon this week





Slides & Workshop material



Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups


  • LFIDump: A simple python script to dump remote files through a local file read or local file inclusion web vulnerability

  • Aerides & Intro: An implementation of infrastructure-as-code scanning using dynamic tooling

  • SMBSR: Lookup for interesting stuff in SMB shares

  • SMBeagle: SMB fileshare auditing tool that hunts out all files it can see in the network and reports if the file can be read and/or written (useful for lateral movement and privilege escalation)

  • EvilSelenium: A C# tool that weaponizes Selenium to attack Chrome

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical
