Bug Bytes #16 – Session fixation on Shopify by @filedescriptor, Keyhacks & How to Hunt Bugs in SAML

By intigriti

April 30, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 19 to 26 of April.

Our favorite 5 hacking items

1. Challenge of the week

CTF Challenge

I haven’t had the time yet to do this CTF, but it’s on my todo list because it seems different. It’s a Web CTF that involves multiple subdomains, directory bruteforce, and different attack vectors.
So it’s a nice opportunity to practice recon. But make sure to respect the rules (attacking the infrastructure/ports other than 443 is not allowed).

2. Writeup of the week

Session fixation on Shopify ($5,000)

This is an excellent session fixation report. It is well-written, detailed and a good example of a real-life session fixation attack. So it’s a goodread if you want to learn about this kind of bugs.
Also, it’s interesting to see how @filedescriptor found the bug and chained it with an out of scope vulnerability: He found an XSS but XSS was out of scope. So he kept playing with the apps and noticed that some session IDs generated didn’t change after logging in, which meant session fixation. So he leveraged the XSS to exploit the session fixation.

3. Article of the week

“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
A list of the most common [secure] variables from 5,302,677 build logs on Travis CI

This is awesome research and collaborative work! I loved reading about:

  • How they came up with this research topic

  • How they started with a list of bug bounty programs, found their Github organizations (using Google), then their Travis CI projects (using a bookmarklet)

  • How they grepped through the sizeable data retrieved (using Ripgrep)

  • How the tools they used to fetch build logs were created with availability in mind (to avoid causing any service disruption)

  • Which kind of information to look for when analyzing Travis CI logs

  • Several examples of bugs found on bug bounty programs

4. Resource of the week


Keyhacks is a Github repo listing ways in which API keys can be checked to see if they’re valid.
It can be handy to quickly show the impact of API keys leaked by bug bounty targets. It’s particularly interesting after reading the research about finding sensitive information in Travis CI logs.

5. Tutorial of the week

How to Hunt Bugs in SAML; a Methodology – Part I, Part II & Part III

If you’ve come accross SAML during testing and didn’t know which kinds of bugs to look for, these tutorials are for you!
They’re a good introduction including how SAML works, common vulnerabilities, tools, a testing methodology, and resources.
5. Tutorial of the week

6. Intigriti News

6.1 XSS Challenge

After the big succes of the Twitter CTF, Intigriti published a new challenge. This time it is a XSS challenge.  Are you able to execute javascript on

CHALLENGE: Can you find the XSS? 🧐 Earn a Burp License, cool swag & private invites! 👉

— Intigriti (@intigriti) April 29, 2019

6.2 Program of the Week

Torfs – the well-known shoe retailer in Belgium – is still a 100% family business today. This family character guarantees a number of important values within the company where employees are central. With more than 80 stores in Flanders, 2 shops in the French part of Belgium and a growing online shop in Belgium, The Netherlands and several marketplaces, Torfs wants to be and remain the most customer-friendly optichannel shoe store chain. They pay up to €5000  and have their full online store in scope. Go have a look!

Other amazing things we stumbled upon this week



Webinars & Webcasts

Slides only


Medium to advanced

Beginners corner



Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • X41 BeanStack & Introduction: Java Fingerprinting using Stack Traces

  • SmartProxy: SmartProxy will automatically enable/disable proxy for the sites you visit, based on customizable patterns

  • BugHunter: A Bug management project for Bug Hunters

  • RCEvil.NET & Slides: A tool for signing malicious ViewStates with a known validationKey

  • Viewgen: ASP.NET ViewState generator, When to use it & Related research

  • Thief: Subdomain hijack automation. Wrapper around Sublist3r & Subjack

  • Findomain: A tool that use Certificate Transparency logs to find subdomains

  • Reverie: Wrapper around pentest tools with automated reporting (for Parrot Linux)

  • GitHacker: A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers’ mind

  • Python script that displays the Content-Security-Policy of a given url

  • Netmap.js: Fast browser-based network discovery & port-scanning module

  • Termshark: A terminal user-interface for tshark

  • SAP Gateway RCE exploits

Misc. pentest & bug bounty resources





Bug bounty news


Breaches & Attacks

Other news


Non technical


Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019.

Curated by Pentester Land & Sponsored by Intigriti

Subscribe to the newsletter here! Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

You may also like