Bug Bytes #166 – Double-edged SSRF, ToolTime & Fun hackers stories

By Anna Hammond

April 6, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from March 28 to April 4.

Our favorite 5 hacking items

1. Writeup of the week

Exploiting a double-edged SSRF for server and client-side impact

This is the story of an SSRF that @Yassineaboukir discovered on a private bug bounty program.
It is a beautiful example of mixing several techniques to maximize the impact of a bug, for example GitHub recon to find internal subdomains, exploiting the SSRF to enumerate internal subdomains, exploiting the same bug both server-side (as internal SSRF) and client-side (as information disclosure via CSRF)…

2. Tweets of the week

@hacker_’s SSRF story, Bug hunters’ “Oh Sh*t” moments & Ironic vulnerabilities
Fun hacker stories by @infosec_au & @Jhaddix

If you love fun hacker stories, make sure to follow @hacker_. He’s been very active on Twitter, sharing cool stories and mini-writeups, and inspiring other hackers to do the same, for our delight.

3. Video of the week

ToolTime – FeroxBuster (Content Discovery)

@Jhaddix is another hacker to follow if you are into Web hacking. He’s been very sharing a lot of tips on Twitter lately, co-hosts Bounty Thursdays Live, and started this new show, ToolTime, where he reviews hacking tools.

4. Tool of the week

TruffleHog v3 & Critical Bounties via Leaked API Keys (FT TruffleHug)

@trufflesec released TruffleHog V3 which is way faster that the previous versions, detects 639 key types, automatically validates all secrets it supports with dynamic checks, and supports not only Git but also S3 buckets, STDin, file systems and more.

5. Conference of the week

Insomni’hack 2022

Recording from Insomni’hack 2022 are out, and they include many great talks on offensive security.
The ones I’m prioritizing watching are @scannell_simon‘s “A Common Bypass Pattern To Exploit Modern Web Apps”, @abhaybhargav‘s “Hook, Line And Sinker: Pillaging API Webhooks”, @sachinnthakuri and @1lastBr3ath‘s “Exploiting WebKit To Break Authentication And Authorization” and @swapgs‘s “Two Bugs To Rule Them All: Taking Over The PHP Supply Chain”.


Other amazing things we stumbled upon this week







Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Spring4Shell corner

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • Dome: Subdomain enumeration tool in Python

  • Difftastic: An experimental diff tool that compares files based on their syntax

  • Docker-OSX: Run macOS VM in a Docker! Run near native OSX-KVM in Docker

  • s3sec: Check AWS S3 instances for read/write/delete access

  • Scanmycode (Community Edition): Code scanning/SAST/Static Analysis/Linting using many tools/scanners with one report

Tips & Tweets

Misc. pentest & bug bounty resources


Bug bounty & Pentest news

Non technical

You may also like