Bug Bytes #168 – Behind The Tool, NotGitBleed & Custom Transport Encoding in Burp

By Anna Hammond

April 20, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from April 11 to 18.

Intigriti news

Intigriti’s April XSS challenge By @aszx87410

Our favorite 5 hacking items

1. Video of the week

Live Recon | @IppSec Talks About Hacking, His Favorite Tools, HackTheBox and More!
FFUF by @joohoi (Behind The Tool #1)

@NahamSec‘s Lire Recon show is baaaack! It has a new format and two new co-hosts, @Jhaddix and @stokfredrik.
This first episode is must watch if you enjoy hacking or want to hear @ippsec talk about programming, recon, CTF, etc.

Another new show is Intigriti’s Behind The Tool, hosted by @hacksplained.
The first episode is so-o-o good! @joohoi shares a lot about ffuf, how to pronounce it, the context behind its creation, his favorite functionalities, and more.

2. Writeup of the week

NotGitBleed (GitHub)

Just when I start thinking that it may be getting harder to find leaked secrets on GitHub… MDSec‘s Aaron Devaney shows that not only there are still GitHub leaks to be found, there are so many that he collected them at scale with automation.

3. Tools of the week


Wister is a wordlist generation tool. It takes a list of words as input, and can output variants with different encodings, casings, homographs, etc.

Another handy tool is NMAP-Formatter, a Go tool that can convert NMAP’s XML output to HTML, CSV, JSON and markdown.
There are many other tools to convert Nmap output, but I’m personally starting to use this one because it supports many formats including JSON, so it makes it easy to chain Nmap with jq and other recon tools.

4. Vulnerability of the week

CVE-2022-26809 MS-RPC RCE:

CVE-2022-26809 is an integer overflow in MSRPC. It does not have a public exploit but is worrisome for its 9.8 CVSS score, and its wormable potential as an unauthenticated zero-click RCE.

5. Tutorial of the week

Teaching Burp a new HTTP Transport Encoding

If you encounter a HTTP client/server that use custom Transport Encoding or encryption, this tutorial could save you a lot of headache.
@pentagridsec demonstrates how to solve the problem by writing a Burp extension.


Other amazing things we stumbled upon this week


Slides & Workshop material

Podcasts / Audio




Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Known vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • SecretScanner: Find secrets and passwords in container images and file systems

  • KnockKnock: A simple reverse whois lookup tool which returns a list of domains owned by people or companies

  • linWinPwn: Bash script that automates Active Directory enumeration and vulnerability checks

Tips & Tweets

See more tips on this week’s Twitter collection.

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

You may also like