Bug Bytes #170 – Evasive vulnerabilities, Hacking Swagger UI & Reverse engineering REST APIs

By Anna Hammond

May 18, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the weeks from May 9 to 16.

Intigriti news

Intigriti invites cybersecurity players to join its global Partner Program initiative

Our favorite 5 hacking items

1. Conference of the week

Keynote Day 2 | Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle, Slides

I’ve been waiting for this talk recording for weeks, even more that @albinowax‘s previous talks. The reason is that it is not about a single vulnerability, but about broad principles and techniques that @albinowax uses to discover new attack classes and bugs that everyone else misses.
I think we all want to know how he does it, so do not miss this talk if you are interested in Web research.

2. Tool of the week


mitmproxy2swagger is a very useful tool for both developers and hackers. It automatically reverse-engineers REST APIs based on traffic captured while browsing an app.
More specifically, it takes a mitmproxy capture or a HAR file (exported from browser DevTools) as input, and returns an OpenAPI 3.0 specification for the REST API.

3. Videos of the week

Bug Bounty Redacted #3: Hacking APIs & XSS, SQLi, WAF Bypass in a regional web application
Q: How to write a BUG BOUNTY report that actually gets paid?
XSSHUNTER by @IAmMandatory (Behind The Tool #2)

I know it is supposed to be just one “video of the week”, but I want to celebrate three of my favorite shows that are true gifts for bug hunters.

In this Bug Bounty Redacted, @infosec_au covers two bug bounty findings. Although the reports are old, the tips for testing Swagger UIs and regional assets are very relevant today.

@stokfredrik‘s Bounty Thursday is, as usual, so enjoyable and full of insightful tips, with a focus on reporting this time.

Last but not least, Behind The Tool features @IAmMandatory. If you like XSSHunter, this is a great discussion to know more about its author and the behind the scenes of its creation.

4. Writeups of the week

Multiple bugs chained to takeover Facebook Accounts which uses Gmail. (Meta / Facebook, $44,625)
Hacking Swagger-UI – from XSS to account takeovers (Shopify, Paypal, GitLab, Atlassian, Yahoo, Microsoft, Jamf & others)

@samm0uda‘s fantastic writeup shows how he chained client-side vulnerabilities to take over Facebook accounts, turning an “intended-by-design XSS in a Facebook sandbox domain” into a $44+ bug bounty.

The other writeup is about a DOM XSS that @kannthu1 found in Swagger UI and reported to several bug bounty programs. This is excellent research and a good resource if you want to learn more about hacking Swagger APIs (after watching Bug Bounty Redacted #3 on the same topic).

5. Challenge / Resource of the week

Gin and Juice Shop: put your scanner to the test

“Gin and Juice Shop” is a new intentionally vulnerable web app by PortSwigger. It is intended to be used to test Burp Scanner. I think it also provides a good training ground to practice manual Web hacking after finishing the other Web Security Academy labs and courses.


Other amazing things we stumbled upon this week


Podcasts & Audio



Slides & Workshop material


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • pipe-intercept: Intercept Windows Named Pipes communication using Burp or similar HTTP proxy tools

  • badkeys: Tool and library to check cryptographic public keys for known vulnerabilities

  • Skanuvaty: Dangerously fast DNS/network/port scanner

  • Fastsub: A custom built DNS bruteforcer with multi-threading, and handling of bad resolvers

Tips & Tweets

Misc. pentest & bug bounty resources



Bug bounty & Pentest news

Non technical

You may also like