Bug Bytes #177 – Hackers descend on Ahmedabad, the hardest CTF and tales of easy P1s

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the weeks from October 2nd until October 8th.

CLICK HERE TO SUBSCRIBE

Intigriti News

• Intigriti wants to know what you want from a researcher-centric API, so let us know your thoughts by answering a short survey

• Monthly leaderboard released; congratulations to our top 3: Oct0pus7, araselmir and bruhbey

• Intigriti reaches 10,000 subscribers on Youtube! Join them

From my notebook

Hackers this week descended on the city of Ahmedabad in India for BSides, now I’ve never been myself, but I will admit to some FOMO seeing all the hackers on twitter, thankfully IamVaaman has us covered with his video sharing some of the highlights while we wait for the official videos!

• While the videos for BSides Ahmedabad 2022 are not out yet, we do have some slides from various creators. Here are the ones I could find on Twitter this week:

  • Bug Bounty on Steroids

  • Chaining Bugs for Account Takeovers

  • PHP EAR to SQLi

  • Smart Contract Security 101

  • How to write your first Nuclei Template

  • Pwning Android apps at scale

  • Videos from 2021

• Wondering what it was like on the ground? Check out this vlog: This is what hackers do at a hacker con – IamVaaman

• Inspired by BSides? pmnh reflects on 2 years of Bug Bounty hunting – This is a great article with some great advice for would-be bounty hunters

Other Amazing Things

• Making $$$ with Clickjacking – Farah Hawa

• IT WAS A SCAM – John Hammond

• NullCon Cybersecurity Interview: Rohit (Security Zines) – Hacking Simplified

• Waybackurls – Sathvik Techtuber

• The origins of Cross-Site Scripting (XSS) – LiveOverflow

• The hardest CTF task I’ve ever done – Bug Bounty Reports Explained

• BUG BOUNTY: ACCOUNT TAKEOVER ON LIVE WEBSITE – BePractical

• Open Source Security –  Let’s chat about Let’s Encrypt with Josh Aas

• Cloud Security Podcast – Kubernetes best practices

• The Hacker Factory Podcast – From Developer To Cybersecurity 

• Smashing Security – Trussterflucks and eBay stalking

• Darknet Diaries – 125 Jeremiah

• Humble Bundle launches Cloud Infrastructure bundle (includes cloud security books)

• Breach notification done right (Telstra breach)

• d0nut reflects on the difficulty of data anonymisation

• Hacker Origin Stories

• Share the mic in cyber

• Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style

• Tale of easy P1 bugs in the wild

• Full company building takeover

• Hacking WordPress

• $40,000 Bounty, Authentication Bypass Techniques, Cache Poisoning, IDORs, Password Recovery, and much more…

• Tale of multiple misconfigurations

• HTTP-Host Header Attacks

• Top SSRF bug bounty reports

• Reading ASP secrets for $17,000

• CVE-2022–35405: Critical ManageEngine RCE

• Methods for bypassing XSS detection in WAFs in 2022

• IDOR in GraphQL Query Leaking Private Photos of a Million $ App

• Bug Bounty: Hunting Open Redirect Vulnerabilities For $$$

• How I Found A P1 Bug

• Sn1per – Recon and asset discovery

• JSON Crack Visual JSON

• Bellingcat OSINT Hackathon Tools

• Buildkit build docker files

• Hookbin – Alternative to Burp Collaborator

• AWSome Pentesting Cheat Sheet

• BlindXSS with User Agent

• API fuzzing

• Access Control Vulnerabilities

• Googledork operators

• AWS Cloud Security 101 CTF

• 247CTF REVERSING185

• DoD ‘Hack Us’ Bug Bounty Program Pool Exhausted

• Malwarebytes modernises its bug bounty program

• Binance hit by $100 million blockchain bridge hack.