By travisintigriti
October 19, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from October 9th until October 15th.
Intigriti News
We spoke to Kuromatae666 about going full-time bug hunting
From my notebook
This week’s theme is about finding those unique bugs no one has ever found, bug bounty is competition with the reward only given to the first to find a bug. I often recommend what I call low-competition bug bounty hunting, so my top 5 for this week are all thoughts/advice on how to stop competing with everyone else and start finding new unique bugs.
If you’re looking in the same place as other people, you’re now in a race against the clock rather than one of skill
The prerequisites: Things you need to learn before getting into Web hacking/bug bounties by Manas Harsh – Manas shares the fundamentals of web security, programming, networks, Linux, cloud, and databases, this is a great blog post that really breaks down the need to know of bug bounty
Rhynorater shares his tips from Live Hacking events – After competing in many live hacking events against and alongside some of the best hackers in the world, he gives some advice about collaboration, choosing targets and more
NahamSec’s Smart Contract Series – This series was released while we were on hiatus but it’s a great introduction to web 3 hacking, and of course, new tech is often less explored!
[Hacking Banks] Broken Access Control Vulnerability in Banking application [PART I] and [Hacking Bank] Broken Access Control Vulnerability in Banking application [PART II] – Broken access control seems like a really simple vulnerability, but this series by protostar0 shows how deep he went to find some on a banking application
Other Amazing Things
Naked Security S3 Ep104: Should hospital ransomware attackers be locked up for life? [Audio + Text]
How Penetration Testing Reporting is Evolving with Shaun Peapell & Tom Ellson CyberTech Talks
We Hack Purple Podcast Episode 58 with Guest Anshuman Bhartiya
Between Two Nerds: Using Offensive Capabilities Against Criminals
Gone in 60 {Seconds,Minutes,Hours}: Learning from Real-World Breaches
Tips, Advice and Recommendations for Computer Science Students
The easiest bug to get a Hall of fame from a Billion dollar company.
CVE-2022–41040 Microsoft Exchange vulnerable to server-side request forgery
Broken Access Control leads to full team takeover and privilege escalation
Cyberattackers Spoof Google Translate in Unique Phishing Tactic
Public Bug Bounty and Vulnerability Disclosure programs with less competition.
CVE-2022–33077: IDOR to change address of any customer via parameter pollution in nopCommerce <= 4.5
Exceptional Tool? Nginxpwner to Test and Run for Nginx Security and Bug Bounty
SteaLinG – Open-Source Penetration Testing Framework Designed For Social Engineering
GitHub – nvbn/thefuck: Magnificent app which corrects your previous console command.
Former Uber Security Chief Found Guilty of Data Breach Coverup
Optus data breach prompts pincer movement of twin regulatory probes
Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug