By travisintigriti
December 28, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from December 12th until December 25th.
Intigriti News
From my notebook
NahamCon EU 2022: A Free Virtual Offensive Security Conference – NahamCon’s first regional conference, focusing on the EU/India timezones and hosted by InsiderPhD and Farah Hawa. Tons of great talks but here are the 3 available at the moment!
IWCon 2022 – IWCon was just the week after and again a fantastic conference. No videos yet, but some speakers have shared their slides!
I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS. When is copy-paste payloads not self-XSS? – Technically this was a talk at NahamCon so this is kinda a 2-for-1, but this write-up by SpaceRaccoon looks at event listeners and stored XSS.
CVE-2022-42710: A journey through XXE to Stored-XSS – Follow Omar as they find CVE-2022-42710
Hacker Gift Giving ideas by insiderPhD – I put together some threads if anyone is looking for last-minute gifts for their hacker friends. I’ve summarised it in 3 categories: IRL stuff you can wrap, virtual gifts and books.
Other Amazing Things
Ethical Hacking in 15 Hours – 2023 Edition – Learn to Hack! (Part 2)
HackTheBox Certified Penetration Testing Specialist (CPTS) – Review.
How I connect my automation to a database! (Automation Series)
How I scale my containerized bug bounty automation! (Automation Series)
Bug Bounty – Hackerone Hacktivity / Bug Bounty Platforms / How to find more Bug Bounty Programs
Write-up: SQL injection with filter bypass via XML encoding @ PortSwigger Academy
Portswigger Lab: JWT authentication bypass via algorithm confusion with no exposed key
How To Exploit File Inclusion Vulnerabilities: A Beginner’s Introduction. — StackZero
How to Informe an Organization about a Security Vulnerability
How Capabilities actually Work ? | Exploitation | Privilege Escalation
Katana Framework: How To Use It To Scan And Mass Collect Website Data
Bypass Apple’s redirection process with the dot (“.”) character
IDOR allows updating user profiles, leading to full account takeover. | Part 02
Doing it the researcher’s way: How I Managed to Get SSTI (Server Side Template Injection)
Privilege escalation leads to deleting other user’s account and company Workspace [Access Control]
Bypass Admin Panel Using Google & fetch all Users Data [Data Breach]
Simple CORS misconfig leads to disclose the sensitive token worth of $$$
How I was able to steal users credentials via Swagger UI DOM-XSS
[GraphQL IDOR]Leaking credit card information of 1000s of users
In this article, I’ll tell you how I got a 4 digits(₹) bounty from an Indian company.
0 click Account Takeover and Two-Factor Authentication Bypass
How these IDOR vulnerability earned 5000$ | Hackerone Reddit Bug Bounty
CRLF Injection — xxx$ — How was it possible for me to earn a bounty with the Cloudflare WAF?
S3Crets_Scanner – Hunting For Secrets Uploaded To Public S3 Buckets
10 Practical Recon & vulnerability Scanners for bug hunters (part two)
Advent of Cyber 2022: Day 15 Santa is looking for a Sidekick
Advent of Cyber 2022: Day 16 SQLi’s the king, the carolers sing
Advent of Cyber 2022: Day 17 Filtering for Order Amidst Chaos
Do You Need Attack Surface Reduction? (Advent of Cyber Day 22 2022)
Start Hacking with the HEARTBLEED vulnerability: NahamCon CTF
HackTheBox UniCTF 2022 Talk – Variable is what you make of It