By travisintigriti
January 10, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from January 2nd to January 8th
Intigriti News
From my notebook
It’s been a quiet week in the offensive security community, so this week I’ve put together a must-read list of the more advanced resources shared over the past few days. They range from a look into the world of automotive security and household names, to the nitty gritty of Java deserialisation, scaling up a neat website idea into a search engine, and proxying encrypted traffic.
Image Stacks and iPhone Racks – Building an Internet Scale Meme Search Engine
Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys
Other Amazing Things
#NahamCon2022EU: I Hope This Sticks: Analyzing ClipboardEvent Listeners
Reflective XSS via Link Click / SSRF [Hackvent 2022 – Day 14]
#NahamCon2022EU: Hunting for Amazon Cognito Security Misconfigurations
Would you prefer a password-less login? #cybersecurity #shorts
LevelUpX – Series 13: SPI Flash for Bug Bounty Hunters with Nerdwell
I hacked a large company (70k+ employees) through social engineering. Legally of course.
Hacking is a mentality that can be applied to much more than computers.
Automated and Continuous Recon/Attack Surface Management — Amass Track and DB
Simple Python script that can scan a URL for a Remote Code Execution (RCE) vulnerability.
Python script that will get a search term from the user and search for related articles on Medium…
How to perform dynamic analysis of a smart contract with Myth
How to automate your initial recon and extend ASM using Sub-Scout
CVE-2022-38627: A journey through SQLite Injection to compromise the whole enterprise building
India’s Aadhar card source code disclosure via exposed .svn/wc.db
Access to page with default credentials that require authenticate $$$.
Logic Bug Can Create Multiple User Accounts with 1 Phone Number (Reward $150)
JNDI Injection Series: RMI Vector – Insecure Deserialization