By travisintigriti
January 18, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from January 9th to January 15th
Intigriti News
From my notebook
The rough theme for this week is cloud security, honestly this is a must learn skill for bug bounty hunters in 2023, at least the basics of how to deploy to AWS. I’ve walked right past a valid AWS key without realising it, thankfully now I use TruffleHog if I’m looking at open source but it’s definitely a skill worth picking up even with tools.
Other Amazing Things
$1 mln bounty in Aurora blockchain for no input sanitisation bug
An Adversaries Approach to Smart Contracts (with @hackermate_)
Live Recon Sundays – Interview a Hacker: @gf_256 – Smart Contract
Unlock the boundless possibilities of ChatGPT: Hunt down pesky bugs and enjoy seamless automation!
JWT Security 101: How to defend against common attacks on JSON Web Tokens
Brute-force attacks Cheat Sheet (FTP, POP3, SNMP, SSH, VNC, …)
Clear communication is crucial: why writing effective vulnerability reports matters
Bug Hunting 101: Directory Enumeration & Authentication Bypass
Bypass mysql_real_escape_string and addslashes from Injection Attacks
How I Found AWS API Keys using “Trufflehog” and Validated them using “enumerate-iam” tool
Uploading the Webshell using filename of Content-Disposition Header Story!
bypass two-factor authentication in Android apps and web 1000$ TikTok
How I Earned $1000 From Business Logic Vulnerability (account takeover)
A Newbie’s Guide to Bug Bounty Hunting: Navigating the World of Subdomain Enumeration
JNDI Injection Series: RMI Vector — The Final Piece of The Puzzle
How Browser’s Save As Feature might lead to Code Execution (CVE-2022–45415)
India’s Aadhar card source code disclosure via exposed .svn/wc.db
API based IDOR to leaking Private IP address of 6000 businesses