By travisintigriti
January 25, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from January 16th to January 22nd.
Intigriti News
From my notebook
Chopin’s Series on heap exploitation and memory
The toddler’s introduction to Heap exploitation — Overflows(Part 3)
The toddler’s introduction to Heap exploitation, Use After Free & Double free (Part 4)
The toddler’s introduction to Heap Exploitation, FastBin Dup Consolidate (Part 4.2)
The toddler’s introduction to Heap Exploitation, Unsafe Unlink(Part 4.3)
The toddler’s introduction to Heap Exploitation, House of Spirit(Part 4.4)
The toddler’s introduction to Heap Exploitation, House of Lore(Part 4.5)
Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022)
Other Amazing Things
The Billion Dollar Vulnerability Forcing a Major Fork On The Ethere…
LevelUpX – Series 14: Finding and Exploiting Hidden Functionality
179 – Client-Side Path Traversal and Hiding Your Entitlement(s)
Risky Biz News: Google Search and Ads have a major malware problem
Srsly Risky Biz: LockBit ripe for disruption, Russians throw kitchen sink at Ukraine
found a pre-auth xss 0day today that affects over 5M hosts on the internet lol
True greatness lies not in the attainment of knowledge, but in the eternal pursuit of it.
Firestore Security Testing Guide — Go Beyond *.firebaseio.com/.json
Setting up Playwright & VSCode for hacking headless browsers
Software Development Lifecycle (SDLC), DevSecOps, SAST, DAST And IAST Concepts
How I found 130+ Sub-domain Takeover vulnerabilities using Nuclei
Another major flaw this time in the TransUnion that allows bypassing security by Jenya Kushnir
DOMAIN ADMIN Compromise in 3 HOURS | by Ignatius Michael | bug bounty
From Error_Log File(P4) To Company Account Takeover(P1) and Unauthorized Actions On API
How I passed the AWS security specialty certification in 2023
How I identified and reported vulnerabilities in Oracle and the rewards of responsible…
How I found 40+ Directory Listing Vulnerabilities of Source Code Disclosure via Exposed WordPress
How I was able to hack into anyone’s account on an Institute Portal
Exploitation of CVE-2022-21500: Oracle E-Business Login Panel
Reflected XSS Leads to 3,000$ Bug Bounty Rewards from Microsoft Forms
How i was able to get critical bug on google by get full access on [Google Cloud BI Hackathon]
PimpMyBurp #7: How HaE Burp Suite extension can help you in your daily hunting session
Weaponised XSS Payloads – XSS payloads designed to turn alert(1) into P1.
CyberChef – A web app for encryption, encoding, compression and data analysis.
MagicRecon – A powerful shell script to maximize the recon and data collection process.
LeakLooker-X – Discover, browse and monitor database/source code leaks.
Creating your own tools to hunt bugs, a power often neglected
The best way to succeed in bounties and research is knowing the tech