Bug Bytes #23 – 20K IDOR Trick, Bug Bounty Vloggers everywhere & Persistent Burp Collaborator

By intigriti_inti

June 18, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 07 to 14 of June.

intigriti news

  • The European Commission launched a public bug bounty program for DSS (Digital Signature Services)

  • @MattiBijnens shows how he and his team earned €20.000 at an intigriti live hacking event with an IDOR trick:

MUST-READ: learn how @MattiBijnens and his team earned a whopping €20K with one IDOR trick at an @intigriti live hacking event! #HackWithIntigriti #BugBounty #WriteUp

— Intigriti (@intigriti) June 14, 2019

Our favorite 5 hacking items

1. Conference of the week

BSides London 2019, especially:
Understanding Stress, Anxiety And Depression And How To Cope

Stress, anxiety and depression are three health risks that we should all be aware of and have strategies to avoid. This talk is a perfect reminder of their distinctions, why they affect us and what to do to avoid them or to get better.
This is very helpful especially for us, hackers, who can spend days in front of our computers, forgetting to exercise, sleep or eat properly.

2. Writeup of the week

How spending our Saturday hacking earned us 20k ($20,000)

This is the writeup of an unusual kind of IDOR found during a live hacking event.
Arne Swinnen, Matti Bijnens & Jeroen Beckers were able to bypass several defense mechanisms including encrypted parameters. The thought process is very detailed and so interesting that I can’t summarize it in a few lines. Check out the article, it’s worth it!

3. Video of the week

Live mentoring with zseano

To be honest, last week was so crazy busy that I haven’t had the time to watch this video yet. But it is on the top of my list!
Apart from the technical details, getting advice from one of the top bug hunters is perfect for getting you into the right hacking mindset.
Live mentoring is an awesome opportunity especially if you’re just starting out.

4. Tool of the week


BurpJSLinkFinder is a Burp Suite plugin that passively detects JS files and scans them for endpoint links.
If you are planning to do some JavaScript code analysis/bug hunting on Web apps, you really want to try it.
It is very helpful because until now you had to export JS files then run a tool like LinkFinder on them to find new endpoints. Such a time saver!

5. Tutorial of the week

Achieving Persistent Access to Burp Collaborator Sessions

If you have played with Burp Collaborator before, you know that Collaborator sessions are closed as soon as you close Burp. That’s not very practical if you need to shut down your laptop and resume tests later.
This tutorial shows a way around this. Basically, you launch Wireshark and sniff out communications between Burp and the Collaborator server. You should see a secret key pertaining to your Collaborator session. This is what will allow you to query the Collaborator server at any time even after closing Burp.
This solution is not perfect but it is a workaround until PortSwigger releases a new feature to save Collaborator sessions.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs

  • BKScan: BlueKeep scanner supporting NLA (Network Level Authentication)

  • BurpTabEssentials: This changes the style of Burp Suite’s Repeater tabs to help the testers

  • Blue: A web-panel designed to make reconnaissance faster and easier accessible

  • Deeplack: Deeplack is a python script designed for comparing images (screenshots) using DeepAI to detect changes on websites & push notifications to Slack

  • Yaazhini: Free Android APK & API Vulnerability Scanner

More tools, if you have time

Misc. pentest & bug bounty resources




Bug bounty / Pentest news



Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/31/2019 to 06/07/2019.


The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti
