Bug Bytes #50 – Null Bytes Worth $40K, Getting Your First Bug & Tab Tricks

By Intigriti

December 24, 2019

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 13 to 20 of December.

intigriti news

.@Randstad just launched a responsible disclosure program with an a-ma-zing scope! Check it out 😎
👉 https://t.co/Xf0qiCPmVq 👈 #HackWithIntigriti pic.twitter.com/jc5cTWgTet

— Intigriti (@intigriti) December 19, 2019

Our favorite 5 hacking items

1. Tutorials of the week

From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13
Anyone Can Check for Magecart with Just the Browser
Ngrok your DockerSploit

These are excellent tutorials to learn about:

  • iOS app pentesting. It’s THE tutorial you were waiting for. Everything is explained: jailbreaking with checkra1n, installing Frida and Objection, proxying traffic with Burp, bypassing certificate pinning with SSL Kill Switch 2, bypassing jailbreak detection, etc.

  • Detecting Magecart. Useful for penetration testers who want to know which indicators to keep an eye out for to detect infected sites.

  • The poor man’s VPS setup. Useful for tests involving reverse shells and out-of-band vulnerabilities. No credit card required.

2. Writeup of the week

Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty ($40,000)

I have bad memories of buffer overflows from my university days. But this writeup describes a type of overflow that is relatively easy to understand and to exploit remotely on Web apps.

@samwcyo was trying to re-register existing usernames. He tried adding special characters (like null byte, CRLF characters, spaces, Unicode…) hoping that they would be removed during the registration process.

The vulnerability is that each null byte inserted was replaced with random data, e.g.:

  • Request: POST /register?username=victim%00@domain.com

  • Response: username victimIdL@domain.com

So, injecting multiple null bytes (victim%00%00%00@domain.com) made the server return chunks of memory that contained very sensitive data (SSH keys, passwords, usernames, etc.).
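To make the bug class concrete, here is an added C model of the behaviour described above. It is not code from the writeup, and the root cause it assumes is a hypothesis: a server that percent-decodes the username, then "strips" null bytes by skipping them while copying into a reused, never-cleared buffer, so whatever byte was already there at that index is echoed back. The stale buffer contents (`STALE`) and the `register_vulnerable` / `register_hardened` functions are constructed for this demo; the hardened version shows the two mitigations a reviewer would ask for: reject control bytes after decoding, and zero working buffers so a latent copy bug cannot disclose old data.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Stand-in for whatever the process last left in a reused buffer.
   Constructed for this demo; a real leak returns arbitrary heap/stack bytes. */
static const char STALE[BUF_SIZE] = "dbpass=hunter2;ssh-rsa AAAAB3Nza (stale demo data)";

/* Percent-decode src into dst (at most dst_size bytes). Returns the number of
   decoded bytes; "%00" decodes to 0x00, so the result may contain embedded NULs. */
size_t url_decode(const char *src, unsigned char *dst, size_t dst_size) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0' && n < dst_size; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            dst[n++] = (unsigned char)src[i];
        }
    }
    return n;
}

/* Vulnerable model (hypothetical root cause): NULs are "removed" by skipping them
   during an in-place copy, so the stale byte already at that index survives and is
   echoed back. Returns the echoed username (static storage, demo only). */
const char *register_vulnerable(const char *raw_username) {
    static char out[BUF_SIZE + 1];
    unsigned char decoded[BUF_SIZE];
    char buf[BUF_SIZE];
    memcpy(buf, STALE, BUF_SIZE);                 /* reused buffer, never cleared */
    size_t n = url_decode(raw_username, decoded, BUF_SIZE);
    for (size_t i = 0; i < n; i++)
        if (decoded[i] != 0) buf[i] = (char)decoded[i];   /* NUL: buf[i] left stale */
    memcpy(out, buf, n);                          /* echoes n bytes, stale ones included */
    out[n] = '\0';
    return out;
}

/* Hardened: reject any control byte after decoding (NUL, CR, LF, ...) and zero the
   output buffer before use. Returns NULL when the username is rejected. */
const char *register_hardened(const char *raw_username) {
    static char out[BUF_SIZE + 1];
    unsigned char decoded[BUF_SIZE];
    size_t n = url_decode(raw_username, decoded, BUF_SIZE);
    if (n == 0) return NULL;
    for (size_t i = 0; i < n; i++)
        if (decoded[i] < 0x20 || decoded[i] == 0x7f) return NULL;
    memset(out, 0, sizeof out);                   /* no stale bytes can ever be echoed */
    memcpy(out, decoded, n);
    return out;
}

int main(void) {
    /* One null byte: the stale byte at index 6 ('=') replaces it. */
    printf("vulnerable: %s\n", register_vulnerable("victim%00@domain.com"));
    /* Nine null bytes: nine stale bytes come back, here a whole "password". */
    printf("vulnerable: %s\n",
           register_vulnerable("victim%00%00%00%00%00%00%00%00%00@domain.com"));
    const char *ok = register_hardened("victim%00@domain.com");
    printf("hardened:   %s\n", ok ? ok : "rejected");
    return 0;
}
```

The observable symptom a tester or a log reviewer can key on is that the echoed username is the same length as the submitted one but differs at exactly the positions where control bytes were sent; the fix is to refuse such input outright rather than to patch the copy loop, since the copy loop is only one of several places where a C-string API can silently stop at a NUL.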

3. Videos of the week

Finding Your First Bug: Getting Started on a Target (Part 1) & Part 2

@InsiderPhD continues to delight us with new video tutorials on “Finding your first bug”. This series is excellent for anyone starting out in bug bounties or who wants to get into Web app penetration testing.
A lot of ground is covered, from creating your own testing methodology to recon, note taking, what to look for, etc.

4. Tip of the week

Nine tips for better tab management

This is for Firefox users, especially those of us who always have 20+ tabs open. The nine features mentioned include synchronization between devices, sending tabs to another device, muting tabs, etc.
I find this very helpful for organizing tabs (and reducing anxiety).

5. Tools of the week

Silver
Flumberbuckets & Introduction

Two cool Python tools to help with recon automation. Silver by @s0md3v is a wrapper around Masscan, Nmap and Vulners. Flumberbuckets by @fellchase is for S3 bucket hunting.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Online Generate Test Data in CSV or JSON

  • SecretX: Extracting APIs and keys from a list of URLs using regex

  • Cypher Injection Scanner: Burp Suite Extension that detects Cypher code injection in applications using Neo4j databases

  • Dnstwister: Online domain name permutation engine

  • Credcheck & Introduction: Credentials Checking Framework

  • Scout: URL fuzzer in Go for discovering undisclosed files and directories on a web server

  • Koala Toolkit: Bug bounty toolkit for Docker

  • alpyntest: A Docker image embedding modern Python3 pentest tools (impacket, pypykatz, lsassy, ntlmrecon, enum4linuxpy, ldapsearch-ad, CrackMapExec…) to avoid dependency wreckage on your system

  • Rubeus2ccache: Generates ccache files directly from Rubeus dump output

  • Search-SMB: A wrapper shell script for CrackMapExec that will grab all the SMB shares and search readable ones for your search term

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/13/2019 to 12/20/2019.

Disclaimer:

The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
Curated by Pentester Land & Sponsored by Intigriti
