Bug Bytes #89 – What $635,387.47 of bounties in 4 years looks like, A 14-year-old’s impressive Instagram XSS & The ultimate ffuf guide

By Anna Hammond

September 23, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 11 to 18 of September.

Intigriti News

Intigriti wins ‘Cybersecurity Innovator of the Year’

Inti De Ceukelaire voted “IT Person of the Year”

Our favorite 5 hacking items

1. Videos of the week

How to Master FFUF for Bug Bounties and Pen Testing & Everything you need to know about FFUF

Finding Hidden Files and Folders on IIS/.NET (Recon), Hacking IIS (APIs and using BigQuery) (Part 2) & Finding Hidden Files and Folders on IIS using BigQuery

These are two very informative videos with accompanying blog posts. Michael Skelton (@codingo_)’s guide to ffuf is so good that the tool’s creator, @joohoi, is linking to it from the main ffuf repo!

Shubham Shah (@infosec_au) shares cool explanations on bruteforcing IIS hidden files and folders, and leveraging BigQuery (without ruining yourself!).

2. Writeups of the week

$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty (Facebook, $25,000)

When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number

Bug bounty amounts aren’t everything, but they’re often an indicator of the seriousness of a vulnerability. Andres Alonso’s (@al0nnso) finding is impressive considering not only the bounty but also the hardened target and his young age. He found an open redirect on Facebook that could be escalated to XSS. WAF bypass was possible by injecting code to change the page’s charset and encoding the XSS payload.

The second writeup is a fun vulnerability disclosure story. @mangopdf found a former Australian Prime Minister’s boarding pass on Instagram and could use it to obtain his passport and phone numbers. Followed an entertaining crusade to report this without getting arrested.

3. Tool of the week


Graphtage is a command line utility and library for semantically comparing and merging tree-like structures (e.g. JSON, JSON5, XML, HTML, YAML, TOML and CSV). It’s a great tool for diffing files and automating recon data analysis.

4. Non technical item of the week

Hacking on Bug Bounties for Four Years

This is an illuminating read for anyone who is doing bug bounties who aspiring to. @infosec_au shares his past four years experience as a part-time bug hunter. This includes the type of bugs he reported, bounty amounts for each, total earnings, his methodology, collaboration experience… Amazing insights of a seasoned bug hunter’s life!

5. Tutorial of the week

Bypassing WAF by Playing with Parameters

This is an introduction to HTTP Parameter Fragmentation, and how it can be leveraged to bypass WAFs and exploit SQL injection. A nice read to get familiar with this technique!

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides & Workshop material


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • kb: A minimalist knowledge base manager

  • Arsenal: Quick inventory, reminder and launcher for pentest commands

  • Mapboxapiscanner: Python script to determine whether a leaked/found Mapbox API Key is vulnerable to unauthorized access by other applications or not

  • query-json: Faster and simpler implementation of jq in Reason Native

More tools, if you have time

  • nvd-scrapper: Pull data from the national vulnerability database and push it to a GCP bucket

  • OneFuzz: A self-hosted Fuzzing-As-A-Service platform by Microsoft

  • GKE Auditor: A tool by Google to detect a set of common Google Kubernetes Engine misconfigurations

  • LambScan & Offensive Security Testing Using Cloud Tools: AWS Lambda-based port scanner

  • wordlist_generator: Unique wordlist generator of unique wordlists

  • Tafferugli: Twitter Analysis Framework #OSINT

  • Darkshot: Lightshot scraper on steroids with OCR #OSINT

  • mzap: Multiple target ZAP Scanning

  • Bantam: A PHP backdoor management and generation tool/C2 featuring end to end encrypted payload streaming designed to bypass WAF, IDS, SIEM systems

  • crlfmap: Go tool to find HTTP Splitting vulnerabilities

  • MIDNIGHTTRAIN & Intro: A Covert Stage-3 Persistence Framework weaponizing UEFI variables

Misc. pentest & bug bounty resources




Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/11/2020 to 09/18/2020.

You may also like