BugBytes #18 – Information disclosure on Shopify, Awesome Asset Discovery & How To Work Smarter Not Harder with Bug Bounty

By intigriti

May 14, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 3 to 10 of May.

Our favorite 5 hacking items

1. Challenge of the week

Authentication Lab (online), Source code & Walkthroughs

This is a great lab if you want to practice finding authentication vulnerabilities. There are 5 bugs: IP based authentication bypass, Timing attack, Client side auth, Leaky JWT and JWT Signature Disclosure (CVE-2019-7644).
Also, if stuck, check out the walkthroughs. I don’t want to read them before doing the challenges but they seem detailed (like 5 articles in 1!).

2. Writeup of the week

Information disclosure on Shopify ($802.20)

This is a fun report! The vulnerability is that a GraphQL endpoint reveals sensitive information without authentication: that’s the internal beer consumption (brands & quantities left) at Shopify’s offices.
What’s interesting is how @eraymitrani found the vulnerable GraphQL endpoint. I highly recommend reading the summary where he explains it.
Basically, he saw in a previous report by @rijalrojan that Shopify had an exposed GraphQL endpoint. So he set out to find other exposed endpoints, following these steps:

  • Subdomain enumeration

  • Request /graphql on all subdomains using wfuzz

  • Filter by 200 responses

  • Send introspection queries to all of them in Burp Repeater

  • Got “query string not present” error

  • Solve it by adding the “content-type:” header to the post request

  • Look for a domain that leaks private information

3. Article of the week

Bug Chain Tales: P5+P5=P3

If you’re always hearing about chaining bugs and wondering how to do it in practice, this is a good example.
Self-XSS and login CSRF are generally not paying bugs by themselves. But, combined, they become more dangerous and worthy of a bounty.
The attack scenario in this case is to enter the XSS payload in the address details of the attacker’s account, and make the victim open this account using the login CSRF. When the victim buys something and wants to select the delivery address, the XSS payload is triggered.

4. Resource of the week


As its name indicates, this is an awesome asset discovery list. In other words, it’s a list of resources to help find all kinds of assets for organization: IP addresses, (sub)domains, emails, open ports, cloud infrastructure, business communication infrastructure, data leaks, source code aggregators, and more.
Some of the tools mentioned are classics that you probably already use, but you might also discover something new!

5. Slides of the week

Bug bounty – Work smarter not harder

This is a nice introduction to bug bounty. But even if you’re not a beginner, some resources mentioned might be helpful. Personally, I didn’t know of dkimsc4n (a DKIM scanner) and can’t wait to try it.
Also, thanks for mentioning Pentester Land @vavkamil!

6. Intigriti News

6.1 Platform Updates

We’ve added several new features to our platform:

  • The submission title length is increased up to 50 characters.

  • Researchers are now able to specify a preferred payment method (invoice, wire, Payoneer, Paypal) and enter their details. This setting is made available in the payout overview

  • Researcher are now able to start their vetting procedure by one click via the profile view.

A blogpost about the platform’s new features will be posted soon!

 6.2 New Bug Bounty Tips

This week we received two bug bounty tips:

  • Use Exiftool to extract metadata from documents. It might reveal vulnerable htmlopdf generators.

A PDF file can tell more than you think! Great advice from @QuintenBombeke! #BugBountyTip #HackWithIntigriti #BugBounty

— Intigriti (@intigriti) May 9, 2019

  • The Birthday Trick: If you sign up for a target, set your birthday to today or tomorrow! Then use birthday discount vouchers in your inbox to buy gift cards. Repeat!

BOUNTY TIP: Get yourself a nice bounty present by buying giftcards with birthday discounts 🎁! Repeat & recycle your gift cards to generate infinite money. 💰🤑Thanks, and happy (real) birthday, @securinti! 👑🎂#BugBountyTip #HackWithIntigriti

— Intigriti (@intigriti) May 14, 2019

Other amazing things we stumbled upon this week




Slides only


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • awesome-jenkins-rce-2019: There is no pre-auth RCE in Jenkins since May 2017, but this is the one!

  • Natlas: Scaling Network Scanning

  • Check for public Google groups given a list of domains

  • Horn3t: Powerful Visual Subdomain Enumeration at the Click of a Mouse

More tools, if you have time

  • Bash wrapper for nmap scans

  • Final Recon: OSINT Tool for All-In-One Web Reconnaissance

  • Determines if there is an AWS account associated with a given email address

  • Initial recon automation (masscan + nmap import into metasploit db)

  • wpBullet Build Status: A static code analysis for WordPress Plugins/Themes (and PHP)

  • autOSINT: Recon tool. Uses recon-ng &

  • ReconT: Reconnaisance, footprinting & information disclosure

  • Shiva: An Ansible playbook to provision a host for penetration testing and CTF challenges

  • QRGen: Simple script for generating Malformed QRCodes

  • Jalesc: Just Another Linux Enumeration Script: A Bash script for locally enumerating a compromised Linux box

  • LDAP_Search: Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.

  • SharpClipHistory: A .NET application written in C# that can be used to read the contents of a user’s clipboard history in Windows 10 starting from the 1809 Build

Misc. pentest & bug bounty resources




Bug bounty / Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/03/2019 to 05/10/2019.

Subscribe to the newsletter here!Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.Curated by Pentester Land & Sponsored by Intigriti

You may also like