Researchers’ Blog

NoSQL injections are relatively easier to exploit than classic SQL injections. However, developers often overlook these vulnerabilities, mainly due to limited awareness. Additionally, false beliefs among software engineers that NoSQL databases inherently resist injection attacks further increase the

Vibe coding is the latest trend sweeping through developer communities. It’s the art of describing a concept, feeding it to an AI, and letting the LLM (Large Language Model) manifest the code based purely on vibes. The quote states, "You fully give in to the vibes, embrace exponentials, and forget t

Hello Hackers 👋 Spring is in the air, and so is the sweet scent of freshly reported bugs. Intigriti’s blooming too—each month, we squad up with elite hackers to drop hot tips, platform news, shiny new programs, and community events you won’t want to miss. Let’s make this bug season one for the boun

Subdomain takeovers are a well-documented security misconfiguration. Despite widespread awareness, developers still frequently forget to remove DNS records pointing to forgotten and unused third-party services, allowing these vulnerabilities to be present even today. In this article, we will learn w

So, you've found a valid security vulnerability in one of your bug bounty programs, now it's time to write the report. Finding the vulnerability was half the story. Writing effective reports is also an essential phase in bug bounty. Clear, well-written, and to-the-point bug bounty reports often get

Hey hackers, Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Product updates New Feature: Gain Deeper Insights into Researcher Activity We're excited to introduce a new way for researc

XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Although they've become seemingly harder to detect and exploit, their impact remains severe, often allowing attackers to read internal files, reach internal-only network

Hey hackers, Each month, we round-up insights, platform updates, new programs, upcoming community events and more to help you master your hacking skills.  Check out February’s edit below: BlueSky We’ve landed on BlueSky, follow us to access the latest programme updates, challenges, blogs, event news

Over half a billion websites are powered by WordPress as of today. Unfortunately, not every instance deserves the same security attention as the other. The chances of coming across a bug bounty target that has a vulnerable instance is quite probable. However, some bug bounty hunters get intimidated

Pentesting-as-a-Service is your next crucial layer of security For businesses dedicated to their security, they’ll know that truly mature infrastructure doesn’t involve just one kind of protection. Vulnerability scanners, firewalls, periodic penetration tests, and bug bounties are all independent la

Everyone understands the importance of custom wordlists in bug bounties, and how they can be deployed in targeted bruteforcing attacks to help discover new hidden endpoints. Custom wordlists can also help reduce the number of requests sent and even prevent unnecessary aggressive scanning of bug boun

PDF generators are commonly implemented in applications. Developers tend to use these components to generate documents based on dynamic data provided from the database for example. Unfortunately, not every developer is also aware of the potential risks that he/she might introduce when integrating th

Open URL redirect vulnerabilities are easy to find as they are quite common in applications. This vulnerability type is also often considered a low-hanging fruit. However, as modern applications get more complex, so do the vulnerabilities. And that also makes it possible to escalate these lower-hang

Reconnaissance is an important phase in bug bounty and in pentesting in general. As every target is unique and as we often do not have access to the code base, we'd need to come up with unique methods to gather useful and accurate data about our target to help us find vulnerabilities. In this articl

Welcome to the first Bug Bytes of 2025! Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Latest Platform Updates Altera, an Intel company, has officially opened its public bug bounty pr

Cross-site scripting (XSS) vulnerabilities are quite common and fun to find. They also carry great impact when chained with other vulnerabilities. But there's another variant of this vulnerability type that's not as easy or common to find as the other XSS types. Especially with the delayed execution

You've with no doubt heard or seen other fellow bug bounty hunters find critical vulnerabilities thanks to JavaScript file enumeration, right? This article is all about the importance of testing and examining JavaScript files for bug bounty hunters. We will guide you on what exactly to look for and

As 2024 comes to a close, we want to take a moment to reflect on an incredible year filled with growth, challenges, and achievements. This year has been a testament to the power of collaboration between our hackers, customers, and the entire Intigriti team.  In January 2024, we returned to our roots

File upload vulnerabilities are fun to find, they are impactful by nature and in some cases even result in remote code execution. Nowadays, most developers are educated on insecure file upload implementations but in practice, it can still happen that a potential vulnerability is introduced. In this

Bug Bytes is finally back! Each month we sit down with experienced bug bounty community members to deliver this new insightful newsletter to help you find more bugs, keep you updated with the latest platform updates and programs on Intigriti and share upcoming community events! If you haven't subscr