Bug Bytes #187 – NahamCon, IWCon, Hacking Misconceptions, Scaling Recon and Jason’s Pentest
By travisintigriti
December 28, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from December 12th until December 25th.
Intigriti News
From my notebook
NahamCon EU 2022: A Free Virtual Offensive Security Conference – NahamCon’s first regional conference, focusing on the EU/India timezones and hosted by InsiderPhD and Farah Hawa. Tons of great talks but here are the 3 available at the moment!
IWCon 2022 – IWCon was just the week after and again a fantastic conference, no videos yet but some speakers have shared their slides!
I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS. When is copy-paste payloads not self-XSS? – Technically this was a talk at NahamCon so this is kinda a 2-for-1 but this write up by SpaceRacoon looks at event listeners and stored XSS
CVE-2022-42710: A journey through XXE to Stored-XSS – Follow Omar as they find CVE-2022-42710
Hacker Gift Giving ideas by insiderPhD – I put together some threads if anyone is looking for last minute gifts for their hacker friends, I’ve summarised it in 3 categories, IRL stuff you can wrap, virtual gifts and books
Other Amazing Things
Ethical Hacking in 15 Hours – 2023 Edition – Learn to Hack! (Part 2)
HackTheBox Certified Penetration Testing Specialist (CPTS) – Review.
How I connect my automation to a database! (Automation Series)
How I scale my containerized bug bounty automation! (Automation Series)
Bug Bounty – Hackerone Hacktivity / Bug Bounty Platforms / How to find more Bug Bounty Programs
Write-up: SQL injection with filter bypass via XML encoding @ PortSwigger Academy
Portswigger Lab: JWT authentication bypass via algorithm confusion with no exposed key
How To Exploit File Inclusion Vulnerabilities: A Beginner’s Introduction. — StackZero
How to Informe an Organization about a Security Vulnerability
How Capabilities actually Work ? | Exploitation | Privilege Escalation
Katana Framework: How To Use It To Scan And Mass Collect Website Data
Bypass Apple’s redirection process with the dot (“.”) character
IDOR allows updating user profiles, leading to full account takeover. | Part 02
Doing it the researcher’s way: How I Managed to Get SSTI (Server Side Template Injection)
Privilege escalation leads to deleting other user’s account and company Workspace [Access Control]
Bypass Admin Panel Using Google & fetch all Users Data [Data Breach]
Simple CORS misconfig leads to disclose the sensitive token worth of $$$
How I was able to steal users credentials via Swagger UI DOM-XSS
[GraphQL IDOR]Leaking credit card information of 1000s of users
In this article, I’ll tell you how I got a 4 digits(₹) bounty from an Indian company.
0 click Account Takeover and Two-Factor Authentication Bypass
How these IDOR vulnerability earned 5000$ | Hackerone Reddit Bug Bounty
CRLF Injection — xxx$ — How was it possible for me to earn a bounty with the Cloudflare WAF?
S3Crets_Scanner – Hunting For Secrets Uploaded To Public S3 Buckets
10 Practical Recon & vulnerability Scanners for bug hunters (part two)
Advent of Cyber 2022: Day 15 Santa is looking for a Sidekick
Advent of Cyber 2022: Day 16 SQLi’s the king, the carolers sing
Advent of Cyber 2022: Day 17 Filtering for Order Amidst Chaos
Do You Need Attack Surface Reduction? (Advent of Cyber Day 22 2022)
Start Hacking with the HEARTBLEED vulnerability: NahamCon CTF
HackTheBox UniCTF 2022 Talk – Variable is what you make of It
You may also like
November 21, 2025
Intigriti Bug Bytes #230 - November 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Finding an RCE using AI in GitHub CORS exploitation cheat sheet Scanning codebases with AI Bypassing paywalls SSTIs in AI models And so much more! Let’s dive in! We are thrilled to announce that Inti
October 31, 2025
Intigriti Bug Bytes #229 - October 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Cool trick to find disclosed secrets in internal web extensions A repository full of WAF bypasses Hacking Intercom misconfigurations Wayback Machine for hackers And so much more! Let’s dive in! October’s
September 12, 2025
Intigriti Bug Bytes #228 - September 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: A common (yet unknown) SSRF attack vector in Next.js Middleware Exploiting PDF processors by generating and uploading malicious PDF payload files A full reconnaissance breakdown on how to approach any target