Bug Bytes #191 – Heaps of Bugs
By travisintigriti
January 25, 2023
Last updated on March 6, 2025
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from January 16th to January 22nd
Intigriti News
From my notebook
Chopin’s Series on heap exploitation and memory
The toddler’s introduction to Heap exploitation — Overflows(Part 3)
The toddler’s introduction to Heap exploitation, Use After Free & Double free (Part 4)
The toddler’s introduction to Heap Exploitation, FastBin Dup Consolidate (Part 4.2)
The toddler’s introduction to Heap Exploitation, Unsafe Unlink(Part 4.3)
The toddler’s introduction to Heap Exploitation, House of Spirit(Part 4.4)
The toddler’s introduction to Heap Exploitation, House of Lore(Part 4.5)
Microsoft bug reports lead to ranking on Microsoft MSRC Quarterly Leaderboard (Q3 2022)
Other Amazing Things
The Billion Dollar Vulnerability Forcing a Major Fork On The Ethere…
LevelUpX – Series 14: Finding and Exploiting Hidden Functionality
179 – Client-Side Path Traversal and Hiding Your Entitlement(s)
Risky Biz News: Google Search and Ads have a major malware problem
Srsly Risky Biz: LockBit ripe for disruption, Russians throw kitchen sink at Ukraine
found a pre-auth xss 0day today that affects over 5M hosts on the internet lol
True greatness lies not in the attainment of knowledge, but in the eternal pursuit of it.
Firestore Security Testing Guide — Go Beyond *.firebaseio.com/.json
Setting up Playwright & VSCode for hacking headless browsers
Software Development Lifecycle (SDLC), DevSecOps, SAST, DAST And IAST Concepts
How I found 130+ Sub-domain Takeover vulnerabilities using Nuclei
Another major flaw this time in the TransUnion that allows bypassing security by Jenya Kushnir
DOMAIN ADMIN Compromise in 3 HOURS | by Ignatius Michael | bug bounty
From Error_Log File(P4) To Company Account Takeover(P1) and Unauthorized Actions On API
How I passed the AWS security specialty certification in 2023
How I identified and reported vulnerabilities in Oracle and the rewards of responsible…
How I found 40+ Directory Listing Vulnerabilities of Source Code Disclosure via Exposed WordPress
How I was able to hack into anyone’s account on an Institute Portal
Exploitation of CVE-2022–21500: Oracle E-Business Login Panel
Reflected XSS Leads to 3,000$ Bug Bounty Rewards from Microsoft Forms
How i was able to get critical bug on google by get full access on [Google Cloud BI Hackathon]
PimpMyBurp #7: How HaE Burp Suite extension can help you in your daily hunting session
Weaponised XSS Payloads – XSS payloads designed to turn alert(1) into P1.
CyberChef – A web app for encryption, encoding, compression and data analysis.
MagicRecon – A powerful shell script to maximize the recon and data collection process.
LeakLooker-X – Discover, browse and monitor database/source code leaks.
Creating your own tools to hunt bugs, a power often neglected
The best way to succeed in bounties and research is knowing the tech
You may also like
May 30, 2026
Intigriti Bug Bytes #236 - May 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Earning $148K via RCE in Google Cloud How public Google API keys became Gemini credentials Our first official Burp Suite extension Two new bypasses for Chrome's Sanitizer API One-click account takeover from a
April 24, 2026
Intigriti Bug Bytes #235 - April 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Compromising an NPM package with 40M weekly downloads Bypassing Cloudflare WAF for a full ATO 20-part series on exploiting JWT vulnerabilities First Intigriti Bug Bounty Meetup And so much more! Let's dive
March 27, 2026
Intigriti Bug Bytes #234 - March 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Earning $180K via SSRFs Free Burp Suite Pro licenses for top hackers Bypassing tricky file upload restrictions Injecting malicious code into AI coding assistants And so much more! Let’s dive in! We've team