Bug Bytes #201 – Path Traversal, Prompt Injection, and GitHub Actions
By travisintigriti
May 23, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 15th to May 21st
Intigriti News
From my notebook
Exposing iCloud user’s Name, phone numbers, and email addresses
the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond : pi3 blog
From GitHub to Account Takeover: Misconfigured Actions Place GCP & AWS Accounts at Risk – Rezonate
Here’s a quick look at a path to becoming a webapp pentester! (shorts)
Information Gathering(Part-2) || Penetration Testing Boot camp
Getting Started with GeoGuessr and OSINT | UMDCTF 2023 (OSINT)
Beginner
Intermediate
Unveiling Smart Contract Vulnerabilities: Challenges and Best Practices for Bug Bounty Hunters
Insecure Deserialization: Unraveling the Hidden Vulnerabilities
Digging Deeper: Unearthing Business Logic Vulnerabilities in Advanced Web Applications
Lateral Movement : Navigating the Intricate Web of Network Protection
Automating Adversary Emulation for my Lab Using MITRE Caldera
Advanced
How I Built My 4th Level Deeper Subdomain Enumeration VAPT Automation Script Tool
Advanced Bug Bounty Reporting: Mastering the Art of Persuasive Details
Combining Python + ChatGPT + Payload Processor (burp) for brute forcing OTP
From Theory to Reality: Explaining the Best Prompt Injection Proof of Concept
Security Research
Bugs
Stored Iframe Injection & Permanent Open Redirection – Zero Day
How improper OTP implementation could lead to Account Take Over (Part 2)
Reflected Cross-Site Scripting Vulnerability in Ellucian Ethos Identity CAS Logout Page
How ChatGPT exposes conversations from other users without being considered a vulnerability
Behind the Scenes: Discovering an OTP Leakage Bug in a Leading Broadband Service’s Website
Uploading the Webshell using filename of Content-Disposition Header Story!
CTF challenges
TryHackMe — Steel Mountain Simple Writeup by Karthikeyan Nagaraj | Mr. Robot | 2023
Network Services — Enumerating and Exploiting variety of network services and misconfiguration & Network Services 2 — Enumerating and Exploiting More Common Network Services & Misconfigurations
Crack the Code: A Guide to Defend the Web CTF Crypt Challenges 1–5
OverTheWire Bandit: Solving Level 4 — Dealing with Hidden Directories
How to Pass the APIsec University — API Penetration Testing Certificate
C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves
Bypass-403 – A Simple Script Just Made For Self Use For Bypassing 403
nuclei-burp-plugin – A Burp Suite plugin intended to help with Nuclei template generation
Nginxpwner – Simple tool to look for common Nginx misconfigurations and vulnerabilities
SubDomainizer – A tool to find subdomains and interesting things hidden inside.
How to use Amass to find ASNs and CIDRs and then enumerate subdomains with them!
Extract all URL endpoints from an application and dump them to the command-line with hakrawler
You may also like
November 21, 2025
Intigriti Bug Bytes #230 - November 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Finding an RCE using AI in GitHub CORS exploitation cheat sheet Scanning codebases with AI Bypassing paywalls SSTIs in AI models And so much more! Let’s dive in! We are thrilled to announce that Inti
October 31, 2025
Intigriti Bug Bytes #229 - October 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Cool trick to find disclosed secrets in internal web extensions A repository full of WAF bypasses Hacking Intercom misconfigurations Wayback Machine for hackers And so much more! Let’s dive in! October’s
September 12, 2025
Intigriti Bug Bytes #228 - September 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: A common (yet unknown) SSRF attack vector in Next.js Middleware Exploiting PDF processors by generating and uploading malicious PDF payload files A full reconnaissance breakdown on how to approach any target