Bug Bytes #209 – The only graphQL wordlist you need, ML bug hunting and VDP submissions
By travisintigriti
August 23, 2023
Last updated on April 4, 2025
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from August 14th – August 20th.
Intigriti News
From my notebook
graphql-wordlist – The only graphql wordlists you’ll ever need.
Google Online Security Blog: AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
DEFCON 31
Risky Biz News: PowerShell’s official package repo is a supply chain mess
NO. 394 — Vegas Recap, CISA MS Alert, China/US AI Fight, Deceased Kid AI, Following vs. Leading
EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability
Beginner
Intermediate
Advanced
Security Research
SQL injection in Apache Airflow MySQL provider (CVE-2023-22884) — PoC + exploit
Podman API service listening on TCP can be used from websites
LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab
Third-Party GitHub Actions: Effects of an Opt-Out Permission Model
A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition
Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls
NetModule Router Software Race Condition Leads to Remote Code Execution – Pentest Blog
A phishing attempt on Steam that became a Qrljacking research
emptynebuli/StealthBunny: Gadget IoC removal from HAK5’s BashBunny
Bugs
CTF challenges
Xsubfind3R – A CLI Utility To Find Domain’s Known Subdomains From Curated Passive Online Sources
HackBot – A Simple Cli Chatbot Having Llama2 As Its Backend Chat AI
Redeye – A Tool Intended To Help You Manage Your Data During A Pentest Operation
InfoHound – An OSINT To Extract A Large Amount Of Data Given A Web Domain Name