Bug Bytes #211 – Hacking Casinos, Microsoft’s Key Mishap, Read the Docs and ImageMagick Strikes Again
By travisintigriti
September 13, 2023
Last updated on April 4, 2025
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 5th to September 10th
Intigriti News
We’ve got 2 spare tickets for @nullcon Goa 2023, courtesy of @redbull
Let’s see how we can solve the first JWT “expert” lab, focusing on algorithm confusion
From my notebook
Bug Bounty Stories (EP1): Hacking An Online Casino – Slightly different format of video, but a really interesting look into NahamSec’s process
Results of Major Technical Investigations for Storm-0558 Key Acquisition – Oops from Microsoft
API Security Testing using AI in Postman – Really good guide on using Postman for API hacking, instead of or with Burp
Tricky Unauthenticated RCE on WordPress Media Library Assistant Plugin using a good old Imagick – Oh ImageMagick my old friend what you have you done this time
Episode 35: King of Collaboration: Douglas Day – ArchAngelDDay talks about how he finds bugs, his approach and auth testing
Risky Biz News: Microsoft explains how it lost its signing key
Powerlifting and PowerShell: A Discussion with Jake Hildreth
Risky Business #720 — How cloud identity provider federation features can get you mega-owned
EP137 Next 2023 Special: Conference Recap – AI, Cloud, Security, Magical Hallway Conversations
Beginner
Intermediate
The Hidden SQL Injection Techniques That Google Doesn’t Want You To Know
CVE-2023-38831 – WinRAR Zero-Day Vulnerability manually Exploit
A Comprehensive approach for testing for SQL Injection Vulnerabilities
Understanding SSTI and Building Payloads in Jinja2 Introduction
For Newbies: Simple Examples of LDAP Injection Vulnerabilities
Advanced
Security Research
Spoof iOS devices with Bluetooth pairing messages using Android
BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
Nagios Plugins: Hacking Monitored Servers with check_by_ssh and Argument Injection: CVE-2023-37154
Paranoids Vulnerability Research: Ivanti Issues Security Alert
Boot Unguarded: x86 Trust Anchor Downfalls to The Leaked OEM Internal Tools and Signing Keys
A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client
Apache Superset Part II: RCE, Credential Harvesting and More
eBPF Offensive Capabilities – Get Ready for Next-gen Malware – Sysdig
Android 14 blocks all modification of system certificates, even as root
Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places
Bugs
A casual hunt of the day : Open Redirect at one of the largest MNCs
Finding Loose Comparison in the wild (Unga Bunga Bugs Part-1)
Information Disclosure exposes The Correct Answers through Debug in Quiz Scoring
How I was able to find an information disclosure on the Google Tag manager
My debut with a Critical Bug: How I found my first bug (API misconfiguration)
The Art of Brute force with Facebook (Oculus) White-Hat Security Team
How I ethically hacked one of the domains of the United Kingdom
CTF challenges
Quick-Lookup-Ptrun – Quick Lookup Plugin For PowerToys Run (Wox)
securisec/chepy: Chepy is a python lib/cli equivalent of the awesome CyberChef tool.
Exploring Narrowlink: Your Swiss Army Knife for Secure Networking
You may also like
April 24, 2026
Intigriti Bug Bytes #235 - April 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Compromising an NPM package with 40M weekly downloads Bypassing Cloudflare WAF for a full ATO 20-part series on exploiting JWT vulnerabilities First Intigriti Bug Bounty Meetup And so much more! Let's dive
March 27, 2026
Intigriti Bug Bytes #234 - March 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Earning $180K via SSRFs Free Burp Suite Pro licenses for top hackers Bypassing tricky file upload restrictions Injecting malicious code into AI coding assistants And so much more! Let’s dive in! We've team
February 20, 2026
Intigriti Bug Bytes #233 - February 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE Race condition in blockchain infrastructure worth billions Finding over 500 high-severity vul