Bug Bytes #211 – Hacking Casinos, Microsoft’s Key Mishap, Read the Docs and ImageMagick Strikes Again
By travisintigriti
September 13, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 5th to September 10th
Intigriti News
We’ve got 2 spare tickets for @nullcon Goa 2023, courtesy of @redbull
Let’s see how we can solve the first JWT “expert” lab, focusing on algorithm confusion
From my notebook
Bug Bounty Stories (EP1): Hacking An Online Casino – Slightly different format of video, but a really interesting look into NahamSec’s process
Results of Major Technical Investigations for Storm-0558 Key Acquisition – Oops from Microsoft
API Security Testing using AI in Postman – Really good guide on using Postman for API hacking, instead of or with Burp
Tricky Unauthenticated RCE on WordPress Media Library Assistant Plugin using a good old Imagick – Oh ImageMagick, my old friend, what have you done this time
Episode 35: King of Collaboration: Douglas Day – ArchAngelDDay talks about how he finds bugs, his approach and auth testing
Risky Biz News: Microsoft explains how it lost its signing key
Powerlifting and PowerShell: A Discussion with Jake Hildreth
Risky Business #720 — How cloud identity provider federation features can get you mega-owned
EP137 Next 2023 Special: Conference Recap – AI, Cloud, Security, Magical Hallway Conversations
Beginner
Intermediate
The Hidden SQL Injection Techniques That Google Doesn’t Want You To Know
CVE-2023-38831 – WinRAR Zero-Day Vulnerability manually Exploit
A Comprehensive approach for testing for SQL Injection Vulnerabilities
Understanding SSTI and Building Payloads in Jinja2 Introduction
For Newbies: Simple Examples of LDAP Injection Vulnerabilities
Advanced
Security Research
Spoof iOS devices with Bluetooth pairing messages using Android
BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
Nagios Plugins: Hacking Monitored Servers with check_by_ssh and Argument Injection: CVE-2023-37154
Paranoids Vulnerability Research: Ivanti Issues Security Alert
Boot Unguarded: x86 Trust Anchor Downfalls to The Leaked OEM Internal Tools and Signing Keys
A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client
Apache Superset Part II: RCE, Credential Harvesting and More
eBPF Offensive Capabilities – Get Ready for Next-gen Malware – Sysdig
Android 14 blocks all modification of system certificates, even as root
Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places
Bugs
A casual hunt of the day: Open Redirect at one of the largest MNCs
Finding Loose Comparison in the wild (Unga Bunga Bugs Part-1)
Information Disclosure exposes The Correct Answers through Debug in Quiz Scoring
How I was able to find an information disclosure on the Google Tag manager
My debut with a Critical Bug: How I found my first bug (API misconfiguration)
The Art of Brute force with Facebook (Oculus) White-Hat Security Team
How I ethically hacked one of the domains of the United Kingdom
CTF challenges
Quick-Lookup-Ptrun – Quick Lookup Plugin For PowerToys Run (Wox)
securisec/chepy: Chepy is a python lib/cli equivalent of the awesome CyberChef tool.
Exploring Narrowlink: Your Swiss Army Knife for Secure Networking