Bug Bytes #212 – XSS Payloads, IDOR prediction and Cloud Security
By travisintigriti
September 27, 2023
Last updated on April 4, 2025
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 18th to September 24th
Intigriti News
From my notebook
How is cloud pentesting different to config review? (shorts)
Michael Taggart’s Journey in Education and Information Security
GCP Service Account explained! (shorts)
Authentication Vulnerabilities – Lab #10 Offline password cracking | Short Version
How to Stop an Army of 14 Million Zombie Computers🎙Darknet Diaries Ep. 94: Mariposa Botnet
Cloud Pentesting: AWS vs GCP (shorts)
Directory Traversal / File Read Into Zip with Python [HackTheBox Snoopy]
How “Mimikatz” works (shorts)
Tesla insiders leaked tons of data! #shorts #cybersecurity #infosec (shorts)
UK changing laws to stop security patches to software to make spying easier! #cybersecurity #privacy(shorts)
Start doing cloud pentesting in GCP? (shorts)
Do not forget about this attack scenario #bugbounty #bugbountytips #bugbountyhunter (shorts)
Beginner
Intermediate
Advanced
Security Research
Exploit Analysis: Request-Baskets v1.2.1 Server-side Request Forgery (SSRF)
CVE-2023–39612: CSP bypasss + XSS to achieve Admin Account Takeover + Remote Command Execution
Critical DICOM Server Misconfigurations Lead to Exposure of 1.6M Medical Records
The indomitable maintainer spirit versus the indifferent cruelty of JavaScript
Wind River VxWorks tarExtract directory traversal vulnerability
Bugs
Reverse Search IDOR approach to Exposure of all Organizational Sensitive Information.
Discovering 7 Open Redirect Bypasses and 3 XSS Bypasses Within a Single Program
Cross-site Scripting (XSS) On Small Crm Portal CVE-2023–43331
How I Earned My Place Among Ferrari’s Elite-16 in the Hall of Fame
Uncovering a Critical Vulnerability in Samsung Mobile Security: A Bug Bounty Journey
My debut with a Critical Bug: How I found my first bug (API misconfiguration)
My $1000 Bounty Bug: How I Stopped Companies from Losing Money with an IDOR Flaw
Discovering PII with Google Dorking: My Journey of Finding Vulnerabilities in Government Website
Unlocking Premium CV Features: My Journey to Downloading CVs for Free
How I Got 4 SQLI Vulnerabilities At One Target Manually Using The Repeater Tab
One click Account Takeover & IDOR leaks all user information
API Information Disclosure Leading to Admin Account Takeover
Privilege Escalation: How I Earned $500 by Discovering the Ability to Delete Documents as a Student
Bypassing ML based phishing and spam detection using evasion
CTF challenges
Haylxon: Take screenshots of urls/websites from terminal new release 🦊
Automating Reconnaissance with Sling Shot R3con — powered by project Discovery tools
HTMLSmuggler – HTML Smuggling Generator And Obfuscator For Your Red Team Operations
SMShell – Send Commands And Receive Responses Over SMS From Mobile Broadband Capable Computers
Surf – Escalate Your SSRF Vulnerabilities On Modern Cloud Environments
You may also like
April 24, 2026
Intigriti Bug Bytes #235 - April 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Compromising an NPM package with 40M weekly downloads Bypassing Cloudflare WAF for a full ATO 20-part series on exploiting JWT vulnerabilities First Intigriti Bug Bounty Meetup And so much more! Let's dive
March 27, 2026
Intigriti Bug Bytes #234 - March 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Earning $180K via SSRFs Free Burp Suite Pro licenses for top hackers Bypassing tricky file upload restrictions Injecting malicious code into AI coding assistants And so much more! Let’s dive in! We've team
February 20, 2026
Intigriti Bug Bytes #233 - February 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE Race condition in blockchain infrastructure worth billions Finding over 500 high-severity vul