Bug Bytes #212 – XSS Payloads, IDOR prediction and Cloud Security
By travisintigriti
September 27, 2023
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 18th to September 24th
Intigriti News
From my notebook
How is cloud pentesting different to config review? (shorts)
Michael Taggart’s Journey in Education and Information Security
GCP Service Account explained! (shorts)
Authentication Vulnerabilities – Lab #10 Offline password cracking | Short Version
How to Stop an Army of 14 Million Zombie Computers🎙Darknet Diaries Ep. 94: Mariposa Botnet
Cloud Pentesting: AWS vs GCP (shorts)
Directory Traversal / File Read Into Zip with Python [HackTheBox Snoopy]
How “Mimikatz” works (shorts)
Tesla insiders leaked tons of data! #shorts #cybersecurity #infosec (shorts)
UK changing laws to stop security patches to software to make spying easier! #cybersecurity #privacy(shorts)
Start doing cloud pentesting in GCP? (shorts)
Do not forget about this attack scenario #bugbounty #bugbountytips #bugbountyhunter (shorts)
Beginner
Intermediate
Advanced
Security Research
Exploit Analysis: Request-Baskets v1.2.1 Server-side Request Forgery (SSRF)
CVE-2023–39612: CSP bypasss + XSS to achieve Admin Account Takeover + Remote Command Execution
Critical DICOM Server Misconfigurations Lead to Exposure of 1.6M Medical Records
The indomitable maintainer spirit versus the indifferent cruelty of JavaScript
Wind River VxWorks tarExtract directory traversal vulnerability
Bugs
Reverse Search IDOR approach to Exposure of all Organizational Sensitive Information.
Discovering 7 Open Redirect Bypasses and 3 XSS Bypasses Within a Single Program
Cross-site Scripting (XSS) On Small Crm Portal CVE-2023–43331
How I Earned My Place Among Ferrari’s Elite-16 in the Hall of Fame
Uncovering a Critical Vulnerability in Samsung Mobile Security: A Bug Bounty Journey
My debut with a Critical Bug: How I found my first bug (API misconfiguration)
My $1000 Bounty Bug: How I Stopped Companies from Losing Money with an IDOR Flaw
Discovering PII with Google Dorking: My Journey of Finding Vulnerabilities in Government Website
Unlocking Premium CV Features: My Journey to Downloading CVs for Free
How I Got 4 SQLI Vulnerabilities At One Target Manually Using The Repeater Tab
One click Account Takeover & IDOR leaks all user information
API Information Disclosure Leading to Admin Account Takeover
Privilege Escalation: How I Earned $500 by Discovering the Ability to Delete Documents as a Student
Bypassing ML based phishing and spam detection using evasion
CTF challenges
Haylxon: Take screenshots of urls/websites from terminal new release 🦊
Automating Reconnaissance with Sling Shot R3con — powered by project Discovery tools
HTMLSmuggler – HTML Smuggling Generator And Obfuscator For Your Red Team Operations
SMShell – Send Commands And Receive Responses Over SMS From Mobile Broadband Capable Computers
Surf – Escalate Your SSRF Vulnerabilities On Modern Cloud Environments
You may also like
February 20, 2026
Intigriti Bug Bytes #233 - February 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: How a read-only Kubernetes permission turned into full cluster takeover AI agent autonomously finds a 1-click RCE Race condition in blockchain infrastructure worth billions Finding over 500 high-severity vul
January 16, 2026
Intigriti Bug Bytes #232 - January 2026 🚀
Welcome to the latest edition of Bug Bytes (and the first of 2026)! In this month’s issue, we’ll be featuring: Hijacking official AWS GitHub repositories New anonymous bug bounty forum Finding more IDORs & SSRFs using a unique methodology New JavaScript file scanner to find hidden endpoints
December 18, 2025
Intigriti Bug Bytes #231 - December 2025 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: React2Shell scanner (with WAF bypasses) Identifying server origin IP to bypass popular WAFs CSRF exploitation cheat sheet Finding vulnerabilities in sign-ups And so much more! Let’s dive in! November’s In