Intigriti Bug Bytes #227 - August 2025 🚀

By Intigriti

August 15, 2025

Hi hackers,

Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:

  • Evading WAFs like Cloudflare, Akamai & AWS Cloudfront

  • Creating your complete bug bounty automation system

  • A powerful, targeted backup file scanner

  • Bypassing CSP to achieve XSS via a cool trick with PDF files

And so much more! Let’s dive in!

INTIGRITI 0725 results are in

With only 7 confirmed solves, our latest XSS challenge by @J0R1AN proved to be one of the toughest challenges ever to be featured on Intigriti.

Quick recap:

  • 7 hackers reported the correct flag

  • First blood went to @dr_brix

  • And 3 hackers wrote a nice writeup

INTIGRITI 0725 Challenge

View all write-ups

Blogs & videos

Identifying the server's origin IP

Finding a possible SQL injection point only to be stopped by a WAF can feel daunting... But what if you could bypass this same WAF and still achieve SQLi? In our technical article, we covered multiple ways to identify the origin IP of your target behind CDNs & WAFs.

  • GitHub dorking is mostly overlooked... Yet, it is the place where developers accidentally commit API keys, database credentials, and other secrets (almost every single day). In our detailed article, we’ve documented how you can use GitHub dorking to find more vulnerabilities.

  • Throwback to our previous article: File uploads are everywhere... Sometimes, a simple validation mistake can result in a high-severity finding (such as RCEs). In our technical article, we documented a few cool tricks you could try next time you're testing a file upload feature.

Tools & resources

Tools

Fuzzuli

In need of a quick way to check for accidentally uploaded backup files on your target? Fuzzuli by @musana is a blazing-fast backup file scanner. It also includes features like dynamic wordlist generation for generating more accurate results. Learn more about using targeted wordlists to find more vulnerabilities in our technical article.

  • DOM-based XSS vulnerabilities are one of the most overlooked XSS types. Domloggerpp by @kevin_mizu is a simple web extension to help you trace JavaScript DOM sinks leading to DOM-based vulnerabilities (such as XSS).

  • WAFs (such as Cloudflare, Akamai, and AWS Cloudfront) are tough to bypass. Luckily, we have tools like Hackoriginfinder by @hakluke, a simple tool to help identify the server origin IP behind reverse proxies. If you require a more in-depth view on how to identify the server origin IP behind popular reverse proxies, give our detailed article a read.

Resources

Find more vulnerabilities with favicon hashes

Favicon hashes can help expand your attack surface by finding similar in-scope targets. Check out our recent post where we shared a simple one-liner to calculate the favicon hash and use it in Shodan. Let us know if you found it helpful by following us @INTIGRITI!

  • Looking to level up your bug bounty automation? Rs0n shares in this video his methodology and approach to automating bug bounty hunting.

  • Log4Shell (Log4J) is still present in 2025. While most researchers have moved on, some are still scoring critical bugs with it. In our technical thread, we share how you can identify and exploit Log4Shell in 2025.

  • Bypassing WAFs can be a tricky, time-consuming task. @coffinxp7 shares how to find the server’s origin IP of any target.

  • This researcher scored a nice bounty on Intigriti by submitting a bug in GraphQL. If you want to learn more about hacking GraphQL targets and also start to hunt for critical GraphQL bugs, we’ve prepared a short thread for you with all the resources you need to get started.

  • Blocked by CSP? @xssdoctor shares a cool trick in his thread to bypass CSP using PDF files.

Intigriti at DEF CON

DEF CON 33 was incredible! The energy, the brilliant minds, and the conversations with our community made it unforgettable.

Quick recap:

  • Our Chief Hacker Officer, Inti De Ceukelaire, presented the Magical Hacks show, packed with both mind-blowing hacking and magic tricks.

  • We hosted a Friday morning meet-up with coffee and fresh food to kick off the second day of DEF CON.

  • Our private suite provided a relaxed space for in-depth conversations with our CEO and team throughout the event.

Don't miss our next hacker gathering: follow us on LinkedIn and Twitter/X for upcoming event announcements.

DEF CON 33 - Magical Hacks show by Inti

Feedback & suggestions

Before you click away: Do you have feedback, or would you like your technical content to get featured in the next Bug Bytes issue? We want to hear from you! Feel free to send us an email at support@intigriti.com or DM us on X/Twitter, and we’ll take it from there.

Did you like this Bug Bytes issue? Consider sharing it with your friends and tagging us along on X/Twitter, Instagram, or LinkedIn.

Wishing you a bountiful month ahead,

Keep on rocking!
