Intigriti Bug Bytes #221 - February 2025
This post covers February's bug-hunting tips, tool recommendations, community events and competition details. It includes SSRF vulnerabilities in PDF generators, the hidden-parameter detection tool DOM Invader, 2FA bypass methods and more, and previews events such as BSides Galway and BSides Limburg. It also invites readers to take part in a spot-the-bug competition to win prizes, and encourages them to share the newsletter and send in suggestions. 2025-02-14 Author: www.intigriti.com

Hey hackers,

Each month, we round up insights, platform updates, new programs, upcoming community events and more to help you master your hacking skills.

Check out February’s edit below:

We’ve landed on BlueSky, follow us to access the latest programme updates, challenges, blogs, event news, hacking tips and more!

Can you spot where the developer made a mistake? 🔍

Comment on this post for a chance to win an Intigriti hoodie. Competition closes on 17th February. The winner will be selected and contacted on 18th February – best of luck 👀

Blogs and Videos

Exploiting PDF file generators for bug bounty hunters!


PDF file generators are used by several of your targets, but do you also test for these vulnerability types commonly present in PDF generators?

  • Do you know how to generate a custom wordlist to find untouched assets, files and directories? Explore our latest article to learn more! 

  • Are you aware of these 7 reconnaissance techniques that most bug bounty hunters don’t try? 

  • Open URL redirect vulnerabilities don't have to be reported as low-severity bugs. Read our article on exploiting and escalating open URL redirect vulnerabilities! 

  • Hidden parameters are often untested and can lead to vulnerabilities. Are you aware of this trick in Burp Suite to reveal hidden parameters in your browser?  

Tools

DOM Invader

Check out DOM Invader, a web extension that simplifies identifying and exploiting DOM-based vulnerabilities!

  • Azure DevOps Services is a CI/CD platform often used by enterprise targets. Check for Azure DevOps instances to enhance your initial findings! 

  • Explore @black2fan’s research on content types that can lead to several vulnerabilities such as CSRF & XSS! 

  • Monitoring JavaScript files can help you stay on top of the latest changes to your target! Jsmon by @robre is a tool to help monitor your target’s JavaScript files! 

  • Check out CeWL by @digininja, a quick tool that crawls your target and tokenizes responses to help you generate custom wordlists!

Resources

Top 10 web hacking techniques of 2024


The top 10 web hacking techniques of 2024 by PortSwigger Research are now available!

  • @zhero___ writes about how he discovered cache poisoning vulnerabilities in Next.js, a widely used React framework, and got CVE-2024-46982 assigned! 

  • @travisgoodspeed documents how he discovered a remote code execution vulnerability in a... Yamaha piano! 

  • Have you just started your bug bounty journey? Check out @zseano’s methodology, a perfect guide for beginners to help find their first bug! 

  • 2FA vulnerabilities are often considered impactful! Here’s a checklist to help you bypass insecure two-factor authentication implementations! 

  • BSides Galway, 22nd February, 08:30 – 18:00 (local time). Swing by our booth, meet Mike from the Intigriti team and grab some swag 😎

  • BSides Limburg, 14th March 2025, 09:00 – 16:00 (local time). Our founder, Stijn is the keynote speaker! Head here for tickets and more information on Stijn's talk.

Preview further events we will be attending this year here 👀

We wrapped up January with our annual kick-off, bringing the entire team together in one place with three key objectives: reflect, inspire and connect. 

Over two days, we explored our 2025 strategy and celebrated new company values to ensure we continue to build a world class bug bounty platform. 

After looking to the future, we had to bring some balance by sliding (and tumbling) down the slopes... 🫠 

After recovering from the hype of the kick-off event, we’re energized, inspired and ready to hit the ground running for the year ahead! 

Watch the kick-off event highlights video here 📺 

Please be encouraged to share our newsletter with fellow ethical hackers.

If you have feedback or suggestions to help us build and grow, we want to hear from you! Pop a note over to [email protected] and we’ll take it from there!

Wishing you a bountiful month ahead, 

Keep on rocking!


Source: https://www.intigriti.com/researchers/blog/bug-bytes/intigriti-bug-bytes-221-february-2025