Why ‘HTTP/1.1 must die’, Intel exploits, C# Random hack with no maths – ethical hacker news roundup

October 3, 2025

Viking funeral for the HTTP/1.1 protocol

“Exploiting random number generators requires math, right? Thanks to C#’s Random, that is not necessarily the case!” So begins Dennis Goodlett’s ‘Trivial C# Random Exploitation’ writeup, which started with an HTTP 2.0 web service issuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output and finished with a critical account takeover. He also managed to achieve his exploit in a black-box scenario with no source code access and using neither mathematical analysis nor custom scripting. The article concludes with a bonus section on optimising and inverting Random. “Wow”. 🔑

In ‘Intel Outside: Hacking every Intel employee and various internal websites’, Eaton Z recounted four ways to “download the details of every Intel employee”, including a corporate-login bypass for an internal business-card ordering website. The vulnerabilities have now been fixed, he said. The r/netsec community was impressed with Eaton’s exploits, although some expressed surprise that a bounty was not forthcoming. 💻

HTTP/1.1, be gone!

“In practical terms, it's nigh on impossible to consistently and reliably determine the boundaries between HTTP/1.1 requests, especially when implemented across the chains of interconnected systems that comprise modern web architectures,” wrote PortSwigger’s Andrzej Matykiewicz in summarising claims made by James Kettle in his latest groundbreaking DEF CON talk and writeup, HTTP/1.1 must die: the desync endgame. The ramifications are clear to PortSwigger: HTTP/1.1 must be eradicated. It must exist no more. It must cease to be, expire and go to meet its maker! In the meantime, Bug Bounty hunters should ‘make hay while the sun shines’ with the help of actionable payloads, confirmed exploit paths, and methodology that works against live targets, courtesy of James. 🌐

It’s been a busy couple of months for PortSwigger’s stable of talented researchers, with writeups including Inline Style Exfiltration: leaking data with chained CSS conditionals by Gareth Heyes; Cookie Chaos: How to bypass __Host and __Secure cookie prefixes by Zakhar Fedotkin; and Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling by James Kettle. 🔥

Bad news for good faith bug reporting?

A US court ruling could have a chilling effect on responsible vulnerability disclosure, according to Jerry Archer, co-founder of the Cloud Security Alliance. Archer was referring to how the conviction of former Uber CISO Joe Sullivan was upheld by an appeals court in March, on charges relating to an attempted data-breach cover-up. Sullivan and his team had made the hackers responsible for the breach sign a non-disclosure agreement and paid them what they characterised as Bug Bounty payments. “The ruling takes power away from private organizations to manage their own computer systems by interpreting the federal Computer Fraud and Abuse Act (CFAA) to prohibit them from retroactively authorizing access to their systems,” wrote Archer in Infosecurity Magazine. He therefore envisaged that good-faith reporting of vulnerabilities might be delayed (as time-to-exploitation only shrinks) by efforts to obtain pre-authorisation – or deterred altogether by the threat of prosecution. 🧑‍⚖️

A recent US court ruling has potentially adverse ramifications for responsible disclosure

Want to earn your first bug bounty faster? Amr Elsagaei aka AmrSec has put together a clear roadmap that shows what to learn and in what order, plus the best tools and practice resources (which just so happens to include Dojo). Whether you’re just starting out or want to structure your learning path, this guide will save you time and keep you focused. 💰

Before we move on to new content and hunting opportunities from YesWeHack, let’s round up the rest of the notable writeups we’ve spotted since the last edition in a microscope-pointed list:

🔬New DOM clobbering technique: blocking property assignments – Mizu (one of our registered and active hunters!)

🔬One token to rule them all - obtaining global admin in every Entra ID tenant via actor tokens – Dirk-jan Mollema

🔬Copilot broke your audit log, but Microsoft won’t tell you – Zack Korman

🔬Hosting a website on a disposable vape – Bogdan Ionescu

🔬DOM-based extension clickjacking: Your password manager data at risk – Marek Tóth

🔬Using AI agents for code auditing: full walkthrough on finding security bugs in a Rust REST server with Hound – Bernhard Mueller

🔬You already have our personal data, take our phone calls too (FreePBX CVE-2025-57819) – Sonny & Piotr Bazydlo, Watchtowr Labs

🔬LG WebOS TV path traversal, authentication bypass and full device takeover – SSD Secure Disclosure technical team

🔬How we exploited CodeRabbit: from a simple PR to RCE and write access on 1m repositories – Nils Amiet, Kudelski Security

🔬XSS-leak: leaking cross-origin redirects – Salvatore Abello

Why rabhi rules our leaderboard

The YesWeHack leaderboard has been dominated by one hunter in particular since 2019. 🏆 So there could hardly be a better source of hacking advice than rabhi. Naturally, then, we asked him for an interview, and he kindly obliged… 🚀 Read our latest hunter Q&A to learn the secrets of rabhi’s years-long and ongoing success and some invaluable tips for aspiring and up-and-coming hunters. 🧠

Rabhi, YesWeHack’s all-time most successful Bug Bounty hunter

When we published the last edition Rabhi was in an unfamiliar position on the quarterly leaderboard – second place – but he finished Q3 back in his customary position. However, the gap was a mere 55 points, so kudos to the impressive Italian Drak3hft7 (all-time #6) for running rabhi close. Philippines-based Xavoppa came third (all-time #33), Swiss hunter Xel fourth (all-time #2) and Supr4s (based in France). The podium for 2025 as a whole reads: #1 rabhi, #2 Xel, #3 Xavoppa. 🔥 It’s early days for Q4, but the podium positions are currently occupied by: rabhi (#1), bytehx (#2), SecurityReapers (#3). 🏆

Q3 YesWeHack leaderboard rankings

We’ve published a Q&A to accompany our video interview with Adrián Pedrazzoli aka ‘lemonoftroy’. As well as reflecting on his best bug discovery, the Argentine hunter revisited the moment that sparked his interest in hacking and discussed his methodology in an interview filmed at Ekoparty, Buenos Aires. 🐞

Highlights from our most recent live hacking event, by the way, have now landed on YouTube. The scopes in Berlin were provided by TeamViewer, whose remote access/control software has been installed on more than 2.5 billion devices worldwide. If that has piqued your interest in TeamViewer targets, you might want to check out the company’s public Bug Bounty Program, or read our interview with the company's senior project manager for security. 💎

Fresh Bug Bounty opportunities

New target alert! ProConnect, an online authentication application that uses the OIDC protocol, is the latest public Bug Bounty Program launched by DINUM, which oversees digital transformation within the French state. Max €5,000 rewards for critical findings. 💰

🔐 Enjoy hacking IoT? Are you a hardware hacker? Smart home vendor Ezviz has temporarily boosted (until 15 November) rewards up to $5,000 for all scopes, which include Wi-Fi security cameras, video doorbells, and even robot vacuums. 📟

New public Bug Bounty program with ProConnect in scope from DINUM

Congratulations to… ourselves!

We’re delighted to reveal that we are the European Commission’s new preferred provider of bug bounty services under a cascade model. The European Union’s main executive branch has run bug bounty programs to harden open source assets used across EU servers and systems since 2019. A new tender was launched this year to relaunch an expanded initiative. Having outscored rival platforms, YesWeHack has signed a four-year framework contract potentially worth up to €7,679,875 as the most-favoured provider of bug bounty services. 🇪🇺

The European Commission and YesWeHack have signed a contract over the provision of bug bounty services

📢Another milestone for YesWeHack: we’ve been authorised as a CVE Numbering Authority (CNA) by the CVE Program! 🎉 This of course means that YesWeHack can now assign CVE IDs to vulnerabilities and publish related information in the corresponding CVE Record. 🔎

Continuing our immodest boasting about our own achievements, we’ve just acquired ‘High performer’ and ‘Users love us’ badges on G2. 💖 Our average review rating remains super-high at 4.8/5. ⭐

Ultimate guides to SQLi, CSRF, race conditions, hacking Android

We’ve launched a ‘Vulnerability Vectors’ series that explains how to uncover, exploit and mitigate various common bug types, featuring hands-on walk-throughs of common hacking techniques. The first three instalments are:

💉 SQL injection

💻 CSRF

🏎️ Race conditions

Want to hack mobile applications? We’ve also published the ultimate guide to building an Android Bug Bounty lab with emulators, real devices and proxies. This super-deep dive explains the pros, cons and use cases for Genymotion, Android emulator, Magisk, Burp, Frida and Medusa. 📱

Dojo revamp

So much to catch up on with our Bug Bounty and CTF training platform, Dojo – not least a vibrant visual refresh. 🤩

CTF training platform Dojo has been revamped by YesWeHack

The currently active monthly challenge, Chainfection, is open for submissions until 26 October, and invites hunters to “upload your files, share them with the world, and enjoy unlimited safe cloud storage directly from your favourite browser. Free antivirus scans that run on good vibes. What could possibly go wrong?” 📂

Since our last edition, we’ve published winners-plus-best-writeup for #43, ‘CCTV Manager’ and #44, ‘Hardware Monitor’. The former challenge was also solved in Talkie Pwni #8, in which our in-house hunter Pwni showed how a weak token generation mechanism in Python could be abused to predict authentication tokens, and leveraged unsafe YAML deserialization to achieve remote code execution (RCE). 🪪

Argentinian hacker and popular YouTuber El Mago of Hacking Nights also discussed Dojo challenges in a trio of his videos (in Spanish) that we cross-posted on our own YouTube channel – specifically exploring Dojo overall, a walk-through of challenge #42, ‘Hex Color Palette’ and a live recon on ATG’s public Bug Bounty program. 🎥

🤘Hang with YesWeHack and bag some swag

Well done for getting this far... Just one final section: upcoming conferences we’re participating in (or helping to organise in the case of the first item).

📍 SPIRITCYBER 2025 IoT Hackathon – Singapore, four-week qualifying round: 15 September-15 October (online) | Live finals: 22-23 October (Singapore) | registration open for anyone who wants to participate

📍 it-sa Expo&Congress – Nuremberg, Germany | 7 - 9 October | booth 7-446

📍 Les Assises de la cybersécurité – Monaco | 8-11 October | booth KO5

📍 INDOSEC – Jakarta, Indonesia | 13-14 October | booth E8

📍 Cyber Security Nordic – Helsinki, Finland | 4-5 November | booth G12

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.