World Poker Tour and the Curry-Shah collab, in-flight exploits, does maths maketh the hunter? – ethical hacker news roundup

December 11, 2025


“The best thing I've read in months,” is how PortSwigger researcher Gareth Heyes described the latest research from our in-house hunter Alex Brumen, aka Brumens. “Outstanding research,” he added. 🔬 The writeup in question – ‘The minefield between syntaxes: exploiting syntax confusions in the wild’ – details innovative ‘syntax confusion’ techniques exploiting how two or more components can interpret the same input differently due to ambiguous or inconsistent syntax rules. Alex Brumen provides step-by-step guidance, supported by practical examples, on crafting payloads to confuse syntaxes and parsers – enabling filter bypasses and real-world exploitation. This research was originally presented at NahamCon 2025. ⚔️

What happens when you combine the hacking prowess of Sam Curry with that of the similarly estimable Shubs Shah? Well, this auspicious collab produced an impressive vulnerability that potentially exposed the back-office application used for all admin functionality for online poker site ClubWPT Gold, operated by the World Poker Tour. Had it been maliciously exploited, the flaw “could have been used to retrieve drivers’ licenses, passport numbers, IP addresses, transactions, game history, and more”, writes Curry, who praised the ClubWPT Gold team for fixing “everything in just a few hours”. 🔥

Hacking wi-fi in the sky

That’s not the only big-brand hack we have for you this edition. Allow me to present saxrag’s piece on ‘unlocking free WiFi on British Airways’, Ramsay Leung’s tale about ‘bypassing Air Canada's in-flight network restrictions’, and how Pixelmelt reversed Amazon's Kindle web obfuscation “because their app sucked”. ✈️

Eaton Zveare is a reliable source of writeups that score high on brand-name recognition as well as ambitious, sometimes large-scale exploits. It’s been a prolific few weeks for the researcher, with how I hacked over 1,000 car dealerships across the US perhaps garnering the most attention. 🚗 First presented at DEF CON 33, this hack exploited the absence of two elements: an invite token verification on an invite-only, centralised dealer portal, and privilege check in the internal account creation system. Zveare has also dropped writeups on ‘Taking remote control over industrial generators’, Hacking India’s largest automaker: Tata Motors and a zeitgeist-hitting vulnerability in Cracker Barrel. 💥

Leaderboard – the final stretch

Just three weeks to go before 2025 expires and the race for top spot on 2025’s final leaderboard is surely already a ‘done deal’. However, while rabhi looks almost certain to top the rankings for the seventh year in a row, the margin of victory looks likely to be his smallest yet. For that, credit must go to Xel, our all-time #2, who long ago blew past his 2024 points total, and trails the pacesetter by about 2,200 points. Kudos is also due to noam (#2 so far in the Q4 rankings) and drak3hft7 (#3 in Q4) for their dramatic year-on-year improvements, and an impressive debut year for xavoppa, currently in fifth for 2025. 📈


Fresh scopes and bounty boosts

A promising avenue for juicing your own points totals and boosting your bank balance is the 30 scopes of European betting and gaming operator FDJ United, which has just increased rewards on its public program from €7,000 to €15,000 for critical findings and from €2,500 to €5,000 for high-severity ones. 💸 As for fresh targets, Singapore-based blockchain service provider Memento has just launched a public program offering up to US$4,000, with a web application and a pair of APIs in scope. 🎯

🔍 Want to play a part in strengthening the technology behind one of the world’s leading VPN companies? ExpressVPN’s public program is offering up to US$2,500 for criticals, with a one-time US$100,000 bonus for the first critical finding on their VPN server technology, TrustedServer.

You can also earn leaderboard points (albeit not bounties) by successfully solving our monthly Dojo challenges. We’ve now published a winners-plus-best-writeup for challenge #44, ‘Chainfection’, and for #45, ‘Ghost Whisper’. 🏆 The currently active challenge, ‘APICrash’, is described thus: “A new API has been developed in Python. The developers have placed great emphasis on the API's speed and load balancing, but at what cost?” The challenge is active until 9 January. 🗓️

How Ruby resolves templates

A couple of noteworthy writeups to flag on the Critical Thinking podcast’s blog now. First up, Diyan Apostolov examines how Ruby resolves templates, supported by a cheatsheet showing how different languages and frameworks handle similar view/template resolution mechanisms. Second, Tang Cheuk Hei pioneers what he coins ‘nested response splitting’, whereby an attacker who achieves CRLF injection in HTTP headers can often add a second CRLF to break into the response body and inject HTML – thus enabling reflected XSS and even bypassing strict CSP by using response splitting as a CSP gadget. 🛡️
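The splitting primitive described above, as an added example that is not code from the Critical Thinking post: a hypothetical response builder that concatenates header values verbatim, beside a hardened version that refuses CR/LF/NUL, plus a helper showing where a client would stop reading headers. Inputs are constructed for illustration.

```python
import re
from typing import Optional

CRLF = "\r\n"
# Any CR, LF or NUL in a header name or value is a splitting primitive.
_CTL = re.compile(r"[\r\n\x00]")


def header_value_ok(value: str) -> bool:
    """True if the value can be emitted as a single header line."""
    return _CTL.search(value) is None


def build_response_unsafe(headers: dict, body: str) -> str:
    """Vulnerable builder (hypothetical): header values are concatenated
    verbatim, so a value carrying CRLF CRLF ends the header block early."""
    lines = ["HTTP/1.1 302 Found"] + [f"{k}: {v}" for k, v in headers.items()]
    return CRLF.join(lines) + CRLF + CRLF + body


def build_response_safe(headers: dict, body: str) -> str:
    """Hardened builder: refuse, rather than strip, names or values carrying
    CR/LF/NUL, so the attempt surfaces as an error that can be logged."""
    for k, v in headers.items():
        if not (header_value_ok(k) and header_value_ok(v)):
            raise ValueError(f"control character in header {k!r}")
    return build_response_unsafe(headers, body)


def injected_body(raw: str, intended_body: str) -> Optional[str]:
    """Detection helper: what a client parses as the body, if it differs from
    what the server meant to send (i.e. the header block ended early)."""
    _, _, parsed_body = raw.partition(CRLF + CRLF)
    return parsed_body if parsed_body != intended_body else None


# Constructed input: an attacker-influenced redirect target carrying a second
# CRLF pair, so everything after it is parsed by the client as HTML.
TAINTED_LOCATION = "/home" + CRLF + CRLF + "<p>attacker-controlled markup</p>"
```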

Adam Logue managed to craft a Microsoft Office document that triggered an indirect prompt injection when Microsoft 365 Copilot was asked to summarise the document, causing Copilot to fetch sensitive tenant data (such as recent emails) and hex-encode it. Recounting an attack variously described (complimentarily) as “sick” and “crazy”, the researcher noted how Copilot then produced a mermaid diagram styled as a login button containing a hyperlink to the attacker’s server with the hex-encoded data embedded. When the user clicked the fake button, the data was sent to the attacker, who could decode it from their server logs. 🤖
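A detection-side illustration of the exfiltration shape just described, added here and not part of Adam Logue’s research: it scans constructed click-log lines for links to off-allowlist hosts carrying a long hex blob and decodes a preview for the analyst. The allowlist, log format and hostnames are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlparse

# Assumed allowlist of hosts a Copilot-rendered link may legitimately target.
ALLOWED_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}
HEX_BLOB = re.compile(r"^(?:[0-9a-fA-F]{2}){16,}$")   # >= 16 bytes of pure hex
LOG_LINE = re.compile(r"user=(?P<user>\S+) url=(?P<url>\S+)")  # assumed format


def hex_payload_in_url(url: str) -> Optional[str]:
    """Return a decoded preview if the URL points off-allowlist and carries a
    long hex blob in its query string or a path segment, else None."""
    u = urlparse(url)
    if u.hostname is None or u.hostname in ALLOWED_HOSTS:
        return None
    candidates = [v for _, v in parse_qsl(u.query, keep_blank_values=True)]
    candidates += [seg for seg in u.path.split("/") if seg]
    for blob in candidates:
        if HEX_BLOB.match(blob):
            text = bytes.fromhex(blob).decode("utf-8", errors="replace")
            return text[:40]
    return None


def scan_click_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, preview) for each line whose link matches the
    hex-encoded exfiltration channel described above."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        preview = hex_payload_in_url(m["url"])
        if preview is not None:
            hits.append((m["user"], urlparse(m["url"]).hostname, preview))
    return hits


# Constructed sample log: no real tenants, hosts or data.
SECRET = "Subject: Q4 board deck - confidential".encode().hex()
SAMPLE_LOG = [
    "2025-12-01T09:00:00Z user=alice url=https://graph.microsoft.com/v1.0/me/messages",
    f"2025-12-01T09:01:12Z user=bob url=https://attacker.example/login?d={SECRET}",
    "2025-12-01T09:02:30Z user=carol url=https://docs.example.org/help?q=1234abcd",
]
```

Short hex-looking values such as the eight-character query in the last line are ignored by the length threshold, which keeps ordinary IDs from tripping the rule.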

And now for something a little leftfield: can you thrive as a security researcher if you’re bad with numbers? Bernhard Mueller says you don’t have to be good at maths, but being “math-pilled” certainly helps. In ‘The security researcher’s guide to mathematics’, he introduces “fields of math that, while not always strictly ‘essential’, are high-leverage for modern security researchers. Be warned however that I’ll take some detours into machine learning and physics.” You have been warned. ⚛️

That just leaves another 10 writeups to flag before we recap the rest of our own writeups:

🔬 Racing and fuzzing HTTP/3: open-sourcing QuicDraw(H3) – Maor Abutbul, CyberArk

🔬 Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984) – David Leadbeater

🔬 How a fake AI recruiter delivers five staged malware disguised as a dream job – Shantanu Ghumade

🔬 The security paradox of local LLMs – Jacek Migdal, Quesma

🔬 Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers – Artem Chaikin and Shivan Kaul Sahib, Brave Software

🔬 No leak, no problem: Bypassing ASLR with a ROP chain to gain RCE – Michael Imfeld, Modzero

🔬 How I found the worst ASP.NET vulnerability: A $10K bug (CVE-2025-55315) – Siddhant Kalgutkar, Praetorian

🔬 Deanonymizing users at scale: When blocking becomes an oracle – Jorge Cerezo Dacosta

🔬 Who needs a blind XSS? Server-side CSV injection across support pipelines – Hx01, in collaboration with Todayisnew and Sajeeb Lohani

🔬 ‘Stop putting your passwords into random websites (yes, seriously, you are the problem)’ – Jake Knott, watchTowr Labs

Mobile recon

We’ve published the second article in our Android hacking series, which explains the recon process in depth – from extracting APKs to building a prioritised attack list ready for exploitation testing. 🚀 Relatedly, the author of this series, Pwnii, has produced a companion video to the first instalment, where she demonstrates how to build your mobile Bug Bounty lab from scratch, including installing and configuring essential tools like Android Studio, Genymotion and Magisk. 📱

Hunter stories: Aituglo & Wlayzz

Let’s take a break from the technical stuff and check out some human stories in the form of our latest hunter interviews: with Aituglo, who is thriving despite professing to finding bugs hard to come by when he started out, and Wlayzz, a prolific hunter despite combining Bug Bounty with a pentesting and red teaming role. 💪

Want to sharpen your hunting skills around SSTI, cache poisoning or business logic error bugs? The hunters who topped our 2024 leaderboards for these CWE categories – supr4s, Codejump and Kto94 – kindly shared their best-practice tips with us. 🧠

The latest instalment in our ‘Vulnerability Vectors’ series is the ultimate Bug Bounty guide to HTTP request smuggling vulnerabilities, which explores a rejuvenated field of security research, beginning with the basics and progressing to more advanced detection, exploitation and mitigation techniques. 🛡️

EU contract signed

In case you missed the announcement shortly after the last edition of this newsletter: YesWeHack is now the European Commission’s preferred provider of Bug Bounty services. 🐛 The EU’s main executive branch has run Bug Bounty Programs to harden open source assets used across EU servers and systems since 2019. The latest phase of the Commission’s Bug Bounty strategy expands the scope to a wider range of open source projects, as well as any EU institutions wishing to leverage crowdsourced security testing to harden their own applications. Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, said: “We’re honoured that the European Commission has entrusted us with securing assets of such critical importance – not only to EU institutions but also to millions of citizens. It’s a testament to the spectacular progress we’ve made since launching a decade ago that the world’s largest trading bloc chose YesWeHack after an exhaustive tender process.”

🤘Hang with YesWeHack and bag some swag🤘

Just two events left on our schedules for 2025. First up, we’re at Black Hat Europe in London, today and tomorrow (10-11 December). You can find us (and the latest YesWeHack merch) on booth 621. 📆

After that it’s NahamCon2025’s Winter Edition, an online-only event taking place on 17 and 18 December. We’re proud sponsors of the conference, which will feature a talk from our very own research enablement analyst, Alex Brumen, on Python Pitfalls: Turning Developer Mistakes into Vulnerabilities. The workshop will showcase how common functions with a simple pitfall can lead to critical vulnerabilities such as SSRF, file read, code injection and more. We’ll publish six related hands-on Dojo labs, each dedicated to a specific Python pitfall, in the wake of the presentation. Alex and colleague/fellow hunter Pwnii have also crafted three exclusive CTF challenges for NahamCon attendees to tackle. 👾

Merry Christmas and all that jazz!

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.