The 5 Hacking NewsLetter 41

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 08 of February to 15 of February.

T5HN41.png

Our favorite 5 hacking items

1. Tool of the week

Dnsgrep & Tutorial

This is a great new tool for quickly searching large DNS datasets like those from the Rapid7 Project Sonar.

It’s like grep except it can search dozens of gigabytes of data really fast.

You can either install it and use it locally, or use the online version. But the author said he will likely take down the online service in the future.

More …

The 5 Hacking NewsLetter 40

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 01 to 08 of February.

T5HN40.png

Our favorite 5 hacking items

1. Video of the week

A $7.500 BUG Bounty Bug explained, step by step. (BLIND XXE OOB over DNS)

Another great video by @stokfredrik! It’s a writeup for a blind XXE OOB over DNS using a PDF file upload.

Classic file upload payloads & attacks didn’t work, so the last thing that @stokfredrik tried was sneaking XML entities through PDF files. He was able to trigger a DNS request from the target server (using Burp Collaborator). He then escalated the attack over multiple stages until he got a full blind XXE.

This is pretty advanced stuff but every stage is detailed and well explained, including tools and references.

More …

The 5 Hacking NewsLetter 39

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 25 of January to 01 of February.

T5HN39.png

Our favorite 5 hacking items

1. Conference of the week

BSides Leeds 2019, especially:

I love these four talks. They’re respectively about:

  • Questions & tips from a bug bounty triager for both bug hunters & companies/triagers;
  • Advice for anyone looking for a pentester job from the CEO of a pentesting company;
  • Differences between bug bounty & pentesting;
  • Ideas from a pentester on how to integrate pentesting into the development process. Automating some tests helps detect vulnerabilities early in the development lifecycle.
More …

The 5 Hacking NewsLetter 38

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 18 to 25 of January.

T5HN38.png

Our favorite 5 hacking items

1. Article of the week

A More Advanced Recon Automation #1 (Subdomains)

If you want to automate some of your recon tasks but don’t know where to start, this is an excellent beginning.

A recon workflow chart is given as an example. This is the first article of a series. It explains how to automate subdomains enumeration using a Bash script, and includes commands, tools plus tips like how to check for wildcard resolution (i.e. false positive subdomains).

Looking forward to the sequel(s)!

More …

The 5 Hacking NewsLetter 37

Hey hackers! Before diving into the meat of this newsletter, I first want to thank all of you who send us emails regularly and who answered our questions on which topics you would like addressed in a podcast.

I haven’t yet had the opportunity to answer all of you. But your input, queries and suggestions are well received and will be taken into account. Keep’em coming!
Life gets in the way with plenty of obstacles and projects. So change is slow but steady. I’m sure you can relate to this…

That said, here are our favorite resources shared by pentesters and bug hunters last week. This issue covers the week from 11 to 18 of January.

Big thanks to Intigriti for sponsoring this newsletter!

T5HN37.png

Our favorite 5 hacking items

1. Tool of the week

bugbounty.link

This is a URL shortening service. What’s great about it is that it supports any protocol (file, gopher, etc). So it can be useful to test for SSRF or open redirects, and bypassing filters on certain URI schemes.

More …