The 5 Hacking NewsLetter 74

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 27 of September to 04 of October.

Our favorite 5 hacking items

This time, exceptionally, we’re featuring way more items than usual… Why limit ourselves to 5 if both quantity and quality are there?

The following links are all really worth checking out if you are into Web application security.

1. Articles of the week

HTTP Desync Attacks: what happened next
Karim Rahal: Security Features of Firefox
The Top 8 Burp Suite Extensions That I Use to Hack Web Sites
5 Subdomain Takeover ProTips

These articles are, in order, about:

  • New research by @albinowax on HTTP Request Smuggling
  • 3 Firefox security features explained by @KarimPwnz, with good tips on how to use the “Multi-Account Containers” extension for hacking
  • A list of 8 Burp extensions worth using, with everything you need to know about them in one page (what they do, installation & usage tips)
  • 5 tips by subdomain takeover master @0xpatrik

The 5 Hacking NewsLetter 73

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 20 to 27 of September.

Our favorite 5 hacking items

1. Slide/Tool of the week

Manual JavaScript Analysis Is A Bug & MetaSec.js

I hope this talk’s video will be released soon. But even without it, this presentation is very helpful in understanding what to look for in JavaScript files, existing tools for automation, and what can/cannot be automated.

Techniques mentioned include endpoint discovery, reversing source maps, technology fingerprinting, detecting sources and sinks, detecting ReDoS, detecting secrets, detecting vulnerable third-party components, etc.

As a bonus, LewisArdern provides MetaSec.js, a wrapper around several open source tools to automate JS file analysis.

The 5 Hacking NewsLetter 72

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 13 to 20 of September.

Our favorite 5 hacking items

1. Tutorial of the week

How to find more IDORs

This tutorial explains how to find IDORs that are less obvious than just incrementing an ID. The techniques mentioned can be very helpful especially in the context of bug bounty.

Some of them are testing encoded & hashed IDs, adding an ID to the request even if the app didn’t ask for it, changing the request method, etc.

Also, IDOR and self-XSS combined can lead to stored XSS, increasing the impact of the IDOR.

The 5 Hacking NewsLetter 71

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 06 to 13 of September.

Our favorite 5 hacking items

1. Video of the week

Hacking Gotham University

Watch @uraniumhacker hack a fake university for 2 hours. The vulnerable subdomains (and ports) don’t seem to be up anymore, but it’s an excellent walkthrough on hacking Web apps and APIs.

@uraniumhacker explains his methodology, what to look for at each step, how to exploit bugs like SSRF on Jira, IDOR, RCE, how to take notes with screenshots and proofs during the whole pentest process, etc.

The 5 Hacking NewsLetter 70

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 30 of August to 06 of September.

Our favorite 5 hacking items

1. Conference of the week

DerbyCon 9, especially:

DerbyCon 9 had so many good talks! I’m particularly interested in the ones on CORS, Kerberoasting, WebSockets, GraphQL, Serverless, API security & red teaming, but many other topics were discussed.

Too bad, this was the last DerbyCon conference!
