The 5 Hacking NewsLetter 71

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 06 to 13 of September.

T5HN71.png

Our favorite 5 hacking items

1. Video of the week

Hacking Gotham University

Watch @uraniumhacker hack a fake university for 2 hours. The vulnerable subdomains (and ports) don’t seem to be up anymore, but it’s an excellent walkthrough on hacking Web apps and APIs.

@uraniumhacker explains his methodology, what to look for at each step, how to exploit bugs like SSRF on Jira, IDOR, RCE, how to take notes with screenshots and proofs during the whole pentest process, etc.

More …

The 5 Hacking NewsLetter 70

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 30 of August to 06 of September.

T5HN70.png

Our favorite 5 hacking items

1. Conference of the week

DerbyCon 9, especially:

DerbyCon 9 had so many good talks! I’m particularly interested in the ones on CORS, Kerberoasting, WebSOckets, GraphQL, Serverless, API security & red teaming, but many other topics were discussed.

Too bad, this was the last DerbyCon conference!

More …

The 5 Hacking NewsLetter 69

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 23 to 30 of August.

T5HN69.png

Our favorite 5 hacking items

1. Non technical item of the week

Economics of the bug bounty hunting

This is a great read about how @dmi3sh uses specific metrics to increase his hourly rate as a full-time bug hunter.

The main takeaway for me is that he relies on a list of criteria to decide on which target, functionality and bug type it is best to focus. These are things like: Probability of finding a bug, payout, chance of being duped, of getting N/As and out of scope, chances of being paid, etc.

Using these objective elements helps make decisions about what to focus on a lot easier.

More …

The 5 Hacking NewsLetter 68

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 16 to 23 of August.

T5HN68.png

Our favorite 5 hacking items

1. Article of the week

SSRF in the Wild

This article is an analysis of publicly disclosed SSRF writeups.

@vickieli7 curated 76 unique reports, then read each one and categorized them following criteria like: vulnerable feature, presence of SSRF protection, criticality/impact, type of fix implemented…

She gives interesting statistics on each category. For example, 27 of the 76 bugs affected an image/file upload feature.

I love this idea of studying a vulnerability class by producing statistics based on specific criteria. This can be scaled to include other bug types and more writeups.

It’s also a great idea to look for bypasses each time you read a writeup. This is what allowed @vickieli7 to find one bug while learning about SSRF!

More …

The 5 Hacking NewsLetter 67

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 09 to 16 of August.

T5HN67.png

Our favorite 5 hacking items

1. Tips of the week

Bounty hunters: how do you organize your notes on targets, especially when switching targets back and forth and doing it for a long time?

This is a cool Twitter thread. Fisher (@Regala_) prompted the question about how other bug hunters organize their notes, and many hunters responded.

Tools mentioned include a private Github repo, simple notes and folders, SwiftnessX, OneNote, a whiteboard for logic flaws, Google Docs, XMind, etc.

It’s nice to get a peak at what others are using!

More …