The 5 Hacking NewsLetter 94

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 14 to 21 of February.

Our favorite 5 hacking items

1. Video of the week

Low Competition Bug Hunting (What to Learn) - ft. #AndroidHackingMonth

If you are discouraged by bug bounty and think all the bugs are gone, watch this. @InsiderPhD gives an awesome explanation of why it is not true, and what you need to do to start finding bugs.

I love her way of thinking. She deconstructs the question into several chunks and tackles one after the other: Which targets/industry to choose? Which assets and bugs to focus on? Which techniques to learn? How to interpret and use bug bounty statistics?

More …

The 5 Hacking NewsLetter 93

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 07 to 14 of February.

Our favorite 5 hacking items

1. Video of the week

@zseano Talks About BugBountyNotes.com, Recon, Reading Javascript, WAF, Wayback Machine, and more!

Lately, @zseano has been quieter than before. So, it is nice to hear him share insights on his recon process (e.g. why he runs subdomain tools last), his hacking methodology, why he closed Bug Bounty Notes, and much more.

More …

The 5 Hacking NewsLetter 92

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 31 of January to 07 of February.

Our favorite 5 hacking items

1. Tools of the week

The first tool tries to solve an inconvenience all bug hunters and pentesters face: having to use so many different tools, remember their command line options, juggle between terminals and note-taking apps, copy-paste commands…

Quiver allows you to run recon scripts or single commands organized into categories with auto-completion, and to access markdown notes from the terminal. This last feature is really interesting. It makes it possible to manage a markdown knowledge base that can be accessed from both GUI (with an app like Joplin) and CLI.

The second tool is handy for Android application tests. It helps download APKs directly from the Google Play Store using the command line. Practical if you want to automate APK downloads.

More …

The 5 Hacking NewsLetter 91

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 24 to 31 of January.

Our favorite 5 hacking items

1. Tip of the week

Hacker tip: when you’re looking for IDORs in a model that references another model, try storing IDs that don’t exist yet. I’ve seen a number of times now that, because the model can’t be found, the system will save the ID. Because authorization checks often only happen on write, you can come back after the ID was created. Because the model references a model that isn’t yours, you may be able to bypass authorization, often leading to information disclosure.

Awesome IDOR technique by @jobertabma! The idea is to replace an ID with one that does not exist yet (e.g. ID+1). Wait for ID+1 to exist and see if you can access its information.

Now to revisit old programs to test for potentially missed IDORs/info disclosures…

More …

The 5 Hacking NewsLetter 90

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 17 to 24 of January.

Our favorite 5 hacking items

1. Conference of the week

Frans Rosén Keynote at BSides Ahmedabad

This is a talk I’ve been impatiently waiting for since it was announced. @fransrosen shares his methodology for breaking Web apps/APIs by using fuzzing and information disclosure.

He uses an imaginary app to show practical examples of building custom API wordlists, finding hidden endpoints, etc. An absolute must watch if you’ve ever come across tips on Web app fuzzing and did not know how to apply them in practice.

More …