The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on July 16, 2018
Hey hackers! These are our favorite pentest & bug bounty related resources for the week from 6 to 13 of July.
SteelCon 2018 talks, particularly:
- What I’ve Learned From Billions Of Security Reports Every Month by Scott Helme
- Breaking Into Information Security by Andy Gill
- Can’t Hack, Love To Lurk: Sharing Academic Research by Helen Thackray
- The Dark Arts by Neil Lines
- Opening by Robin Wood
- Exploiting Screen Recording And Automated Input On Android by Amar Menezes
- GDPR For Hackers by Carl Gottlieb
- You’ve Got Mail! by Dan Caban and Muks Hirani
- Not A Hacker, Yet. by Chris Ratcliff
- Profiling The Attacker by James Stevenson
I would have loved to go to SteelCon 2018 and see all these talks live! They are not all technical but when I’m looking for something to watch/pass the time, I usually prefer watching conference videos like these to TV shows. They teach me new technical skills/information and help put me in a hacker’s mindset and motivate me for better bug hunting.
https://buckets.grayhatwarfare.com/: The Shodan of Amazon S3 buckets
This is a searchable database of open Amazon S3 buckets. I haven’t had the time to try it yet, but I love the idea of an equivalent of Shodan for S3 buckets!
70,000 buckets are listed; you can easily search for company names or domain names, and browse the contents of buckets.
#BugBounty — Compromising User Account: “How I was able to compromise user account via HTTP Parameter Pollution (HPP)” by Avinash Jain
This is a good real-life example of HTTP Parameter Pollution. Avinash first detected it on a social sharing button, then tested for the same issue on the password reset functionality of the same site and was able to reset the password of any user, escalating from HPP to account takeover.
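To make the mechanism concrete, here is a small added Python example (not code from the writeup or from the site in question) showing why HTTP Parameter Pollution works and how a password-reset handler should defend against it. The request body, the parameter names and the `ParameterPollutionError` type are all constructed for illustration: when a parameter such as `email` is sent twice, different frameworks keep the first value, the last value, or both, so a handler that blindly picks one can be steered to a different account. The hardened version requires exactly one occurrence, and a separate helper flags polluted requests for logging.

```python
from urllib.parse import parse_qs

# Constructed sample body: a password-reset request in which the
# "email" parameter has been sent twice (the shape the writeup describes).
SAMPLE_BODY = "email=victim%40example.com&email=attacker%40example.com&token=abc123"


class ParameterPollutionError(ValueError):
    """Raised when a parameter that must be unique appears more than once (hypothetical type)."""


def naive_email(body: str) -> str:
    """Vulnerable pattern: silently take the last value of 'email'.

    parse_qs returns a list per key; taking [-1] (or [0]) means a duplicated
    key quietly decides which mailbox receives the reset link.
    """
    params = parse_qs(body, keep_blank_values=True)
    return params.get("email", [""])[-1]


def strict_param(body: str, name: str) -> str:
    """Hardened pattern: the named parameter must appear exactly once."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(name, [])
    if len(values) != 1:
        raise ParameterPollutionError(
            f"{name!r} must appear exactly once, got {len(values)}"
        )
    return values[0]


def is_unique(body: str, name: str) -> bool:
    """True when the parameter is present exactly once (no pollution)."""
    try:
        strict_param(body, name)
    except ParameterPollutionError:
        return False
    return True


def detect_duplicate_params(body: str) -> list:
    """Detection helper for request logs: names of parameters sent more than once."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items() if len(values) > 1)


if __name__ == "__main__":
    print("naive handler would mail:", naive_email(SAMPLE_BODY))
    print("duplicated parameters:", detect_duplicate_params(SAMPLE_BODY))
    print("email unique?", is_unique(SAMPLE_BODY, "email"))
    print("token unique?", is_unique(SAMPLE_BODY, "token"))
```

The same check belongs anywhere a single parameter selects a security-relevant target (reset recipient, share target, account id): reject the request, or at least log it, whenever the key is repeated, rather than trusting whichever value the framework happens to surface.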
Any tutorial by Patrik Hudak is a great tutorial! They are always detailed, informative and easily understandable.
In this one, he explains how to find information related to a given domain, like its owner, reputation, DNS settings…
Finding a domain’s owner can be very useful for bug hunters, to avoid attacking an out-of-scope domain that does not belong to your target.
Basic security tips for the layman. This is a page to share with your relatives, co-workers, neighbors, etc., to help them protect themselves from black hats.
You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about our curation process.
We created a collection of our favorite pentest & bug bounty related tweets shared this week. You’re welcome to read it directly on Twitter.
Have a nice weekend folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…