The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on July 29, 2018
Hey hackers! These are our latest favorite resources related to pentest & bug bounty.
This issue exceptionally covers two weeks, from 13 to 27 of July.
Under the Hoodie Videos: True Stories from Rapid7 Pen Testers
Under the Hoodie - Lessons from a Season of Penetration Testing
I absolutely loved watching these videos, especially “The Bank Job”!
Having only conducted technical “classic” penetration testing and never social engineering or red team engagements, I find these tales mind-blowing. It’s like watching a good action movie made by real hackers.
The Daily Swig by the creators of Burp Suite
If I had to choose only one news site to follow, it would be The Daily Swig.
I added it to my RSS feed, and what I like about it most compared to other news sites is that it doesn't flood you with tens of articles every day about who hacked whom, who was arrested, etc.
It presents only a few IT security news items that are relevant to me as a pentester / bug hunter, in very concise and well-written words.
I stumbled upon this blog post just as I was researching the best way to automate the process of monitoring bug bounty target assets.
Many successful bug hunters strongly recommend doing that, especially if you are a full-time bug hunter, to gain an advantage over hunters who are not monitoring their targets' assets (subdomains, acquisitions, TLDs, new functionalities…).
This webinar is a nice complement to Jason Haddix's Bug Hunter's Methodology talk. It is great for anyone starting in bug bounty, or just to learn more about Jason's process.
Common Crawl is an open repository of web crawl data that can be accessed and analyzed by anyone for free.
Cc.py extracts URLs for the target domain you give it from the Common Crawl dataset. It allows you to quickly and passively obtain a list of URLs on your target domain that have already been gathered by Common Crawl, without sending any request to the target yourself.
Needless to say that I’ve already added it to my arsenal & methodology!
You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren't worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process works.
Demonstrating the full impact of #XSS vulnerabilities often pays off… alert() can't compete with full organization takeover https://t.co/SvF7PbwdTT
If you’ve ever used snallygaster or bfac to find backup files, or other interesting assets on a target, here is a quick utility to merge their results because we don't have a standard format (yet) for storing results from open source tools - https://t.co/KgyVb9kGbZ
We created two collections of our favorite pentest & bug bounty related tweets shared over these last two weeks. You're welcome to read them directly on Twitter:
Have a nice weekend folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…