Sponsored by

The 5 Hacking NewsLetter 13

Posted in Newsletter on July 29, 2018

The 5 Hacking NewsLetter 13

Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 13 to 27 of July.

Our favorite 5 hacking items

1. Non technical item of the week

Under the Hoodie Videos: True Stories from Rapid7 Pen Testers Under the Hoodie - Lessons from a Season of Penetration Testing

I absolutely loved watching these videos, especially “The Bank Job”!

Having only conducted technical “classic” penetration testing and never social engineering or red team engagements, I find these tales mind-blowing. It’s like watching a good action movie made by real hackers.

2. Writeup of the week

The Daily Swig by the creators of Burp Suite

If I had to choose only one news site to follow, it would be The Daily Swig.

I added it to my RSS feed and what I like about it most compared to other news sites is that it doesn’t flood you with tens of articles everyday about who hacked who, who was arrested, etc.
It presents only few IT sec news which are relevant to me as a pentester / bug hunter, in very concise & well written words.

3. Tutorial of the week

The poor man’s bug bounty monitoring setup by EdOverflow

I stumbled upon this blog post just as was researching the best way to automate the process of monitoring bug bounty target assets.

Many successful bug hunters strongly recommend doing that especially if you are a full time bug hunter, to gain an advantage over hunters who are not monitoring their targets’ assets (subdomains, acquisitions, TLDs, new functionalities…).

4. Video of the week

Bug Hunting as a Second Income & Slides

This webinar is a nice complement to Jason Haddix’s Bug hunters methodology talk. It is great for anyone starting in bug bounty or just to learn more about Jason’s process.

5. Tool of the week

cc.py by Si9int

Common Crawl is an open repository of web crawl data that can be accessed and analyzed by anyone for free.
Cc.py extracts URLs of the target you give it from the Common Crawl dataset. It allows you to quickly and passively obtain a list of URLs available on your target domain, that have been gathered by Common Crawl.

Needless to say that I’ve already added it to my arsenal & methodology!

Other amazing things we stumbled upon this week

Stuff to watch/listen to





Medium to advanced

Beginners corner


You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.


If you don’t have time

  • Photon: Incredibly fast crawler which extracts urls, emails, files, website accounts and much more
  • h1-cli by EdOverflow: A CLI tool to interact with hackerone.com. This was my submission for HackerOne’s Summer 2018 Hack Day.
  • merge-snallygaster-bfac: Merging and Sorting the URLs/backupfiles obtained from Snallygaster and BFAC
  • Dirhunt: Find web directories without bruteforce

More tools, if you have time

Misc. pentest & bug bounty resources


Non technical

Tweeted this week

We created two collections of our favorite pentest & bug bounty related tweets shared these last two weeks. You’re welcome to read them directly on Twitter:

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…