Sponsored by

The 5 Hacking NewsLetter 19

Posted in Newsletter on September 17, 2018

The 5 Hacking NewsLetter 19

Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 31 of August to 14 of September.

Our favorite 5 hacking items

1. Tutorial of the week

A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)

There is so much to learn to become a successful pentester/bug hunter. I can’t remember which famous bug hunter once said that it used to take him 9 month to learn about a new vulnerability!

That’s why I love this kind of comprehensive guides. It goes from the basics as if you’ve never heard of AWS S3 to advanced concepts on their security and how to test them for misconfigurations.

2. Tool of the week

Script for gathering domains/subdomains with IPRanges of organization

I am currently trying to improve my recon process, mainly to find new targets (domains & subdomains) as quickly as they become available. So this script comes very handy and complements other more known tools.

It resolves each IP in a given IP range by checking if port 443 is open, retrieves the SSL certificate from port 443 and scrapes it for domains & subdomains.

3. Resource of the week

Global scan - exposed .git repos

I stumbled upon this article right after discovering a .git folder exposed on a bug bounty target. I was amazed at how easy it was to retrieve parts of the company’s source code and was wondering about the extent of this vulnerability.

This research answers the question and gives a great example of how to scale your hunt for such simple bugs.

4. Writeup of the week

Account Takeover in Periscope TV

Host headers attacks are usually associated with reset password pages or cache poisoning. From what I understood, this is a new way to exploit host headers attacks: it targets the OAuth implementation used to log into Periscope via Twitter.

Here is how I understand the attack:

  • Go to https://www.periscope.tv/ & click login with twitter
  • Intercept the request with Burp & change the host header to hackerone.com/www.periscope.tv (instead of www.periscope.tv)
  • A URL is returned: https://twitter.com/oauth/authenticate?oauth_token=... Send it to the victim
  • The victim opens it and has already authorized the Periscope app in Twitter
  • He/she is redirected to <https://www.example.com/www.periscope.tv/i/twitter/loginComplete?oauth_token=[attacker’s oauth token]&oauth_verifier=[victim’s oauth verifier]>
  • So the attacker receives on his/her server the victim’s oauth_verifier. He/she can takeover the victim’s account by reusing the same oauth_token & oauth_verifier

5. Conference of the week

Bounty Hunters by J Wolfgang Goerlich (GrrCon 2018)

I started this blog as a penetration tester, but I confess that I have been obsessed with bug hunting for months.

This is a nice talk about some bugs found by bug hunters on big companies and how to protect against them. The way the stories are narrated made me feel like I was sitting around a campfire with other bug hunters, hearing about their stories…

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Slides only


Medium to advanced

Beginners corner


You can find the latest bug bounty writeups in our dedicated page: [List of bug bounty writeups]({{ site.url }}{{ site.baseurl }}/list-of-bug-bounty-writeups.html).
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.


If you don’t have time

  • Vulmon: a vulnerability search engine. It includes cve id, vulnerability types, vendors, products, exploits, operating systems and anything related with vulnerabilities.
  • Sploitus: Vulnerability/exploit search engine, using multiple source feeds
  • Datasploit: An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
  • pwnedOrNot: Python Script to Find Passwords for Compromised Email Accounts using haveibeenpwned API

More tools, if you have time

  • HackBar: plugin for Burpsuite v0.2 beta & JAR
  • Activity Trail Log: BURP extension to record every HTTP request send via BURP and create an audit trail log of an assessment
  • Retire.NET: CLI extension to check your project for known vulnerable dependencies
  • nmapburp.sh: NMap a network and send all open web servers to Burp
  • sploitus.py: Python wrapper to search sploitus.com locally
  • twa: A tiny web auditor with strong opinions
  • getValidDNS.sh: A little bash script to gather valid AND fast DNS Resolvers from public-dns.info (useful if using MassDns)
  • badKarma: advanced network reconnaissance toolkit
  • Headless Burp: Provides a suite of Burp extensions and a maven plugin to automate security tests using BurpSuite. https://netsoss.github.io/headless-burp/
  • htrace.sh: Simple shell script to debugging http/https traffic tracing, response headers and mixed-content. Scanning domain using Nmap NSE Library. Support external security tools: Mozilla Observatory and SSL Labs API.
  • nmap-bootstrap-xsl: A Nmap XSL implementation with Bootstrap

Misc. pentest & bug bounty resources


Non technical

Tweeted this week

We created two collections of our favorite pentest & bug bounty related tweets shared these last two weeks. You’re welcome to read them directly on Twitter:

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…