Sponsored by

The 5 Hacking NewsLetter 20

Posted in Newsletter on September 25, 2018

The 5 Hacking NewsLetter 20

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.

This issue covers the week from 14 to 21 of September.

Our favorite 5 hacking items

It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.

1. Tutorial of the week

Discovering GraphQL endpoints and SQLi vulnerabilities by @localh0t

I read more and more bug bounty writeups like this one or this one that mention misconfigured GraphQL endpoints and these bugs seem to pay really well.

GraphQL is an alternative to Web services like REST. This tutorial is a great introduction to understand their differences, how to find hidden GraphQL endpoints and exploit them to detect SQL injection.

2. Writeup of the week

How I XSS’ed Uber and Bypassed CSP by @mefkansec

I love the creativity of the recon work that led to this XSS: @mefkansec looked for Uber invitation links mentioned everywhere on forums & social media. Then he used a google dork to find a lot more invitation links in order to gather new GET parameters until he found one that was vunerable to a simple reflective XSS.

But the PoC didn’t work because of the CSP! The list of whitelisted domains showed that Uber subdomains are allowed. So in his working PoC, he used an Uber subdomain (found in VirusTotal) which redirects to a Marketo subdomain. By adding a callback parameter, he could execute Javascript:

https://partners.uber.com/p3/referrals/ms?i=bq6ew1w9ue&m=ANNIVERSARY&v=1"><script src=”https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>

3. Tip of the week

How to get source code of any electron application

@Yassineaboukir recommends reverse engineering and analyzing the source code of Electron apps, as an easy way to find hardcoded secrets. The tutorial he mentions is very concise and should help you get started quickly.

Also, @0xibram recommends in the comments using this guide once you have the source code: Electron Security Checklist - A guide for developers and auditors.

4. Resources of the week

@gwendallecoguic suggests 4 blog posts that helped him learn how to bypass Cloudflare. Try the different techniques until you find one that works on your target.

5. Tool of the week


This tool helps monitor Certificate Transparency logs for new subdomains, when you’re targeting a specific bug bounty program or during a long term pentest engagement.

It uses the API of Entrust Datacard’s Certificate Transparency Search Tool.

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Slides only


Medium to advanced

Beginners corner



  • CertStreamMonitor: Monitor certificates generated for specific domain strings and associated, store data into sqlite3 database, alert you when sites come online
  • cookie-decrypter: A Burp Suite Professional extension for decrypting/decoding various types of cookies
  • TruePolyglot: Polyglot file generator project. This means that the generated file is composed of several file formats. The same file can be opened as a ZIP file and as a PDF file for example.
  • terraform-burp-collaborator: Terraform configuration to build a Burp Private Collaborator Server
  • Upload Scanner: HTTP file upload scanner for Burp Proxy (Burp extension)
  • SimpleshoT: simple screenshot generator
  • TIDoS Framework: The Offensive Web Application Penetration Testing Framework

Misc. pentest & bug bounty resources

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/14/2018 to 09/21/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…