The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on October 8, 2018
Hey hackers! These are our favorite resources pertaining to pentesting and bug hunting for last week.
It covers the period from September 28 to October 5.
This is an awesome guide on mobile security testing! I’ve been reading through it because I’m preparing a training on Android hacking, and it is very good-quality information on hacking Android & iOS apps for both beginners and experienced testers.
Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature by japz
What an amazing finding! By chaining two features, it is possible to create a business logic bug that allows anyone to receive all private invites without any user interaction:
If you can only read one writeup this week, this is an excellent candidate for two reasons: it demonstrates real out-of-the-box thinking, and I love how the researcher politely questioned HackerOne’s decision to close it as a duplicate and how @jobertabma took the time to explain their decision. So the bug went from dup to triaged with $2,500 and swag!
Gurp by @joan_bono
This is a Golang command-line interface to Burp Suite’s REST API.
I haven’t yet played with Burp’s new REST API, because of so many projects lined up and things to learn. But I like the idea of using the API from a command line. Sometimes, many URLs or apps have similar endpoints. So I’d create scripts for some specific tests (to detect open redirects, brute-force Basic authentication, etc.) and run them against the list of targets. It could be done using the API directly, but I’m more comfortable with the CLI.
DerbyCon 2018, especially:
- Extending Burp to Find Struts and XXE Vulnerabilities
- Android App Penetration Testing 101
- Web app testing classroom in a box - the good, the bad and the ugly
- Hacking Mobile Applications with Frida
- Ninja Looting Like a Pirate
- Web App 101: Getting the lay of the land
- Breaking Into Your Building: A Hackers Guide to Unauthorized Access
There are so many interesting talks in DerbyCon 2018! Some are technical, some fun, with a huge variety of topics (red teaming, pentesting, web app security, mobile security, Active Directory hacking, buffer overflows, physical security, social engineering…). As usual, I couldn’t list all the talks I find interesting here, so check the playlist. You will surely learn something!
Application Security Wiki by @exploitprotocol & @abhibundela
This is a new wiki which compiles resources on many subjects related to Web application security: books, vulnerable apps for training, recon, and tutorials, tools & writeups for each type of vulnerability…
I like going through this kind of site because they gather a lot of information and good references in the same place, categorized by subject, which saves a lot of time. It’s kind of what I do with this weekly newsletter, but presented differently!
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/28/2018 to 10/05/2018
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…