The 5 Hacking NewsLetter 26

Posted in Newsletter on November 5, 2018

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from the 26th of October to the 2nd of November.

OMG, this is a spooky one! The story of a whitehat hacker (maybe) wrongfully convicted, CIA agents killed because of Google dorking, researchers theorizing about human memory hacking… Plus the quantity of items listed this time!

There were so many good things shared that I could hardly choose, so this newsletter is even longer than usual. But of course, you don’t have to consume everything if you’re short on time. Just start with what interests you most, as many different topics are covered.

Enjoy, and feel free to share feedback, suggestions, questions, likes… whatever you feel like.

Our favorite 5 hacking items

1. Tutorial of the week

How to perform the static analysis of website source code with the browser — the beginner’s bug bounty hunters guide

If you can only check one item from this newsletter, this is it! Reading and analyzing HTML & JavaScript code when testing web applications is a must. But it can be difficult for non-developers, especially because the best bugs are generally found manually.

This guide explains everything: the tools you need, what to look for and where, how to use a JS debugger, etc.

So if you’ve been wondering how to get better at bug bounties, drop everything and read this.

2. Video of the week


This is an amazing explanation of uXSS and how URLs work. Here are my takeaways, but I highly encourage you to still watch the video because it has many more interesting details:

  • If a browser fails to enforce the Same Origin Policy (SOP), any malicious site can steal data from any other site you log into
  • uXSS is an XSS due to a browser weakness, which bypasses the SOP
  • Example of uXSS in Chrome on iOS

3. Writeup of the week

2FA bypass on HackerOne

It wasn’t easy to select a single writeup this week. Many are impressive either for the technique and/or the bounty. You’ll find them all listed below.

As THE writeup of the week, I chose this one because it shows that the most dangerous/impressive bugs are not always the most complicated. Sometimes, some observation and thinking are enough (and pay well, $10,000 exactly). But maybe THIS is the difficulty…

Anyway, it’s a 2FA bypass: The “Submit Report” button requires 2FA. But a URL mentioned in the program’s policy page didn’t. That’s it!
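The pattern behind this bug, as an added example that is not taken from the writeup or from HackerOne's code: a 2FA check placed on one entry point only, beside the same check attached to the action itself, plus a small audit that probes every route with a session that has not passed 2FA. All names here (`Session`, `create_report`, the route names) are hypothetical.

```python
from dataclasses import dataclass
from functools import wraps

@dataclass
class Session:
    user: str
    second_factor_ok: bool = False  # True only after the 2FA step succeeded

class TwoFactorRequired(Exception):
    pass

def create_report(session, title):
    # Sensitive action (hypothetical stand-in for "submit a report").
    return f"report '{title}' created by {session.user}"

# Weak design: the 2FA check lives in one entry point only.
def weak_submit_button(session, title):
    if not session.second_factor_ok:
        raise TwoFactorRequired("2FA needed")
    return create_report(session, title)

def weak_policy_page_link(session, title):
    # Second route to the same action; the check was never added here.
    return create_report(session, title)

# Corrected design: the check is attached to the action, so every route inherits it.
def requires_2fa(action):
    @wraps(action)
    def guarded(session, *args, **kwargs):
        if not session.second_factor_ok:
            raise TwoFactorRequired(f"2FA needed for {action.__name__}")
        return action(session, *args, **kwargs)
    return guarded

guarded_create_report = requires_2fa(create_report)

def routes_missing_2fa(routes):
    """Return the names of routes that succeed for a session without 2FA."""
    probe = Session(user="probe")  # constructed session, second factor not passed
    missing = []
    for name, handler in routes.items():
        try:
            handler(probe, "constructed test report")
            missing.append(name)
        except TwoFactorRequired:
            pass
    return sorted(missing)

WEAK = {"submit_button": weak_submit_button, "policy_link": weak_policy_page_link}
FIXED = {"submit_button": guarded_create_report, "policy_link": guarded_create_report}
```

Run as a regression test over the full route table, `routes_missing_2fa` flags any newly added entry point that reaches the action without the check.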

4. Challenge of the week

Typhoon Vulnerable VM & Practical White hat hacker training material

This is an intentionally vulnerable VM to train for many types of tests: network and web app security testing, password cracking, privilege escalation attacks, post exploitation, information gathering and DNS attacks.

There are already dozens of such VMs out there, but what distinguishes this one is the accompanying training material. It’s very good, especially for those learning the ropes of penetration testing.

5. Resource of the week


Password brute forcing is one of my weaknesses. I never seem to have the right password list whether on real engagements or CTFs!

So I was glad to find this site. It compiles many password lists from different sources: for different languages, with different sizes, real passwords from data breaches, passwords based on dates or names… They can be used for cracking passwords, hashes, WPA2 connections, etc.

Other amazing things we stumbled upon this week



Conference slides


Medium to advanced

Beginners corner


Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources



Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/26/2018 to 11/02/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…