The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on November 5, 2018
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 26 of October to 02 of November.
OMG, this is a spooky one! The story of a whitehat hacker (maybe) wrongfully convicted, CIA agents killed because of Google dorking, researchers theorizing about human memory hacking… Plus the quantity of items listed this time!
There was so many good things shared that I could hardly choose, so this newsletter is even longer than usual. But of course, you don’t have to consume everything if you’re short on time. Just start with what interests you more, as many different topics are covered.
Enjoy and you can share feedback, suggestions, questions, likes… whatever you feel like.
How to perform the static analysis of website source code with the browser — the beginner’s bug bounty hunters guide
This guide explains everything: the tools you need, what to look for and where, how to use a JS debugger, etc.
So if you’ve been wondering how to get better at bug bounties, drop everything and read this.
HOW FRCKN’ HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128
This is an amazing explanation of uXSS and how URLs work. Here are my takeaways, but I highly encourage you to still watch the video because it has many more interesting details:
It wasn’t easy to select a single writeup this week. Many are impressive either for the technique and/or the bounty. You’ll find them all listed below.
As THE writeup of the week, I chose this one because it shows that the most dangerous/ impressive bugs are not always the most complicated. Sometimes, some observation and thinking are enough (and pay well, $10,000 exactly). But maybe THIS is the difficulty…
Anyway, it’s a 2FA bypass: The “Submit Report” button requires 2FA. But a URL mentioned in the program’s policy page didn’t. That’s it!
Typhoon Vulnerable VM & Practical White hat hacker training material
This is an intentionally vulnerable VM to train for many types of tests: network and web app security testing, password cracking, privilege escalation attacks, post exploitation, information gathering and DNS attacks.
There are already dozens of such VMs out there, but what distinguishes this one is the accompanying training material. It’s very good especially for those learning the ropes of penetration testing.
Password brute forcing is one of my weaknesses. I never seem to have the right password list whether on real engagements or CTFs!
So I was glad to find this site. It compiles many password lists from different sources: for different languages, with different sizes, real passwords from data breaches, passwords based on dates or names…. To be used for cracking passwords, hashes, WPA2 connections, etc.
See more writeups on The list of bug bounty writeups.
Hey offsec students,— (@xxByte) October 27, 2018
I created a discord server for us to exchange information and learn from each others. Please join us > https://t.co/UVU48JCO1V ; for OSCP, OSCE, OSEE, and OSWE#offsec #oscp #osce #infosec pic.twitter.com/yt0UYuEogi
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/26/2018 to 11/02/2018
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…