The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on December 18, 2018
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 07 to 14 of December.
This is a great resource to learn more on testing Android apps. A lot of interesting information can be gathered even if the talk itself isn’t available.
The presentation includes three parts:
Wow, this is one impressive finding! I think that most hunters would have stopped testing this vulnerable endpoint after it returned a 404 error. But not @honoki.
He changed the HTTP method from GET to a POST and the Content-Type to application/xml (instead of text/xml). Seeing that the server responded differently, he started submitting different kinds of XML POST data and analyzing the responses until he got a blind XXE that he elevated to a root-level file read access.
All this with no documentation whatsoever on the endpoint and from a 404 page. Again, impressive!
If you’ve ever wondered how complex XSS payloads are constructed, this challenge & tutorial are exactly what you need!
Start with the challenge then, if you couldn’t solve it, carefully read the tutorial. It breaks down how to detect the bug and construct a working payload step by step.
This is the tale of Israel Unit 8200, Israel’s equivalent of the NSA. No matter on which side you stand regarding the Palestine/Israel conflict, this is an amazingly entertaining and insightful story.
It explains why a relatively small country such as Israel is so good at cybersecurity, why so many successful startups emerge there, and why mandatory military service can be a good thing for both individuals and the country (if done right).
Also, the narrator is so talented. This particular episode is a must watch.
APIsecurity.io Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast
Apisecurity.io is one of the rare newsletters I follow regularly. It’s a weekly publication focused on news related to API security.
I highly recommend it whether you are a pentester, bug hunter or developer interested in security.
See more writeups on The list of bug bounty writeups.
Vulnerability reports can now be disclosed within a private program. “Within a program” means the report will only be disclosed to other hackers participating in the private program, and not the entire World
During the video, those URLs were visible in the address bar. It seemed that YouTube had run OCR (optical character recognition) across my entire video and decided to crawl the links within.
With respect to this API (ed Google+ API), apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/07/2018 to 12/14/2018
Have a nice week folks!
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…