Sponsored by

The 5 Hacking NewsLetter 32

Posted in Newsletter on December 18, 2018

The 5 Hacking NewsLetter 32

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 07 to 14 of December.

Our favorite 5 hacking items

1. Slides of the week

Hidden Gems in APKs

This is a great resource to learn more on testing Android apps. A lot of interesting information can be gathered even if the talk itself isn’t available.

The presentation includes three parts:

  1. How to analyze an APK and where to find vulnerable code
  2. Two cases studies with many examples of vulnerabilities found on real apps, plus other random findings
  3. Tools used: scanapk, kpa_esrever and kpa_esrever (couldn’t find them anywhere)

2. Writeup of the week

XXE on private program

Wow, this is one impressive finding! I think that most hunters would have stopped testing this vulnerable endpoint after it returned a 404 error. But not @honoki.

He changed the HTTP method from GET to a POST and the Content-Type to application/xml (instead of text/xml). Seeing that the server responded differently, he started submitting different kinds of XML POST data and analyzing the responses until he got a blind XXE that he elevated to a root-level file read access.

All this with no documentation whatsoever on the endpoint and from a 404 page. Again, impressive!

3. Challenge & Tutorial of the week

XSS challenge & Advanced JavaScript Injections (solution)

If you’ve ever wondered how complex XSS payloads are constructed, this challenge & tutorial are exactly what you need!

Start with the challenge then, if you couldn’t solve it, carefully read the tutorial. It breaks down how to detect the bug and construct a working payload step by step.

4. Non technical item of the week

Darknet Diaries Ep 28: Unit 8200

This is the tale of Israel Unit 8200, Israel’s equivalent of the NSA. No matter on which side you stand regarding the Palestine/Israel conflict, this is an amazingly entertaining and insightful story.

It explains why a relatively small country such as Israel is so good at cybersecurity, why so many successful startups emerge there, and why mandatory military service can be a good thing for both individuals and the country (if done right).

Also, the narrator is so talented. This particular episode is a must watch.

5. Resource of the week

APIsecurity.io Issue 10: Unprotected Docker and Ethereum APIs, McAfee 2019 forecast

Apisecurity.io is one of the rare newsletters I follow regularly. It’s a weekly publication focused on news related to API security.

I highly recommend it whether you are a pentester, bug hunter or developer interested in security.

Other amazing things we stumbled upon this week



Conference slides


Medium to advanced

Beginners corner


Challenge writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Exon/slackapi.py: Python script for extracting stuff from Slack using a leaked xoxp token
  • AWSSigner: Burp Extension for AWS Signing
  • Regex-Filter: Regex Filter on urls and files. Script for using gitleaks’s custom regex to scan both for github or anywhere(web or local)

More tools, if you have time

  • Dawnscanner: a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
  • Cameradar: hacks its way into RTSP videosurveillance cameras
  • DevAudit: Open-source, cross-platform, multi-purpose security auditing tool
  • htrace.sh: Simple shell script for debugging http/https connection tracing, response headers and mixed-content. Scanning domain using Nmap NSE Library. Support external security tools: testssl.sh, Mozilla Observatory and SSL Labs API
  • Pentest tools presented at Black Hat Europe 2018 Arsenal:
    • Kube-hunter: Pentest Platform for Kubernetes Environments
    • Astra: Automated Security Testing For REST API’s
    • DeepExploit: Fully automatic penetration test tool using Machine Learning
    • OWASP Nettacker: Automated Penetration Testing Framework
    • XSSER: From XSS to RCE

Misc. pentest & bug bounty resources




Vulnerability reports can now be disclosed within a private program. “Within a program” means the report will only be disclosed to other hackers participating in the private program, and not the entire World

During the video, those URLs were visible in the address bar. It seemed that YouTube had run OCR (optical character recognition) across my entire video and decided to crawl the links within.

With respect to this API (ed Google+ API), apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.

As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password.

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/07/2018 to 12/14/2018

Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…