Sponsored by

The 5 Hacking NewsLetter 34

Posted in Newsletter on January 1, 2019

The 5 Hacking NewsLetter 34

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 21 to 28 of December.

Also, I wish you and your family a very happy new year, full of bugs, bounties, fun, health & happiness!

Our favorite 5 hacking items

1. Tip of the week

I love the technical tricks for bug hunters that @intigriti shares on Twitter. I regularly add them to the tweets collection at the end of this newsletter.

But this trick in particular blew my mind! Here’s why: Have you ever tested a login or contact form, entered a valid email address, intercepted the request with Burp, then replaced the email with XSS/SQLi/SSTI/RCE detection payloads? This is a way to bypass client-side validation of the email field. So what do you do if you get an “invalid email” response from the server?

To me, its was the end of testing for input validation on that field because the check is done server-side.

But according to @securinti, you can smuggle any payload and trick the server into believing that it’s a valid email by putting the payload between round brackets: yourname@(${}<>'/"*-)domain.com or yourname(${}<>'/"*-)@domain.com.

Amazing, right? I can’t wait to re-test all forms in my bug bounty notes.

2. Writeup of the week

From Hunting for a Laptop to Hunting down Remote Code Execution

This is the writeup of a WebDAV RCE on Asus. It’s a simple but powerful vulnerability to test for if you see a 403 error page typical of Microsoft Server.

Anil Tom found one on http://stw.asus.com/ and tried to add the website as a new network location on his laptop, to see if WebDAV is enabled on the server.
It worked! So just by adding http://stw.asus.com/ as a network location, he was able to create new files on the server!

3. Resource of the week


More and more sites use the Content Security Policy especially those that have a bug bounty program. So this repo can come in very handy if you find an XSS and want to bypass CSP.

If you just want the list of payloads to bypass CSP for different sites (Google, Blogger, Uber, Yahoo, Alibaba…), check out the file Jsonp.txt.

Otherwise, you can get more information on CSP and JSONbee on the Bypassing CSP: Automated discovery of JSONP endpoints conference slides.

And you can play with csp_lab.php as a testbed to train for byassing CSP.

4. Tool of the week

PA Toolkit: Pentester Academy Wireshark Toolkit

I’ve always had trouble remembering the syntax of Wireshark filters, so this tool is a blessing.

It’s a collection of plugins that extend the functionality of Wireshark. They allow you to quickly get a list of all visited websites, downloaded files, POST/GET requests, list DNS servers, etc.

5. Tutorial of the week

How To Exploit PHP Remotely To Bypass Filters & WAF Rules

I love me some good WAF/filter bypass techniques! It’s what makes a difference between being stuck in front of a WAF and finding bugs that other hunters missed even in old programs.

This is a great tutorial on how to bypass different PHP filters like: /etc/passwd, the system() function or double & single quotes ( and ) being blocked. It’s worth reading & taking notes of tricks to test on your next bug hunt/pentest.

Other amazing things we stumbled upon this week



Conferences & Webcasts

Slides only

Upcoming webinars


Medium to advanced

Beginners corner


Challenge writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Notable: The markdown-based note-taking app that doesn’t suck
  • Adhrit: Open source Android APK reversing and analysis tool that can help security researchers and CTF enthusiasts alike. The tool is an effort to cut down on the amount of time spent on reversing and basic reconnaissance of Android applications.
  • Jsdir / Jspathextractor: Burp Suite extension that extracts hidden paths from js files and beautifies it
  • Ipify: Public API to get your public IP & geolocation data programmatically

More tools, if you have time

Misc. pentest & bug bounty resources




In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on

At least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.

It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/21/2018 to 12/28/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…