The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on February 5, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 25 of January to 01 of February.
BSides Leeds 2019, especially:
I love these four talks. They’re respectively about:
This is a great writeup on a simple bug sthat affects some misconfigured Jira instances.
When a new dashboard or shared filters are being set up, they can become inadvertently accessible without authentication if permissions are set to “everyone”. You can test, for instance, if the status endpoint is accessible by trying
/status/, then if it doesn’t work try
What I love about this writeup is how @ErayMitrani explains two fundamentals processes for bug hunters:
SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3, Part 2 & Part 1
This is a great series of blog posts on SSRF. It’s very practical and explains the types of SSRF bugs, how to exploit them, how to bypass filters, and example of vulnerable sites.
FIY, some of the vulnerable sites were found with Shodan. These bugs were probably not disclosed to the sites’ owners which I think is illegal. So please do not exploit them.
DOM XSS can be harder to detect and exploit than traditional XSS. This is because everything happens client-side. The payload isn’t sent to the server and reflected back in the response. So the best way to detect them is reviewing code and most tools aren’t that good at it (at least not as good as manual code analysis).
This challenge can help you understand sources and sinks usually involved in the exploitation of DOM XSS bugs. There are 10 exercises with the vulnerable code highlighted.
A lot of hackers suffer from imposter syndrome, me included. I think it’s because the more we learn, the more we know we don’t know. We also have to be both versatile and specialists, which is hard because infosec/hacking has so many different vast subcategories.
If you get imposter syndrome too, then I recommend this article. It offers advice and practical tips to manage it and don’t let it hold you back.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/25/2019 to 02/01/2019
Have a nice week folks!
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…