The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on March 5, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 of February to 1 of March.
Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them
One of the first things I was told as a junior pentester was that writing a report is the most important part of a pentest. The reason is that even if you find the craziest vulnerabilities, they’ll bring no value to the customer if you can’t explain them clearly enough. Information like risks, impacts, how the bug works, and how to fix it must be crystal clear so that the client and developers know why they must fix the bug and how.
The good news is that writing good reports is not a magical art, it can be taught. This webcast by SANS has great tips on this topic. These are 10 mistakes to avoid and what to do instead. They apply whether you write your reports in english or any other language.
This is a must-read resource if want to improve the quality of your reports.
Typo in permission name allows to write contacts without user knowledge on Mail.ru ($150)
I’ve never encountered this vulnerability type, so I thought it was very interesting. It is basically an Android app vulnerable to permission hijacking (the same idea behind link hijacking or subdomain takeover).
The app declares in its Manifest file the permission
write_contacts. Then it defines a provider that gives access to the app’s contacts database. The problem is that the provider definition uses the permission
write which is not defined anywhere (instead of
So another malicious app could define this permission, using the same name and hence have access to the content provider. It could write contacts and users wouldn’t see anywhere that the malicious app has this permission.
Wow, this is a pretty impressive collection on WAFs that @0xInfection open sourced this week. It contains:
Also, the author recommends to keep an eye on it as he plans to update it regularly.
This isn’t a new tool, it’s 2-year old. But I’ve just discovered it thanks to the tutorial above and it is the pentest reporting tool that I’ve been looking for.
It is a web app that you can self host and has great features: You can add applications (targets), multiple tests per application, vulnerabilities from custom defined vulnerability types, and a lot more (user roles, admin, exporting reports in PDF…).
Truth be told, I haven’t tested it yet, but judging from the documentation and screenshots this is the most customizable and professional pentest reporting tool I’ve seen. And if it’s still missing something you need, you can add it since it is open source.
This is an excellent introduction to XXE. It’s concise and contains most information you need to understand XXE and start hunting for it. The explanations include how XML works, what XXE is, the different types, how to detect it… It’s very understandable even for people not familiar with XML.
Also, I love this quote:
’s’ in ‘xml’ stands for ‘security’
Wait, there is no ’s’ in ‘xml’…! :D
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/22/2019 to 03/01/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…