The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on April 9, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 29 of March to 05 of April.
The Web Security Acedemy is a new online training on Web security. What’s great about it that it’s free, and it’s from PortSwigger the company behind Burp Suite and The Daily Swig. Also, Dafydd Stuttard who is part of the team that created it, is the author of The Web Application Hacker’s Handbook.
All this to say that it is high quality like everything that the company produces.
There are only 4 modules for now: SQL injection, XSS, OS command injection and Directory traversal. Each one includes theory, resources and practical labs, plus related stories from The Daily Swig at the end of the page.
More vulnerabilities and labs will be added in the next months.
Handlebars template injection and RCE in a Shopify app & HackerOne report ($10,000)
This is an awesome writeup! What I love about it most us that @Zombiehelp54 initially reported a “possible template injection”. He wasn’t sure it was exploitable or even valid, and just explained the app’s behaviour that led him to think it was vulnerable.
Then he kept trying and ~2 months later, he was able to identify the template used (handlebars) and escalate to a full SSTI/RCE.
So this is an excellent example of perseverence, a well-written report, escalating from an “almost bug” to RCE, and how to exploit an SSTI on an initially unknown template engine.
If you have tried automating your recon, you might have noticed that some interesting platform identification tools like Wappalyzer and BuiltWith have expensive APIs. There are many free alternatives like Webtech or Whatweb, but I like using different tools and combining their results to avoid erroneous results.
So Webanalyze is a good addition to my workflow. It’s a port of Wappalyzer in Go. It doesn’t require any API key because it uses the apps.json from the Wappalyzer project, which contains signatures to identify technologies.
Here are example outputs:
Bringing Cybersecurity into Academia: We Talk with Patrik Hudak
I’m a huge fan of Patrick Hudak’s blog https://0xpatrik.com/. His articles on subdomain takeover, recon and OSINT are so detailed and well-written, they’re like mini e-books!
So it was interesting to learn more about him through this interview. His work on subdomain takeovers and subdomain enumeration was actually part of his master thesis.
I really want to read that now, as not all theses are as practical and financially rewarding!
This might give you ideas if you’re a student.
This is a mindblowing video writeup of an XSS on Google Search. The vulnerable parameter (
q) and URL (
https://www.google.de/search?q=vuln) are used by millions of people. It was vulnerable for almost 5 months until @kinugawamasato found the bug!
This shows that there are always bugs even in the most tested and secure apps.
Also, the video is full of interesting information on:
<template>has JS disabled. And the browser parses
<noscript>differently if JS is enabled or disabled.
onerror=debugger;. It triggers a breakpoint in the JS debugger when the XSS is executed.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/29/2019 to 04/05/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…