Sponsored by

The 5 Hacking NewsLetter 55

Posted in Newsletter on May 28, 2019

The 5 Hacking NewsLetter 55

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 17 to 24 of May.

Our favorite 5 hacking items

1. Article of the week

Turning your time into bugs — zseano’s thoughts

If you’re into bug bounty, and want to get into the right mindset for success, then you need to read this and apply it.

The advice given is common sense, but sometimes what we need to hear is exactly that.

I love this piece, especially these two reminders: What you can try is limitless. And focus on specific goals to avoid burnout.

2. Writeup of the week

Another LFI on Google ($13,337)

An LFI on a Google subdomain is an impressive finding. The most interesting parts of this writeup (the entire vulnerable paths) are sadly redacted, but here are 3 important lessons I got from it:

  • Do file/directory bruteforce even on redirection pages
  • Improving the wordlist & doing a second round can yield more new directories
  • Persist if a bug is rejected. And follow your gut: if an endpoint looks interesting, keep digging

Also, it’s good to know that @omespino used a combination of known wordlists (all.txt & SecLists) and custom ones (based on pattern matching and discovery).

3. Resource of the week

EdOverflow’s newsletter

A couple of weeks ago, when @EdOverflow announced he was starting a newsletter, I didn’t know what it would be about. But I knew for sure that it would be good, as is everything shared by Ed.

Now after two issues, I urge you to subscribe if you haven’t already. Each email is about a vulnerability class, with links to articles for digging deeper. This is a great opportunity to learn about lesser known bugs and dedicate some quality time to research them.

I can’t wait for more of these emails! Reading them is like the hacker version of reading a good magazine, sitting by the pool with mango juice and a good playlist. Fun times!

4. Tool of the week


Remember this recent article by @EdOverflow on extracting sensitive information from Travis CI? It voluntarily didn’t include the tools used to fetch build logs to avoid them causing any service disruptions.

So if you’ve been wondering how to automate the techniques explained in the article, TravisLeaks will be very helpful. It has room for improvement but is a good start. Use it responsibly and customize it starting with the wordlist.

5. Slides of the week

Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

These are slides by @fransrosen on live hacking (i.e. bug bounty live events), touching on many different topics: technical advice, methodology, recon, the genesis of live events, reporting, what to focus on, examples of bugs…

To give you a taste, here’s something to do when you’re blocked while doing file/directory bruteforce: Use VPN with switchable IP.

Need I say more? Stop everything and go check it out!

Other amazing things we stumbled upon this week




Slides only


Medium to advanced

Beginners corner


Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • Openinbrowser.py: Python script to open a list of URLs from a file in browser tabs, n tabs at a time
  • Tt-ext - Taint Testing Tool: Chrome extension to aid in finding DOMXSS by simple taint analysis of string values
  • To Fuzz a WebSocket: WebSocket Fuzzer in Python
  • Pown-cdb: Automate common Chrome Debug Protocol tasks to help debug web applications from the command-line and actively monitor and intercept HTTP requests and responses. As @hakluke said, “like Burp proxy but CLI”

More tools, if you have time

Misc. pentest & bug bounty resources




Bug bounty / Pentest news



Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/17/2019 to 05/24/2019

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…