The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on May 28, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from the 17th to the 24th of May.
If you’re into bug bounty, and want to get into the right mindset for success, then you need to read this and apply it.
The advice given is common sense, but sometimes what we need to hear is exactly that.
I love this piece, especially these two reminders: What you can try is limitless. And focus on specific goals to avoid burnout.
Another LFI on Google ($13,337)
An LFI on a Google subdomain is an impressive finding. The most interesting parts of this writeup (the entire vulnerable paths) are sadly redacted, but here are 3 important lessons I got from it:
Also, it’s good to know that @omespino used a combination of known wordlists (all.txt & SecLists) and custom ones (based on pattern matching and discovery).
A couple of weeks ago, when @EdOverflow announced he was starting a newsletter, I didn’t know what it would be about. But I knew for sure that it would be good, as is everything shared by Ed.
Now, after two issues, I urge you to subscribe if you haven’t already. Each email is about a vulnerability class, with links to articles for digging deeper. This is a great opportunity to learn about lesser-known bugs and dedicate some quality time to researching them.
I can’t wait for more of these emails! Reading them is like the hacker version of reading a good magazine, sitting by the pool with mango juice and a good playlist. Fun times!
Remember this recent article by @EdOverflow on extracting sensitive information from Travis CI? It deliberately didn’t include the tools used to fetch build logs, to avoid them causing any service disruptions.
So if you’ve been wondering how to automate the techniques explained in the article, TravisLeaks will be very helpful. It has room for improvement but is a good start. Use it responsibly and customize it starting with the wordlist.
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
These are slides by @fransrosen on live hacking (i.e. bug bounty live events), touching on many different topics: technical advice, methodology, recon, the genesis of live events, reporting, what to focus on, examples of bugs…
To give you a taste, here’s something to do when you’re blocked while doing file/directory bruteforce: Use VPN with switchable IP.
Need I say more? Stop everything and go check it out!
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/17/2019 to 05/24/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…