The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on June 4, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from May 24 to May 31.
Keye is a really useful recon tool. It’s the first one I’ve come across that allows hackers to easily monitor changes in URLs.
It’s written in Python with SQLite3 integrated. You give it a list of URLs and run it periodically (using cron, for example). It then requests the URLs and detects changes based on the responses’ Content-Length. You can also receive Slack notifications when changes are detected.
This is a great writeup on file upload vulnerabilities. The author breaks down how he found a stored XSS through file upload.
I love the way he explains what he did step by step, from detecting which extensions are allowed and which filters are in place, to bypassing them and executing an XSS. A worthy read!
This is an excellent resource if you want to build a pentest lab.
It’s 453 slides detailing everything: which OS/VMs you need to install (including Kali, Metasploitable 2, Firewall with pfSense, SIEM with Splunk…), how to do it, how to automate OS updates, intro to virtualization, which software you need on each OS (Linux, OS X & Windows) and much more.
I wish I had this when I had just started out. Such a time saver!
Automating the Recon Process by armaan pathan null Ahmedabad Meet 26 May 2019 Monthly Meet & Slides
Armaan (@armaancrockroax) got $21,000 from bug bounty last month. So when he talks about automation, I’m all ears!
In this talk, he shows how he:
This is a short, sweet and very practical talk. Code snippets are also provided (check out the slides).
This is an awesome resource for junior penetration testers (and students who want to become professional pentesters). It provides a pentest report template and goes through each page and detail to explain the reasoning behind it.
Of course, this is not meant to be copied and used as is… Every company uses custom report templates for a reason: they tend to evolve mission after mission, following client feedback and any new ideas that you have.
But this template is an excellent basis. It contains all the important sections and information you want to convey to clients.
Logic flaw on HackerOne ($500)
IDOR on Microsoft ($500)
Weak encryption on Facebook ($12,500)
CSRF / Account takeover ($750)
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/24/2019 to 05/31/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…