The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on July 31, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from July 19 to 26.
This is an excellent tutorial on how to organize your pentest and bug bounty notes using a static website built with Markdown and MkDocs.
I know… SwiftnessX and many other options already exist for taking notes. Why this one too?
Well, it’s worth trying if you’re looking for a self-hosted solution, want to use or learn markdown, want to share your notes with the world or make your site private, want a lightweight web-based tool to access your notes from any device…
Pwning child company to get access to ParentCompany’s Slack Team
Going out of scope while pentesting or bug hunting is a big no-no. You could end up with legal issues or upsetting your client/target. But it is sometimes tolerated in bug bounty, when the bug is critical or when it impacts an in-scope target.
That’s what happened here: @Parth_Malhotra saw that he could sign up to his target’s Slack URL either with a @parentcompany.com or @childcompany.com email address.
He looked at childcompany.com and found a cPanel on it. So if he could find an RCE on this server, he would use cPanel to edit the server’s MX records and hijack emails sent to @childcompany.com.
Receiving these emails would allow him to access parentcompany.com’s Slack (the in-scope target).
This scenario is exactly what ended up happening. I love how @Parth_Malhotra went backwards from a desired goal (Slack) to the vulnerability he needed to reach it (RCE). This is way more impactful than if he had just been looking for a technical bug without thinking about business risk.
A BEAST and a POODLE celebrating SWEET32 (Free registration needed)
SSL/TLS vulnerabilities can be a headache when you’re writing a pentest report.
There are a lot of them: POODLE, BEAST, BREACH, CRIME, DROWN, FREAK, SWEET32, etc. Some of them are really critical, but others are complicated to exploit in real life. So which ones are real threats? Should you report them as low/high findings, or not report them at all…?
If you’re familiar with these questions, this webinar will help you have a better understanding of each vulnerability.
@nahamsec is now doing a live stream on Twitch every Sunday. They’re usually great for bug hunters or anyone interested in web app security testing.
This one shows Ben live hacking on Yahoo (with their permission). It’s a unique opportunity to see a bug hunter in action and learn things like: how he uses a VPS for recon automation, how he does recon in a structured way on a target that has thousands of subdomains, how he uses crt.sh and certspotter.com, etc.
Weird confession: I (really) hate Twitch! So I wait for the streams to become available on YouTube. But you don’t have to; here is Ben’s Twitch account.
Relationships between pentesters and developers can be tense for so many reasons: pentesters with a superior know-it-all attitude, developers who aren’t briefed on the purpose of the pentest and their role in it, developers who aren’t aware of security issues, or fear for their job…
If you’ve ever been in an opening/closing pentest meeting and felt such tensions, this article could help you understand the mindset of some developers. You’ll also get ideas on how to deal with each situation or objection you are facing.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/19/2019 to 07/26/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…