The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on November 6, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 25 October to 1 November.
This podcast is A-M-A-Z-I-N-G! It makes you feel like you’re at a live hacking event, sitting with two seasoned bug hunters discussing all kinds of subjects. Topics range from how to pronounce CSRF and how @stokfredrik overcame depression to his race conditions research, and more.
This is perfect for when you want to listen to something relaxing but still informational and related to bug bounties. Best enjoyed with a nice cup of coffee, hygge style!
This is some cool research on hop-by-hop headers. These are headers that are used by proxies and not forwarded to the end server.
@nj_dav discovered a way to abuse them and basically remove other request headers. This can have unexpected results such as authentication bypass, cache-poisoning DoS, etc.
The premise is simple to understand, but it would be interesting to practice this attack and take the research further by testing on common WAFs.
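To make the defensive side of this concrete, here is an added example (not code from the newsletter or from the linked research) of how a reverse proxy can handle hop-by-hop headers without letting a client dictate which headers get stripped. It assumes RFC 7230 semantics, where the Connection field names per-hop headers an intermediary must remove before forwarding; the set of protected header names, the sample request and the function names are assumptions made for this example.

```python
"""Defender-side handling of hop-by-hop headers at a reverse proxy.

Added example, not code from the newsletter or the linked research.
Assumption: RFC 7230 lets the Connection field list extra headers that an
intermediary must drop before forwarding. The proxy below honours that rule
but refuses to drop headers the backend relies on, and exposes a check that
flags requests whose Connection field names unusual headers.
"""

# Headers RFC 7230 treats as hop-by-hop regardless of the Connection field.
STANDARD_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Connection tokens that are normal to see from a client.
EXPECTED_TOKENS = {"close", "keep-alive", "upgrade"}

# Headers the backend uses for authentication or routing decisions.
# Assumed names for this example: a client must not be able to make the
# proxy drop them by listing them in Connection.
PROTECTED = {"authorization", "cookie", "x-forwarded-for", "x-real-ip", "host"}


def connection_tokens(headers):
    """Return the lower-cased, comma-separated tokens of all Connection fields."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if tok:
                    tokens.add(tok)
    return tokens


def forward_headers(headers):
    """Build the header list to send upstream.

    Returns (forwarded, dropped, suspicious):
      forwarded  - list of (name, value) pairs that go to the backend
      dropped    - sorted names removed as hop-by-hop
      suspicious - sorted Connection tokens naming protected headers
                   (those headers are kept, and the event should be logged)
    """
    tokens = connection_tokens(headers)
    to_drop = STANDARD_HOP_BY_HOP | (tokens - PROTECTED)
    suspicious = sorted(tokens & PROTECTED)
    forwarded, dropped = [], []
    for name, value in headers:
        if name.lower() in to_drop:
            dropped.append(name.lower())
        else:
            forwarded.append((name, value))
    return forwarded, sorted(set(dropped)), suspicious


def anomalous_connection_tokens(headers):
    """Detection helper: Connection tokens outside the normal client vocabulary.

    Useful as a log/alert signal at the edge even when nothing is dropped.
    """
    return connection_tokens(headers) - EXPECTED_TOKENS - STANDARD_HOP_BY_HOP


# Constructed sample request: the client lists Authorization and
# X-Forwarded-For in Connection, hoping the proxy strips them on the way in.
SAMPLE_REQUEST = [
    ("Host", "api.example.test"),
    ("Connection", "close, Authorization, X-Forwarded-For, X-Debug"),
    ("Authorization", "Bearer <constructed-token>"),
    ("X-Forwarded-For", "203.0.113.10"),
    ("X-Debug", "1"),
    ("Keep-Alive", "timeout=5"),
]

if __name__ == "__main__":
    fwd, dropped, suspicious = forward_headers(SAMPLE_REQUEST)
    print("forwarded:", [n for n, _ in fwd])
    print("dropped:", dropped)
    print("kept despite Connection listing (log this):", suspicious)
    print("anomalous tokens:", sorted(anomalous_connection_tokens(SAMPLE_REQUEST)))
```

On the sample request the proxy still drops the genuine hop-by-hop fields (Connection, Keep-Alive) and the harmless client-named X-Debug, but keeps Authorization and X-Forwarded-For and reports them as suspicious, which is the point: the decision about which security-relevant headers survive the hop belongs to the proxy configuration, not to the request.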
What do you do when doing blackbox web testing that may be obvious to you but not so obvious to other people?
This is an excellent question asked by @nnwakelam. Doing “not so obvious” tests is the best way to differentiate yourself and avoid duplicates.
The thread includes some very interesting responses, for instance: “Continuously scanning for surface will net you more $$$ in the long run. Looking at an asset once defeats the purpose of a BB, it might as well be a pen test at that point”.
It’s good to know all these strategies, and to test them, especially if you are stuck in the dup zone.
Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com W/ @Securinti
@securinti is best known for his crazy logic bugs. Since he is killing it at live hacking events and mostly shares unique, creative bugs, it is interesting to get to know his mindset and approach. A recommended watch!
Wow, there are way too many interesting talks to list and comment on them all here!
Let’s just say that Global AppSec and SAINTCON both offer a lot of talks on a large variety of topics, and many of them are really captivating.
Security@ has two panels I find interesting for bug hunters: one with bug bounty millionaires @nnwakelam, @thedawgyg and @santi_lopezz99, and another on hacking the talent gap with @d0nut and @yaworsk.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2019 to 11/01/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…