Sponsored by

The 5 Hacking NewsLetter 78

Posted in Newsletter on November 6, 2019

The 5 Hacking NewsLetter 78

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 25 of October to 01 of November.

Our favorite 5 hacking items

1. Podcast of the week

The Bug Bounty Podcast - Episode #1 - STÖK

This podcast is A-M-A-Z-I-N-G! It makes you feel like you’re at a live hacking event, sitting with two seasoned bug hunters discussing all kinds of subjects. It goes from how to pronounce CSRF, how @stokfredrik overcame depression, to his race conditions research, etc.

This is perfect for when you want to listen to something relaxing but still informational and related to bug bounties. To accompany with a nice cup of coffee, hygge style!

2. Writeup of the week

Abusing HTTP hop-by-hop request headers

This is some cool research on hop-by-hop headers. These are headers that are used by proxies and not forwarded to the end server.

@nj_dav discovered a way to abuse them and basically remove other request headers. This can have unexpected results like authentication bypass, Cache poisoning DoS, etc.

The premise is simple to understand, but it would be interesting to practice this attack and take the research further by testing on common WAFs.

3. Tips of the week

What do you do when doing blackbox web testing that may be obvious to you but not so obvious to other people?

This is an excellent question asked by @nnwakelam. Doing “not so obvious” tests is the best way to differentiate yourself and avoid duplicates.

The thread includes some very interesting responses, for instance: “Continuously scanning for surface will net you more $$$ in the long run. Looking at an asset once defeats the purpose of a BB, it might as well be a pen test at that point”.

It’s good to know all these strategies, and test them especially if stuck in dup’zone.

4. Video of the week

Live Bug Bounty Recon Session on Verizon Media’s Yahoo.com W/ @Securinti

@securinti is most known for his crazy logic bugs. Since he is killing it at live hacking events, and mostly shares unique creative bugs, it is interesting to get to know his mindset and approach. A recommended watch!

5. Conferences of the week

Global AppSec Amsterdam 2019 SAINTCON 2019 Security@ 2019

Wow, there are way too many interesting talks to list them and comment them all here!

Let’s just say that Global AppSec and SAINTCON both offer a lot of talks on a large variety of topics, and many of them are really captivating.

Security@ has two panels I find interesting for bug hunters: one with bug bounty millionaires @nnwakelam, @thedawgyg and @santi_lopezz99. And another one on hacking the talent gap with @d0nut and @yaworsk.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • BugReplay: Browser extension to record bugs with network traffic and JS console (commercial tool)
  • XORpass: Encoder to bypass WAF filters using XOR operations
  • Femida: Burp extension for automated blind-xss testing (both passive & active)
  • UhOh365: A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is useful for social engineering assessments to find which emails exist and which don’t. See Reddit discussion on the weakness exploited by this tool

More tools, if you have time

Misc. pentest & bug bounty resources




Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2019 to 11/01/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…