Sponsored by

The 5 Hacking NewsLetter 80

Posted in Newsletter on November 19, 2019

The 5 Hacking NewsLetter 80

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 08 to 15 of November.

Our favorite 5 hacking items

1. Conference of the week


Finally, DEF CON 27 videos are released! There is no introduction needed, right?

I’m watching this first: “Owning The Clout Through Server Side Request Forgery” by @NahamSec & @daeken. What about you?

2. Resource of the week

JWT Attack Playbook (for methodical pentesting)

This is a wiki for the jwt_tool toolkit for testing JSON Web Tokens. I was surprised to see how detailed it is.

It explains everything from recognizing and reading JWTs, an attack methodology, how to test for known exploits, fuzzing, stealing JWTs by exploiting other vulnerabilities, and more. An excellent resource to get into hacking JWTs!

3. Challenge of the week

Leaky repo

This Github repository has many vulnerabilities. It is intended to be used as a target for benchmarking tools like github-dorks or truffleHog.

Personally, I also plan on using it as a challenge to practice finding secrets on Github.

4. Non technical item of the week

Tips for an Information Security Analyst/Pentester career - Ep. 78 - Nothing is impossible

This is @mattiacampagnan’s story on how he found a pentesting job. Basically, he created a blog and wrote dozens of articles related to penetration testing. This gave him some exposure. A company contacted him for an interview, he got a remote part-time position, did the work for 3 months, and finally it became a full-time position.

I loved reading this story because it is another reminder that there is no secret way to success. Do your work and find a way to differentiate yourself. Simple, but a lot of people do not want to hear that…

I personally can attest to the same thing: Maintaining a blog and being consistent opens up so many possibilities and professional options. If you are struggling to find work, you should really consider starting a blog, video course or Youtube channel. Anything that you put out there that shows technical abilities and professionalism will help you find employers or customers.

5. Tutorials of the week

These are two nice tutorials that go a bit further that most typical recon articles.

Apart from classic subdomain enumeration, they show how to programmatically fetch URLs with their status code & page title, and search results for keywords. This will certainly aid process data collected from large scope bug bounty programs (or pentest targets).

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


Misc. pentest & bug bounty resources




Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2019 to 11/15/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…