The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on November 29, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 15 to 22 of November.
Rewarded with $xxxx for an issue which could have allowed me an access to stag & prod server. Sub-domain scan -> dir fuzz -> found a publicly exposed git -> extracted all committers email -> found one email in pw dump -> used it to log into git instance -> got creds for servers
I’ve never thought of this, but it is a great idea for exploiting exposed .git folders: In addition to extracting source code, you can also extract committer emails and search for them on password dumps. I’d also search for them on Google, Github, etc. Good idea for recon/OSINT!
CORS misconfiguration allows to steal customers data (on LocalTapiola) ($2,100)
The most interesting part of this writeup is the Proof of Concept. It shows how to exploit a CORS misconfiguration to exfiltrate user data. The code can help if you’re working on a CORS PoC and want to show real impact.
This is yet another awesome script by @gwendallecoguic. It returns expiration date of hosts, which is useful for detecting subdomain takeovers.
A good idea would be to run with a cron job and add Slack/email alerts to get notified as soon as a domain expires.
If you like bug bounty and jokes, this Twitter hashtag is a treat. Some are so bad, they’re good…
Analyzing DNS TXT Records to Fingerprint Online Service Providers
This tutorial shows how to automatically analyze and extract information from DNS TXT records used to verify domain ownership.
Tokens used within DNS TXT records allow for fingerprinting the service provider associated with the domain (e.g. Microsoft, Google, Citrix, Atlassian…). This is useful for pentesters as it is a different way for identifying technologies used.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/15/2019 to 11/22/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…