The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on December 5, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 to 29 of November.
SecTalks Live 2019 - The Changing Landscape of Web Tooling | Questions? !questions & @xyantix’s notes
This is recap by @codingo_ of the latest changes in open source Web security tooling. Categories discussed are scaling, directory brute forcing, XSS subdomain discovery, API keys and build logs, and cloud based services.
With the year ending, it is nice to stop and reflect on the state of our tools. Better ones with more features and attack techniques are released all the time. Following the trends is necessary to avoid using outdated tools.
Alternative title: How to go from beginner to RCE using basic automation.
If you feel that critical bugs and automation elude you, this is the writeup for you! It is very well written and present a step-by-step guide that you could follow for finding different types of bugs.
The common theme for these tools is automation.
Smuggler.py is for testing a list of URLs for HTTP request smuggling.
Corsy is a CORS misconfiguration scanner (with currently 10+ checks).
Jaeles is a framework in Go for building your own Web Application Scanner. I have not tested it yet, but it looks powerful and easy to use. You can add signatures for new tests and integrate it with Burp.
I’ve been on a quest for the perfect note-taking app for years. Some of the criteria I’m looking for are: Web Clipper, supports multiples OSes including Linux, mobile apps available, automatic synchronization and backups ideally with self-hosted server, markdown, and possibility to encrypt notes.
Evernote was good especially for its Web Clipper and mobile apps, but it does not have a Linux version.
Laverna was impractical and lacked basic features like searching inside notes.
SwiftnessX can be very useful for creating pentest templates, checklists and payload lists. But it does not have markdown and I found it not suitable for being used as a full knowledge base app. QOwnNotes was a good candidate that I used for months. But it had an annoying bug (cursor moving by itsef while I was writing notes).
So, when Alexandre Dulaunoy tweeted about Joplin, I instantly installed it. It has all the features I’m looking for, even a Web Clipper and mobile apps! I also like that you can change the layout (whether to display markdown text, rendered markdown, or both).
Only time will tell, but this looks like the perfect note-taking app for me!
Accelerate Your Career By Building FIVE Critical Professional Skills
Ted Demopoulos offers great advice in this webinar, for both people who want to become entrepreneurs or move up the corporate ladder.
You probably have already heard some of these things. But it is good to hear the reminder and detailed tips from someone who has 20+ years of experience as an independent consultant.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/22/2019 to 11/29/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…