The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on December 24, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 13 to 20 of December.
These are excellent tutorials to learn about:
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty ($40,000)
I have a bad memory of buffer overflows from my university days. But this writeup describes a type of overflows that is relatively easy to understand and exploit remotely on Web apps.
@samwcyo was trying to re-register existing usernames. He tried adding special characters (like null byte, CRLF characters, spaces, Unicode…) hoping that they would be removed during the registration process.
The vulnerability is that each null byte inserted was replaced with random data, e.g.:
So, injecting multiple null bytes (
victim%00%00%[email protected]) made the server return chunks of memory that contained very sensitive data (SSH keys, passwords, usernames, etc).
Finding Your First Bug: Getting Started on a Target (Part 1) & Part 2
@InsiderPhD continues to delight us with new video tutorials on “Finding your first bug”. This series is excellent for anyone starting out in bug bounties or who wants to get into Web app penetration testing.
A lot of things are covered from creating your own testing methodology to recon, note taking, what to look for, etc.
This is for firefox users, especially those of us who always have 20+ tabs open. The 9 features mentioned include synchronization between devices, sending tabs to another device, muting tabs, etc.
I find this very helpful for organizing tabs (and reducing anxiety).
Two cool Python tools to help with recon automation. Silver by @s0md3v is a wrapper around Masscan, Nmap and Vulners. Flumberbuckets by @fellchase is for S3 bucket hunting.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/13/2019 to 12/20/2019.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…