
The 5 Hacking NewsLetter 90

Posted in Newsletter on January 28, 2020


Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 17 to 24 of January.

Our favorite 5 hacking items

1. Conference of the week

Frans Rosén Keynote at BSides Ahmedabad

This is a talk I’ve been impatiently waiting for since it was announced. @fransrosen shares his methodology for breaking Web apps/APIs by using fuzzing and information disclosure.

He uses an imaginary app to show practical examples of building custom API wordlists, finding hidden endpoints, etc. An absolute must-watch if you’ve ever come across tips on Web app fuzzing and did not know how to apply them in practice.

2. Writeup of the week

A Less Known Attack Vector, Second Order IDOR Attacks

This writeup shows two instances where an app seemed safe but was actually vulnerable to IDOR.

In one case, trying to access another account’s info returned an error but the information was displayed in a different location.

The second example seems weird. It involves many steps, so I am not going to try to sum it up in a sentence. But it is definitely something I will start testing for.

3. Video of the week

@Jhaddix Talks About Defcon, Burp Suite, Hacking, Bug Bounties and How He Does Recon!

This is a cool interview with @Jhaddix. Watch if you want to know how he increased his bug bounty payouts and how he deals with companies that silently fix bugs as soon as they detect that he found them. He transformed an N/A report into a 15K bounty using reporting wizardry 😱

4. Tools of the week

Sourcemapper is a Bash script that reconstructs JavaScript from a sourcemap. It is a reliable and fast way to retrieve JS files for further analysis (using tools like LinkFinder).

The recon pipeline is an awesome example of recon automation using Python. The tutorials are fantastic for anyone who wants not only a recon tool but, more importantly, to learn how to build their own.

5. Resources of the week

These are cool examples of leveraging Markdown to save recon results in a Git repository and to create a testing checklist (in any Markdown note-taking app like Joplin).

It seems so obvious now, but when I started using Markdown, I did not think that it could help with these two situations. In both cases, Markdown allows you to take notes that are easy to back up and are displayed in a human-friendly format.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • ccrawlen: Python script that uses the CommonCrawl dataset API (petabytes of data!) to extract subdomains and crawl the data to get interesting endpoints and JS files
  • Top-Port-Slicer: Python script to give you subsets of the nmap “top-ports”. For example, I want the 10th to 100th most common TCP ports. Spits out a comma-separated list you can copy into the -p argument for nmap or masscan
  • Playwright: Node library to automate Chromium, Firefox and WebKit browsers
  • Rusty Hogs: A suite of secret scanners built in Rust for performance. Based on TruffleHog (https://github.com/dxa4481/truffleHog), which is written in Python

More tools, if you have time

  • Scanner/PoC for CVE-2020-0609 & CVE-2020-0610 (BlueGate): by @MalwareTechBlog & by @ollypwn
  • Naabu: A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
  • Peirates: Kubernetes penetration testing tool
  • S3 Bucket Scraper: A tool for scraping S3 buckets on AWS
  • Blinder: A Python library to automate time-based blind SQL injection
  • Pullit: Find leaked credentials on GitHub
  • ApplicationInspector: A source code analyzer by Microsoft for almost any modern language
  • Satellite & Introduction: A Payload and Proxy Service for Red Team Operations
  • SharpCookieMonster & Introduction: C# tool that dumps cookies from Chrome for all sites, even those with httpOnly/secure/session flags
  • Pcapinator: A tool for processing a lot of pcaps using tshark
  • TAS: Framework for easily manipulating the tty and creating fake binaries. Useful as a post-exploitation technique to perform privilege escalation and information gathering
  • Grouper2: Find vulnerabilities in AD Group Policy
  • Red_Team: Some scripts useful for red team activities
  • Zipper: A CobaltStrike file and folder compression utility

Misc. pentest & bug bounty resources

Articles & Papers

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/17/2020 to 01/24/2020.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…