The 5 Hacking NewsLetter 107
Posted in Newsletter on May 27, 2020
Posted in Newsletter on February 25, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 14 to 21 of February.
Low Competition Bug Hunting (What to Learn) - ft. #AndroidHackingMonth
If you are discouraged by bug bounty and think all the bugs are gone, watch this. @InsiderPhD gives an awesome explanation of why it is not true, and what you need to do to start finding bugs.
I love her way of thinking. She deconstruct the question into several chunks and tackles one after the other: Which targets/industry to choose? Which assets and bugs to focus on? Which techniques to learn? How to interpret and use bug bounty statistics?
The first writeup is an excellent breakdown of common vulnerabilities of XML and ZIP parsers. @spaceraccoonsec was able to find an XXE and RCE via ZIP path traversal.
Mastering classic techniques can be as lucrative as monitoring and testing for new ones, which is what @parzel2 did. He got an impressive bounty by reporting CVE-2020-0618 on Tesla only 1 day after it was published! I am amazed at his monitoring and historic data management that probably allowed for this speed. But I’m also surprised that the bug was accepted since some programs do not reward for CVEs discovered too recently.
This episode goes over what happened during the Iowa-Coalfire pentesters debacle.
This is a must for anyone who loves pentest stories, Darknet Diaries, and was concerned over this shocking incident.
This Burp extension automatically highlights or add a comment to requests based on user-defined rules.
Use cases suggested are interesting. The tool allows you to highlight specific status codes, differentiate user sessions for authentication and authorization testing, hide requests with specific HTTP methods (e.g. CORS preflight OPTIONS requests), facilitate SOAP services tests by adding comments, and highlight requests containing sensitive information.
Do you know the common point between learning German, crochet world records, knitting, hedge fund management, reading challenges, skydiving, and losing weight by hiking? Stephen Duneier did all that and much much more just by making marginal adjustments to his daily routine.
It is amazing to see these concrete examples of making really ambitious goals and breaking them down into manageable decisions. By making one small good choice after another, the unattainable becomes easily reachable.
I think this is the best approach and mindset whether you’re struggling with bug bounties, some complex hacking techniques, time management, weight loss or anything.
yarn installvia symlinks and tar transforms inside a crafted malicious package
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/14/2020 to 02/21/2020.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…