The 5 Hacking NewsLetter 107
Posted in Newsletter on May 27, 2020
Posted in Newsletter on March 31, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 20 to 27 of March.
The first article shows a solution for testing Web apps that have a short session timeout and log you out everytime you trigger an exception, and that also require solving a captcha to log in. The captcha makes it complicated to use Burp macros, the traditional way of handling sessions. @dinosn’s method is to chain Burp with mitmproxy, another proxy that detects logouts and calls a custom script to run tesseract OCR and solve captchas.
I haven’t had the time to properly test this tool, but judging from its documentation, it offers very interesting functionality. It is a Burp extension that allows you to easily use external tools that were not designed for Burp. You can pipe requests and/or responses with Linux tools like diff, head, cut, grep…
This can be used to show each response’s hash as a comment, which helps detect different responses that have the same length but a different hash. You can also apply a regex to requests and responses and add a comment if a pattern was detected. Many other uses cases are explained in the documentation that I invite you to check out.
2019-12-11-Jan Masarik - Automating bug bounty + Opening ceremony, Slides, Master’s thesis & Bugshop
This is awesome work on bug bounty automation. @s14ve did a Master’s thesis on this topic and presents everything he came up with: Common bugs, existing tools for automation, and his own solution. This is in the form of a conference talk, slides, the thesis report, and the tool’s source code.
I’ve been intrigued by some of the paid/closed source tools he mentions, especially Bounty Machine. So, it is amazing to be able to play with this this free, open source, well documented alternative.
This is a crash course on Java for the purpose of writing Frida scripts. If you’ve tried using existing scripts and wondered how to modify them for you own needs, this will help you quickly understand the syntax and most of what you need to know.
The fist resource is a neat Web security course taught last quarter at Standford. It is comprehensive and up-to-date. In addition to videos, slides and external links, you’ll also find asssignements and an exam!
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/20/2020 to 03/27/2020.
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…