Hi, this is the second edition of The 5 Hacking NewsLetter. It’s a few days late but better late than never, right?
Grab a nice cup of coffee (or herbal tea if you’re an old soul like me) and enjoy!
Also, don’t forget to subscribe if you prefer receiving this on your inbox.
1. Tool of the week
This is a great tool that I’ve just added to my testing arsenal. It gets subdomains of an HTTPS website in a few seconds by abusing certificate transparency logs.
For quick reference, here’s how to install and use it:
git clone https://github.com/UnaPibaGeek/ctfr.git cd ctfr/ pip install -r requirements.txt python ctfr.py -h # Show help python ctfr.py -d example.com # Get subdomains of HTTPS website
2. Tweet of the week
This is one of the best definitions of hacking I’ve ever heard! It rings especially true on days I am doing pentest challenges (when I known for a fact that there is a vulnerability but can’t find it for hours).
3. Webcast that taught me a lot of testing tips
I think this webcast could be very helpful if you’re a pentester or bug bounty hunter. It offers many tips, some of which I haven’t been using and will help improve my recon process.
4. Bug bounty write-up of the week
$18,337 for a stored XSS and a SSRF on Google! I love this insight on where and what to test in order to find such vulnerabilities on highly tested targets like Google.
- The Dataset Publishing Language tool generates a zip file. It was downloaded, unzipped, modified to add the payload, then zipped again and uploaded.
5. Another web app security podcast & Youtube channel I like
Although started recently, this podcast / Youtube channel looks very promising. They tackle different security topics with a focus on Web app security.
See you next time!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…