The 5 Hacking NewsLetter 8

Hey hackers! As usual, this is a collection of our favorite resources for penetration testers and bug bounty hunters. It covers the week from to the 8th to the 15th of June.

There’s a lot to read, so grab a nice plate of watermelon (yeah, it’s summer baby!) and good reading!

T5HN8.png

Our favorite 5 hacking items

1. Tutorial of the week

Should this be public though? by Rojan Rijal

This tutorial presents great OSINT techniques for finding sensitive information leaked by employees.
A tool, LeakFinder, is also provided to automate the process. The author used it successfully on 2 bug bounty programs but the reports have not yet been disclosed.

2. Writeup of the week

How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL by Darrell Damstedt

This is a great writeup about finding an XXE using Burp Collaborator.
If you read only one writeup this week, it should be this one: it’s well written, references good articles, presents a detailed methodology and a high impact vulnerability.

3. Conference of the week

Amongst the several security conference videos that were released lately, I particularly enjoyed watching Frans Rosén’s talk at Security Fest. He explains how he found many critical vulnerabilities and the tricks he used to win $45,000 in bug bounties.

4. Tool of the week

Archaeologit by Peter Jaric

Archaeologit scans the history of a user’s GitHub repositories for a given pattern to find sensitive things. So it can be useful for finding sensitive information from target companies while pentesting and bug bounty hunting.

5. Non technical item of the week

The Never Ending Hack: Mental Health in InfoSec Community by Danny Akacki

This is a good talk about depression and mental illness by a hacker. It might help if you suffer from this kind of issues.
Also, if you are a remote worker in InfoSec, you might want to read this article from Danny Akacki too: Working from home is great, ‘till it ain’t.. No-one is immune to depression!

Other amazing things we stumbled upon this week

Videos & Podcasts

Tutorials

Writeups

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

Tools

Misc. pentest & bug bounty resources

Challenges & Training

Non technical

Tweets

WHAAAAAAAAAAT?! More than a million dollars!







More tweets (Tips)

















More (fun) tweets


This one reminds me of my years as a security auditor, we were always asked to look for the root cause!



See you next time!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments