The 5 Hacking NewsLetter 22

Hey hackers! These are our favorite resources pertaining to pentesting and bug hunting for last week.

It covers the period from 28 of September to 05 of October.

T5HN22.png

Our favorite 5 hacking items

1. Resource of the week

Mobile Security Testing Guide (MSTG) v1.0.1 by OWASP

This is an awesome guide on mobile security testing! I’ve been reading through it because I’m preparing a training on Android hacking and it is very good quality information on hacking Android & iOS apps for both beginners and experienced testers.

2. Writeup of the week

Harvesting all private invites using leave program fast-tracked invitation and [email protected] email forwarding feature by japz

What an amazing finding! By chaining two features, it is possible to create a business logic bug that allows anyone to receive all private invites without any user interaction:

  • Sending an email to the [email protected] email in the program’s page automatically triggers h1’s system to send you an invite
  • Then leaving the private program triggers the system to send you fast-tracked invites in the next 24 hours

If you can only read one writeup this week, this is an excellent candidate for 2 reasons: It demonstrates real out-of-the-box thinking, and I love how the researcher politely questioned hackerone’s decision to close it as a duplicate and how @jobertabma took the time to explain their decision. So the bug went from dup to triaged with $2,500 and swag!

3. Tool of the week

Gurp by @joan_bono

This is a Golang command-line interface to Burp Suite’s REST API.

I haven’t yet played with Burp’s new REST API, because of so many projects lined up and things to learn. But it like the idea of using the API from a command line. Sometimes, many URLs or apps have similar endpoints. So I’d create scripts for some specific tests (to detect open redirects, bruteforce Basic authentication, etc), and run them against the list of targets. It could be done using the API directly, but I’m more comfortable with the CLI.

4. Conference of the week

DerbyCon 2018, especially:

There are so many interesting talks in Derbycon 2018! Some are technical, some fun, with a huge variety of topics (red teaming, pentesting, web apps security, mobile security, active directory hacking, buffer owerflows, physical security, social engineering…). I couldn’t list all talks I find interesting here as usual, so check the playlist. You will surely learn something!

5. Site of the week

Application Security Wiki by @exploitprotocol & @abhibundela

This is a new wiki which compiles resources on many subjects related to Web application security: books, vulnerable apps for training, recon, and tutorials, tools & writeups for each type of vulnerability…

I like going through this kind of sites because they gather a lot of information and good references in the same place, categorized by subject which saves a lot of time. It’s kind of what I do with this weekly newsletter but presented differently!

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Videos
Podcasts
Conferences
Slides only

Tutorials

Medium to advanced

Beginners corner

Tools

Misc. pentest & bug bounty resources

News

Challenges

  • XSS challenge:

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/28/2018 to 10/05/2018


Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments