The 5 Hacking NewsLetter 26

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 26 of October to 02 of November.


OMG, this is a spooky one! The story of a whitehat hacker (maybe) wrongfully convicted, CIA agents killed because of Google dorking, researchers theorizing about human memory hacking… Plus the quantity of items listed this time!

There were so many good things shared that I could hardly choose, so this newsletter is even longer than usual. But of course, you don’t have to consume everything if you’re short on time. Just start with whatever interests you most, as many different topics are covered.

Enjoy and you can share feedback, suggestions, questions, likes… whatever you feel like.

Our favorite 5 hacking items

1. Tutorial of the week

How to perform the static analysis of website source code with the browser — the beginner’s bug bounty hunters guide

If you can only check one item from this newsletter, this is it! Reading and analyzing HTML & JavaScript code when testing web applications is a must. But it can be difficult for non-developers, especially because the best bugs are generally found manually.

This guide explains everything: the tools you need, what to look for and where, how to use a JS debugger, etc.

So if you’ve been wondering how to get better at bug bounties, drop everything and read this.
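The kind of pass the guide describes, reading a site's JavaScript for endpoints and credential-looking variables, as an added example (this is not code from the guide or from any tool it mentions). The sample script, the regexes and the function names are constructed for illustration; in a browser you would feed the functions the text of each loaded script (for example, fetch(script.src) for each entry in document.scripts) instead of the embedded sample.

```javascript
// Added example, not code from the guide: a small static pass over JavaScript
// source text that pulls out what a bug hunter reads the source for, candidate
// endpoints and identifiers whose names suggest credentials. SAMPLE_JS below is
// constructed; in a browser, feed the functions the text of each loaded script:
//   for (const s of document.scripts) fetch(s.src).then(r => r.text()).then(analyze)

// Quoted string literals that look like URLs or absolute paths.
const ENDPOINT_RE = /(["'`])((?:https?:\/\/|\/)[^"'`\s]+)\1/g;
// Static assets are noise for endpoint discovery.
const STATIC_EXT = /\.(png|jpe?g|gif|svg|css|woff2?|ttf|ico|map)$/i;
// Identifiers with credential-ish names that are assigned or used as object keys.
const SENSITIVE_RE = /\b([A-Za-z_$][\w$]*(?:key|token|secret|passw(?:or)?d)[\w$]*)\s*[=:]/gi;

// Unique, sorted endpoint candidates, with static assets filtered out.
function extractEndpoints(source) {
  const found = new Set();
  for (const m of source.matchAll(ENDPOINT_RE)) {
    const candidate = m[2];
    if (STATIC_EXT.test(candidate.split('?')[0])) continue;
    found.add(candidate);
  }
  return [...found].sort();
}

// Unique, sorted identifiers worth a closer look in the debugger.
function findSensitiveNames(source) {
  const found = new Set();
  for (const m of source.matchAll(SENSITIVE_RE)) found.add(m[1]);
  return [...found].sort();
}

function analyze(source) {
  return {
    endpoints: extractEndpoints(source),
    sensitiveNames: findSensitiveNames(source),
  };
}

// Constructed sample, standing in for a site's bundled JavaScript.
const SAMPLE_JS = `
  var API = "/api/v2";
  const apiKey = document.head.dataset.key;
  fetch(API + "/users/me", { headers: { "X-Api-Key": apiKey } });
  $.post('/admin/export?format=csv', payload);
  var legacy = "https://legacy.example.com/internal/debug";
  window.debugToken = "dev-only";
  img.src = "/static/logo.png";
`;

console.log(analyze(SAMPLE_JS));
```

The endpoint regex only sees string literals, so paths built by concatenation show up as their pieces (here "/api/v2" and "/users/me" separately); that is exactly where the guide's advice to step through the code in the JS debugger takes over from grepping.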

2. Video of the week

HOW FRCKN’ HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

This is an amazing explanation of uXSS and how URLs work. Here are my takeaways, but I highly encourage you to still watch the video because it has many more interesting details:

  • If a browser fails to enforce the Same Origin Policy (SOP), any malicious site can steal data from any other site you are logged into
  • uXSS (universal XSS) is an XSS caused by a browser weakness rather than by a bug in the target site; it bypasses the SOP
  • Example of uXSS in Chrome on iOS:
    • Run this code on your site https://web-safety.net/: history.replaceState('', '', '..;@www.google.com:%3443/')
    • The URL will be replaced with https://web-safety.net/..;@www.google.com:%3443/
    • Because of an error in URL parsing, this fools the browser into thinking you’re on www.google.com
    • So JavaScript running on your site is treated as if it were running on www.google.com, bypassing the SOP
    • $7,500 bounty paid by Google even though it’s an Apple bug!
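The parsing point above, as an added example that is not code from the video or from Chromium/WebKit: the WHATWG URL parser built into Node and browsers is run next to a deliberately naive host extractor, to show how an "@" placed in the path can be mistaken for the userinfo separator of the authority. The naive parser is a constructed illustration of the bug class, not the code behind CVE-2018-6128; the history.replaceState call from the video needs a browser, so the block only reproduces the URL resolution and parsing in Node.

```javascript
// Added example, not code from the video or from any browser. Contrasts a
// spec-compliant URL parse with a deliberately naive one. naiveHost() is a
// constructed illustration of the bug class, not the actual CVE-2018-6128 code.

const PAGE = 'https://web-safety.net/';
const RELATIVE = '..;@www.google.com:%3443/'; // argument to history.replaceState in the video

// What the address bar ends up holding: the relative URL resolved against the page.
function resolveAgainstPage(relative, base = PAGE) {
  return new URL(relative, base).href;
}

// Spec-compliant host: the authority ends at the first "/" after "//",
// so everything from "/..;@" onwards is path, not host.
function specHost(urlString) {
  return new URL(urlString).host;
}

// Deliberately naive host extraction: scan the whole string for the last "@"
// and treat what follows as the authority. Works for real userinfo
// ("https://user:pw@example.com/") but is fooled by an "@" in the path.
function naiveHost(urlString) {
  const afterScheme = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const at = afterScheme.lastIndexOf('@');
  const authority = at === -1 ? afterScheme : afterScheme.slice(at + 1);
  return authority.split(/[/:?#]/)[0];
}

// A document may only read another document's data when their origins match.
// A browser that derived the origin from something like naiveHost() would grant
// web-safety.net the privileges of www.google.com.
function originConfusion(urlString) {
  const spec = specHost(urlString);
  const naive = naiveHost(urlString);
  return { spec, naive, confused: spec !== naive };
}

const spoofed = resolveAgainstPage(RELATIVE);
console.log(spoofed);
console.log(originConfusion(spoofed));
```

The "%3443" at the end decodes to "443", which is why the naive view looks like the default HTTPS port of www.google.com rather than an arbitrary path; the spec-compliant parse never reaches a port at all because the host ended at "web-safety.net".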

3. Writeup of the week

2FA bypass on HackerOne

It wasn’t easy to select a single writeup this week. Many are impressive either for the technique and/or the bounty. You’ll find them all listed below.

As THE writeup of the week, I chose this one because it shows that the most dangerous/impressive bugs are not always the most complicated. Sometimes, some observation and thinking are enough (and pay well, $10,000 exactly). But maybe THIS is the difficulty…

Anyway, it’s a 2FA bypass: The “Submit Report” button requires 2FA. But a URL mentioned in the program’s policy page didn’t. That’s it!
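The bug class behind this writeup, modelled as an added example (not HackerOne's code, and the route paths, session fields and status codes are hypothetical): a sensitive action reachable through two paths, with the 2FA step-up enforced inside one route handler instead of on the action itself, next to the hardened shape where the router enforces the requirement for every path that reaches the action.

```javascript
// Added example, not HackerOne's code. Models the bug class in the writeup:
// the 2FA check lives in one route handler, and a second route to the same
// action was wired up without it. All paths, fields and codes are hypothetical.

const STEP_UP_REQUIRED = 403; // hypothetical outcome for "complete 2FA first"

// Simulated session: password login done; twoFactorVerified says whether the
// user also completed the 2FA step-up in this session.
function session(twoFactorVerified) {
  return { userId: 42, twoFactorVerified };
}

function submitReport(req) {
  return { status: 200, body: `report created for user ${req.session.userId}` };
}

// Vulnerable: each handler decides on its own whether to check 2FA.
// The main path remembers; the other path (think of a link on a program's
// policy page) reaches the same action without the check.
function vulnerableRouter(req) {
  const routes = {
    '/reports/new': (r) =>
      r.session.twoFactorVerified
        ? submitReport(r)
        : { status: STEP_UP_REQUIRED, body: '2FA required' },
    '/r/new': (r) => submitReport(r), // forgot the check
  };
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404, body: 'not found' };
}

// Hardened: the requirement is attached to the action, and the router enforces
// it before dispatching, so every path that reaches the action inherits it.
const actions = {
  submitReport: { handler: submitReport, requiresTwoFactor: true },
};
const routeTable = {
  '/reports/new': 'submitReport',
  '/r/new': 'submitReport',
};

function hardenedRouter(req) {
  const name = routeTable[req.path];
  if (!name) return { status: 404, body: 'not found' };
  const action = actions[name];
  if (action.requiresTwoFactor && !req.session.twoFactorVerified) {
    return { status: STEP_UP_REQUIRED, body: '2FA required' };
  }
  return action.handler(req);
}

// What the hunter did, mechanised: try every known path to the action with a
// session that has not done 2FA, and list the ones that go through.
function pathsBypassingTwoFactor(router, paths) {
  return paths.filter((p) => router({ path: p, session: session(false) }).status === 200);
}

console.log('vulnerable:', pathsBypassingTwoFactor(vulnerableRouter, Object.keys(routeTable)));
console.log('hardened:  ', pathsBypassingTwoFactor(hardenedRouter, Object.keys(routeTable)));
```

The same enumeration is the practical check: collect every path that ends up at the sensitive action (links in policy pages, old URLs, API aliases, mobile endpoints) and replay each one with a session that has authenticated but not completed the step-up.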

4. Challenge of the week

Typhoon Vulnerable VM & Practical White hat hacker training material

This is an intentionally vulnerable VM to train for many types of tests: network and web app security testing, password cracking, privilege escalation attacks, post exploitation, information gathering and DNS attacks.

There are already dozens of such VMs out there, but what distinguishes this one is the accompanying training material. It’s very good, especially for those learning the ropes of penetration testing.

5. Resource of the week

Weakpass

Password brute forcing is one of my weaknesses. I never seem to have the right password list whether on real engagements or CTFs!

So I was glad to find this site. It compiles many password lists from different sources: for different languages, with different sizes, real passwords from data breaches, passwords based on dates or names… To be used for cracking passwords, hashes, WPA2 connections, etc.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conference slides

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

News

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/26/2018 to 11/02/2018


Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…
