The 5 Hacking NewsLetter 47

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 22 to 29 of March.


Our favorite 5 hacking items

1. Tip of the week

Bugbounty scope expanding

This paste presents a set of recon steps to expand your bug bounty scope. All of them are well known and documented in most articles on recon, except one which I haven’t seen anywhere before:

Once you have a first list of subdomains (using scraping or bruteforce), split them up to build a new list of subdomains to test for.

For example, let’s say you first found:


The new subdomains to try are:


It’s a simple idea but might allow you to find new “hidden” subdomains. It is very similar to what Altdns does, but I’m not sure splitting up subdomains like this is included in this tool.

2. Writeup of the week

IDOR on Yahoo ($5,000)

Wow, $5,000 for such a simple bug! But the difficulty was thinking about this test…

@JohnH4X00R saw a GET request to /ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items.

The part in bold was obviously encrypted and he had the feeling that it was his username. So, get this, he replaced it with his unencrypted username (/ws/v3/users/yahoo-username/items) and got a successful response containing his own notes.

Then, he replayed the same request and replaced his plain username with another account’s username, and also got a successful response with the other account’s notes.

This is a classic IDOR, but the genius of this bug was in completely bypassing encryption by replacing the encrypted string with its plain value.

3. Tool of the week

CommandoVM & Introduction

Finally a Windows-based distribution for pentesters! This is the equivalent of Kali Linux for Windows users. It includes many tools (more than 140) for all kinds of tests.

This will be handy if you prefer Windows or if, for some reason, you have to use Windows for a pentest. It happened to me on one or two missions: we had to use a Windows VPN client to remotely access the client’s internal network. And I didn’t have the time to install all tools and prepare a proper Windows attacking environment. This VM would have been really helpful!

4. Slides of the week

How to win big - Several Interesting Examples of Exploiting Financial & Gambling Apps

I would love to see the recording of this OWASP talk! But the slides by themselves are self-explanatory and provide some ideas for testing financial apps and games.

These are examples of how to abuse an app’s logic flow and play with parameters to bypass or manipulate payment, always win against a slot machine, etc.

5. Tutorial of the week

Abusing CORS (Improper Origin Validation)

This is an excellent tutorial if you want to learn about exploiting CORS.

Four pratical examples are given to understand what to do when access is granted to: any domain, the subdomain, the scheme, or when the “null” origin is used.

Also included are: external references, steps for exploiting each scenario, an exploitation payload, and how to set up a MiTM environment to exploit an unvalidated origin scheme.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

More tools, if you have time

Misc. pentest & bug bounty resources






Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/22/2019 to 03/29/2019

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…