The 5 Hacking NewsLetter 49

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 05 to 12 of April.


Our favorite 5 hacking items

1. Article of the week

Better Exfiltration via HTML Injection, tl;dr by @fransrosen & sic (Sequential Import Chaining tool)

This is a great example of how far collaboration can go for bug hunters, how to do research and invent a new attack.

André Baptista and Cache-Money found an HTML injection with clickjacking as the worst-case scenario.

The bug wasn’t an XSS because the target used DOMPurify. But since DOMPurify allows style tags by default, @donutptr started looking for a way to exfiltrate sensitive data using just a style tag.

It’s similar to a CSS injection but the new attack has fewer prerequisites and works even though the target limits the payload’s size.

The whole writeup is excellent to learn about CSS injection, and the kind of creativity/perseverance that makes you go from HTML injection to a 5-digit bounty despite many technical obstacles.

2. Writeup of the week

Dell KACE K1000 Remote Code Execution - the Story of Bug K1-18652

This is a writeup of the bug that made @MrTuxracer winner of HackerOne’s H1-3120 event.

It’s an RCE on an in-scope Dropbox vendor. I find his process fascinating:

  • During recon, he found a Dell Kace interface
  • The same software is now distributed by “Quest Software Inc”
  • The version detected is old. Free trials are only available for the last version of the app
  • He tried to social engineer Quest to get a free trial of the same old version of the app that he found
  • He still played with the latest version even though it was completely different from what he saw on the server
  • He analyzed the app’s source code and found a comment referencing a path traversal
  • His code analysis showed that there was also an arbitrary command injection
  • The bugs are fixed in the app’s last version but they worked when he tried them on his target which wasn’t up-to-date

Social engineering to get a demo app and taking the time to install an app locally and review its source code… reminds me of this advice by @gwendallecoguic:

You just need to do what other people don’t, because they didn’t think about it or because they were lazy, success guarantee.

3. Tool of the week


I haven’t had the opportunity to test this tool, but I will definitely do it ASAP. It’s a Python script for mass feeding URLs to Burp Suite’s sitemap/target tab.

This can be handy to transition from automated recon (and enumeration of live domains) to manual testing with Burp.

4. Tutorial of the week

Linting For Bugs & Vulnerabilities

This is a nice introduction to static analysis of JavaScript code using ESLint with custom rules. It can help detect issues like DOM XSS.

You can also add rules to detect other vulnerabilities, and play with the OWASP Juice Shop to test them. I’d also combine such linting tools with manual analysis because many bugs won’t be found with automation.

5. Video of the week

How did Masato find the Google Search XSS?

This is a follow-up video to last week’s explanation of the mutation XSS found by @kinugawamasato on Google.

This time @LiveOverflow provides insight into how Masato found that XSS, and the kind of research he was involved in that allowed him to find it.

It’s really interesting for anyone who wants to get into Web security research, or understand what makes hackers like @albinowax, @sirdarckcat, @garethheyes or Mario Heiderich so good at research.

Other amazing things we stumbled upon this week



Webinars & Webcasts


Slides only


Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • Http-prompt: An interactive command-line HTTP client featuring autocomplete & syntax highlighting, built on HTTPie & prompt_toolkit
  • Git-Pwned: Wrapper around subfinder & git-dumper
  • Denumerator: Finds servers responding on port 80/HTTP
  • LFI-Enum: Scripts to exploit LFI & extract information from Linux servers
  • Dirble: Directory scanning & scraping tool in Rust, based on Dirb but faster
  • Domain-to-webapp: Web application Enumerator
  • EmailGen: Email Generation from Bing using LinkedIn Dorks
  • Adconnectdump: Dump Azure AD Connect credentials for Azure AD & Active Directory
  • PEPE (Post Exploitation Pastebin Emails) & Introduction: Collect information about email addresses from Pastebin for advanced credential stuffing
  • SharpExec & Introduction: Offensive security C# tool designed to aid with lateral movement

Misc. pentest & bug bounty resources




Bug bounty news



Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 04/05/2019 to 04/12/2019

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!
