The 5 Hacking NewsLetter 89

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 10 to 17 of January.

T5HN89.png

Our favorite 5 hacking items

1. Webinar of the week

SEC642: Killing snakes for fun, Flask SSTIs and RCEs in Python (Free registration required)

This is an excellent course on SSTIs with a focus on Python frameworks.

I love that it does not only explain how SSTIs work and how to escalate them to RCE, but it also mentions a lot of background information to understand the big picture: Why Python frameworks were created, how they work, the history of Python and Flask, etc.

2. Writeup of the week

Advisory | Seagate Central Storage Remote Code Execution 0day

This is a nice example of RCE found using security code review with a bottom-up approach. It also shows how to reverse and analyze the firmware of a NAS.

Both RCE and code review can be intimidating. But the way everything is broken in this writeup makes them seem easy to follow even for beginners.

3. Challenge of the week

SKF labs

There is a plethora of XSS challenges but labs for GraphQL bugs, JWT, SSRF, SSTI, lack of rate limiting, etc, are rarer. So, these labs are perfect if you want to play with these vulnerabilities and many others. The best part is that detailed walkthroughs are provided for each bug.

4. Video of the week

Finding Your First Bug: Finding Bugs Using APIs

As always, a great tutorial video by @InsiderPhD! I think this is the best introduction to APIs I’ve ever seen. It covers everything you need to start exploiting them ASAP: What APIs are, how to find and enumerate them, types of APIs (REST, SOAP, GraphQL), what is JSON, what bugs to look for, how to take notes, etc.

5. Tutorial of the week

Intruder and CSRF-protected form, without macros

Did you know that macros are not the only way to deal with CSRF tokens in Burp?

@Agarri_FR shows in great detail how to use Intruder Pitchfork to mimick manually replacing the CSRF token with the latest value sent by the server, and the advantages over macros.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • xpasn: Expands an autonomous system (AS) number into prefixes or individual host IP addresses
  • Velocity: DNS caching library for Python. Helps speed up network connections (applies to everything from sockets to HTTP requests)
  • SWFPFinder: SWF Potential Parameters Finder
  • GDA-android-reversing-Tool & Wiki: GDA is a new decompiler written entirely in c++, so it does not rely on the Java platform, which is succinct, portable and fast, and supports APK, DEX, ODEX, oat.

More tools, if you have time

Misc. pentest & bug bounty resources

Challenges

Articles

Unusual Patch Tuesday

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/10/2020 to 01/17/2020.


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments