The 5 Hacking NewsLetter 96

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 28 of February to 06 of March.

T5HN96.png

Our favorite 5 hacking items

1. Tools of the week

Pulsar is described as a Network footprint scanner platform. I didn’t get to test it yet, but it looks promising. It is a wrapper around many recon tools, automates many recon features like subdomain enumeration, cloud resources discovery and basic vulnerability scanning. You can run custom checks periodically, and results are presented in a very cool dashboard.

FUSE and its accompanying research paper are also worth checking out. It helped discover 30 file upload vulnerabilities in 23 Web apps!

2. Writeup of the week

Facebook OAuth Framework Vulnerability ($55,000)

@AmolBaikar challenged himself to find a vulnerability in Facebook’s “Login with Facebook” feature. And boy, did he deliver! He found a postMessage flaw that could allow anyone to steal user access tokens for vulnerable apps using Facebook’s OAuth flow.

The bounty is of course impressive. But there is also the fact that this bug has been there for years (maybe up to 10!), on one of the most hardened targets.

3. Podcast of the week

Darknet Diaries EP 60: dawgyg

@thedawgyg made several appearances in the media recently. But I’ve never heard his full story before. Who better than Darknet Diaries to recap his adventures from chat rooms, black hat days, to prison then full-time bug hunting. Brace yourself for interesting hacker tales!

4. Non technical item of the week

Technical Writing Courses

Writing is a skill every one of us needs to be working on. Being able to convey ideas in a professional, concise and clear way can make all the difference in the world when you are writing blog posts or bug bounty/pentest reports. I would even argue that writing is the biggest hurdle most hackers face, especially those of us who are not native English speakers.

This course is a fantastic resource for improving technical writing skills. It is the same one Google engineers take! I am definitely going to dedicate time for this.

5. Video of the week

Going from a Full-Stack Developer to $1M Hacker: @inhibitor181 Talks About Recon, Hacking and More!

Yep, another interview! This week’s hacking motivation comes from @inhibitor181. @NahamSec asks him a bunch of interesting questions like how he got started, how he went from informative bugs to earning his living with full-time bug hunting, dealing with imposter syndrome, etc. Lots of fun, as always!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • Reports: Templating script @Rhynorater uses to generate bug bounty reports
  • Cnames: Take a list of resolved subdomains and output any corresponding CNAMES en masse
  • h2i: Converts a hostname (or URI) to IP address using your local resolver
  • Fufluns: Easy to use APK/IPA Mobile App Inspector (experimental)
  • ArchiveFuzz: Hunt down the secrets from the WebArchives for Fun and Profit
  • Common Password Permutations: A script to produce a word list based on mangling a single word for password-guessing tests
  • Common-substr: Go script to extract the most common substrings from an input text. Built for password cracking
  • As3nt: Another Subdomain ENumeration Tool
  • AutomatedHunter: Google Chrome Extension that automates testing GET parameters for LFI, RFI, SQLi and Open redirect
  • PowerExfil: A collection of data exfiltration scripts for Red Team assessments
  • Abaddon: Wavestone’s red team operations management software

Misc. pentest & bug bounty resources

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Clearview

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/28/2020 to 03/06/2020.


Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments