The 5 Hacking NewsLetter 20

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.

This issue covers the week from 14 to 21 of September.

Our favorite 5 hacking items

It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.

1. Tutorial of the week

Discovering GraphQL endpoints and SQLi vulnerabilities by @localh0t

I read more and more bug bounty writeups like this one or this one that mention misconfigured GraphQL endpoints and these bugs seem to pay really well.

GraphQL is an alternative to Web services like REST. This tutorial is a great introduction to understand their differences, how to find hidden GraphQL endpoints and exploit them to detect SQL injection.

The 5 Hacking NewsLetter 19

Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 31 of August to 14 of September.

Our favorite 5 hacking items

1. Tutorial of the week

A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)

There is so much to learn to become a successful pentester/bug hunter. I can’t remember which famous bug hunter once said that it used to take him 9 month to learn about a new vulnerability!

That’s why I love this kind of comprehensive guides. It goes from the basics as if you’ve never heard of AWS S3 to advanced concepts on their security and how to test them for misconfigurations.

The 5 Hacking NewsLetter 18

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across the last few days.

This issue covers the week from 24 to 31 of August.

Our favorite 5 hacking items

1. Guide of the week

The Complete Guide to CORS (In)Security by Bedefended

This is a comprehensive guide to CORS for security professionals. It’s the best document that I’ve seen on this subject, covering everything from an introduction to the basics of SOP (Same-Origin Policy) and CORS, to attacks and mitigations, with references to the existing research on this topic.

The 5 Hacking NewsLetter 17

Hey hackers! These are our favorite resources related to pentesting and bug hunters that we came across recently.

This issue covers the week from 17 to 24 of August.

Our favorite 5 hacking items

1. Tutorial of the week

How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)

This is a great tutorial on how to set up an automated subdomain takeover scanner “Franz-Rosén style”. The author uses subfinder to find subdomains and Subover to check for subdomain takeover, but you could easily modify the BASH script suggested to add other subdomain tools (like Amass or Massdns).

The 5 Hacking NewsLetter 16

Hey hackers! These are our favorite resources shared last week by hackers, pentesters, bug hunters and red teamers.

This issue covers the week from 10 to 17 of August.

Our favorite 5 hacking items

1. Tips/Video of the week

Burp Hacks for Bounty Hunters by James Kettle (@albinowax)

These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!

The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp pro for years and wasn’t aware of many of these hacks.