Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 1 to 8 March.
Our favorite 5 hacking items
Rescope & Introduction
Wow, I love this tool! Have you ever experienced the discomfort of adding tens of targets one by one, or of playing with regexes to configure your Burp scope? If yes, worry no more!
It is now possible to copy a bug bounty program’s scope from their page, paste it to a .txt file, and convert it to Burp scope using one command.
Rescope takes as input a file containing your target domains, subdomains, IPs, wildcard subdomains, etc., and outputs a JSON file that you can import into Burp to automagically configure your scope. In one shot, and no regex required.
Here’s an example input file:
In Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)
Out of Scope:
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9
It can contain any text and descriptions; the tool extracts targets wherever they are. The only thing to remember is to put !EXCLUDE before listing your exclusions, because by default all targets found are considered included.
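As an added illustration (this is not Rescope's own code), here is a small Python parser for the kind of free-text scope file shown above: it pulls hosts, wildcard hosts and IPv4 addresses (expanding a last-octet range such as 192.168.0.1-2) out of any text, switches to exclusions at !EXCLUDE, and emits anchored host regexes in the layout of Burp's project-options JSON. The sample input is constructed, and the exact JSON key set is an assumption to compare against a scope exported from your own Burp.

```python
import json
import re
# Constructed sample in the free-text format described above (not a real program's scope).
SAMPLE_SCOPE = """In Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9
"""
HOST_RE = re.compile(r"(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}))?")  # a.b.c.d or a.b.c.x-y

def host_part(token):
    """Strip scheme, path, port and surrounding punctuation from one whitespace-separated token."""
    token = re.sub(r"^[a-z]+://", "", token, flags=re.I)
    return token.split("/", 1)[0].split(":", 1)[0].strip("(),")

def extract_targets(text):
    """Return (include, exclude): every target is included until a line reading !EXCLUDE."""
    include, exclude = [], []
    current = include
    for line in text.splitlines():
        if line.strip() == "!EXCLUDE":
            current = exclude
            continue
        for token in line.split():
            host = host_part(token)
            if m := IP_RE.fullmatch(host):  # expand a last-octet range into single IPs
                prefix, first = m.group(1).rsplit(".", 1)
                last = m.group(2) or first
                current.extend(f"{prefix}.{n}" for n in range(int(first), int(last) + 1))
            elif HOST_RE.fullmatch(host):
                current.append(host.lower())
    return include, exclude

def host_regex(host):  # Burp takes an anchored host regex; a '*.' wildcard becomes '.*\.'
    return ("^.*\\." + re.escape(host[2:]) if host.startswith("*.") else "^" + re.escape(host)) + "$"

def to_burp_scope(include, exclude):
    """Assumed layout of Burp's project-options JSON ({"target": {"scope": ...}})."""
    entry = lambda h: {"enabled": True, "protocol": "any", "host": host_regex(h)}
    return {"target": {"scope": {"advanced_mode": True, "include": list(map(entry, include)),
                                 "exclude": list(map(entry, exclude))}}}

if __name__ == "__main__":
    print(json.dumps(to_burp_scope(*extract_targets(SAMPLE_SCOPE)), indent=2))
```

Pipe the output to a file and load it through Burp's project options import; anything the heuristics missed shows up as an absent entry in the Target scope tab rather than a silent false include.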
More …

Hi, here’s a new episode of the Bug Hunter podcast!
You can now listen to it using the widget below or on the following platforms: Apple podcasts/iTunes, Google Podcasts, Anchor, Spotify, Breaker, Pocket Casts, Overcast and RadioPublic.
If your favorite podcasting app is missing from this list, please let me know so I can add it.
Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding any links or commands mentioned in the audio.
More …
Hi, these are the notes I took while watching the “API Security 101” talk given by Andy Sadako on LevelUp 0x03 / 2019.

Links
About
This talk covers the basics of API security testing for hackers.
More …
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 February to 1 March.
Our favorite 5 hacking items
1. Webcast of the week
Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them
One of the first things I was told as a junior pentester was that writing a report is the most important part of a pentest. The reason is that even if you find the craziest vulnerabilities, they’ll bring no value to the customer if you can’t explain them clearly enough. Information like risks, impacts, how the bug works, and how to fix it must be crystal clear so that the client and developers know why they must fix the bug and how.
The good news is that writing good reports is not a magical art; it can be taught. This webcast by SANS has great tips on this topic: it lists 10 mistakes to avoid and what to do instead. They apply whether you write your reports in English or any other language.
This is a must-read resource if you want to improve the quality of your reports.
More …

Hi, here’s a new episode of the Bug Hunter podcast!
You can now listen to it using the widget below or on the following platforms: Google Podcasts, Anchor, Spotify, Breaker, Pocket Casts and RadioPublic.
Apple podcasts (iTunes) is in the works. And if your favorite podcasting app is missing from this list, please let me know so I can add it.
Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding all links or commands mentioned in the audio.
More …