Hey hackers! This is our latest selection of resources for pentesters and bug hunters. It covers the week from 21 to 28 September.
Our favorite 5 hacking items
1. Tips of the week
5 Tips Bug Bounty Programs Want You to Know About by @d0nutptr
Lately on Twitter, there has been a lot of controversy/noise/discontentment around bug bounty platforms, particularly HackerOne. Personally, I believe that the best way to succeed and be happy at work in general is to have a flawless attitude, give constructive criticism, then, if you’re really not happy with your work environment, move on to another one.
In this same spirit, this blog post offers practical information that can help you improve your bug hunting experience. It's a must read.
More …
Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.
This issue covers the week from 14 to 21 September.
Our favorite 5 hacking items
It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.
1. Tutorial of the week
Discovering GraphQL endpoints and SQLi vulnerabilities by @localh0t
I read more and more bug bounty writeups, like this one or this one, that mention misconfigured GraphQL endpoints, and these bugs seem to pay really well.
GraphQL is an alternative to REST-style web APIs. This tutorial is a great introduction to how the two differ, how to find hidden GraphQL endpoints, and how to probe the queries they expose for SQL injection.
More …
Hey hackers! These are our latest favorite resources related to pentest & bug bounty.
This issue exceptionally covers two weeks, from 31 August to 14 September.
Our favorite 5 hacking items
1. Tutorial of the week
A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)
There is so much to learn to become a successful pentester/bug hunter. I can't remember which famous bug hunter once said that it used to take him nine months to learn about a new vulnerability!
That's why I love this kind of comprehensive guide. It starts from the basics, assuming you have never heard of AWS S3, and goes on to advanced concepts about bucket security and how to test buckets for misconfigurations.
More …
Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across the last few days.
This issue covers the week from 24 to 31 August.
Our favorite 5 hacking items
1. Guide of the week
The Complete Guide to CORS (In)Security by Bedefended
This is a comprehensive guide to CORS for security professionals. It’s the best document that I’ve seen on this subject, covering everything from an introduction to the basics of SOP (Same-Origin Policy) and CORS, to attacks and mitigations, with references to the existing research on this topic.
More …
Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.
This issue covers the week from 17 to 24 August.
Our favorite 5 hacking items
1. Tutorial of the week
How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)
This is a great tutorial on how to set up an automated subdomain takeover scanner "Frans Rosén style". The author uses subfinder to find subdomains and SubOver to check them for takeover, but you could easily modify the suggested Bash script to add other subdomain enumeration tools (like Amass or MassDNS).
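As an added example (not hakluke's script, and not code from the linked tutorial), here is a minimal Bash version of that pipeline. It assumes subfinder and SubOver are installed and on PATH, and that a file such as roots.txt (hypothetical name) lists one apex domain per line. The normalization and scope-filtering steps are plain text processing, so they can be checked without the tools; the scope filter is a caveat worth keeping in any automated scanner, since enumeration sources occasionally return hosts outside the domains you were asked to test.

```shell
#!/usr/bin/env bash
# Added example, not hakluke's script or the tutorial's code.
# Assumes subfinder and SubOver are installed and on PATH.
set -eu

# Normalize enumerator output read from stdin: lowercase, strip wildcard
# prefixes and trailing dots, drop blank lines, dedupe. Pure text processing,
# so it can be exercised without the external tools.
normalize_subdomains() {
    tr 'A-Z' 'a-z' \
        | sed -e 's/^\*\.//' -e 's/\.$//' \
        | grep -v '^$' \
        | sort -u
}

# Keep only candidates that equal, or sit under, one of the roots we were
# asked to scan, so a stray result from a data source cannot pull an
# out-of-scope host into the takeover check. $1 = roots file, stdin = hosts.
in_scope() {
    local roots="$1"
    while IFS= read -r host; do
        while IFS= read -r root; do
            [ -n "$root" ] || continue
            case "$host" in
                "$root"|*."$root") printf '%s\n' "$host"; break ;;
            esac
        done < "$roots"
    done
}

# Enumerate subdomains for every root in $1 with subfinder and write the
# normalized, in-scope list to $2.
enumerate() {
    local roots="$1" out="$2"
    : > "$out"
    while IFS= read -r root; do
        [ -n "$root" ] || continue
        subfinder -d "$root" -silent >> "$out" \
            || echo "subfinder failed for $root" >&2
    done < "$roots"
    normalize_subdomains < "$out" | in_scope "$roots" > "$out.tmp"
    mv "$out.tmp" "$out"
}

main() {
    local roots="$1"
    for tool in subfinder SubOver; do
        command -v "$tool" > /dev/null \
            || { echo "missing $tool on PATH" >&2; return 1; }
    done
    enumerate "$roots" subdomains.txt
    echo "checking $(wc -l < subdomains.txt) hosts for takeover" >&2
    # SubOver reads the candidate list with -l and reports dangling CNAMEs
    # that point at services it knows how to fingerprint.
    SubOver -l subdomains.txt
}

# Usage: ./takeover_scan.sh roots.txt (one apex domain per line). Without an
# argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Swapping in Amass or MassDNS is a matter of appending another enumerator's output to the same file inside `enumerate`; the normalization step handles the case and wildcard differences between tools before the list reaches SubOver. Run it from cron and diff `subdomains.txt` against the previous run to get the "new subdomain appeared" signal the tutorial is after.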
More …