The 5 Hacking NewsLetter 84

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 06 to 13 of December.

T5HN84.png

Our favorite 5 hacking items

1. Tutorial of the week

Quality of Life Tips and Tricks - Burp Suite

These tips are very helpful for improving your Burp experience. Some are old news but I’m discovering others for the first time:

  • How to reduce the size of Burp projects for long term storage (Burp project hoarders, hello!)
  • How to leverage Match and Replace for simplifying the use of complex or long test username/passwords (Simple yet genius! Useful especially with mobile tests)
  • How to rearrange Burp Repeater request and response tabs (So useful for taking screenshots for reports!)
More …

The 5 Hacking NewsLetter 83

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 29 of November to 06 of December.

T5HN83.png

Our favorite 5 hacking items

1. Tutorial of the week

Exploiting XSS with 20 characters limitation

This tutorial solves a specific problem: bypassing character limitation to exploit XSS. To do that, the idea is to load a remote JavaScript file hosted on a very short domain.

What I love about this tutorial is that it goes further than theory: in practice most short domains are taken or very expensive. Using Unicode, it is possible to redirect to domains like ℡㏛.pw (5 characters) which expands to telsr.pw (8 characters). Two excellent resources for working with Unicode are also shared.

More …

The 5 Hacking NewsLetter 82

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 22 to 29 of November.

T5HN82.png

Our favorite 5 hacking items

1. Conference of the week

SecTalks Live 2019 - The Changing Landscape of Web Tooling | Questions? !questions & @xyantix’s notes

This is recap by @codingo_ of the latest changes in open source Web security tooling. Categories discussed are scaling, directory brute forcing, XSS subdomain discovery, API keys and build logs, and cloud based services.

With the year ending, it is nice to stop and reflect on the state of our tools. Better ones with more features and attack techniques are released all the time. Following the trends is necessary to avoid using outdated tools.

More …

The 5 Hacking NewsLetter 81

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 15 to 22 of November.

T5HN81.png

Our favorite 5 hacking items

1. Tip of the week

Rewarded with $xxxx for an issue which could have allowed me an access to stag & prod server. Sub-domain scan -> dir fuzz -> found a publicly exposed git -> extracted all committers email -> found one email in pw dump -> used it to log into git instance -> got creds for servers

I’ve never thought of this, but it is a great idea for exploiting exposed .git folders: In addition to extracting source code, you can also extract committer emails and search for them on password dumps. I’d also search for them on Google, Github, etc. Good idea for recon/OSINT!

More …

The 5 Hacking NewsLetter 80

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 08 to 15 of November.

T5HN80.png

Our favorite 5 hacking items

1. Conference of the week

DEF CON 27

Finally, DEF CON 27 videos are released! There is no introduction needed, right?

I’m watching this first: “Owning The Clout Through Server Side Request Forgery” by @NahamSec & @daeken. What about you?

More …