The 5 Hacking NewsLetter 18

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across over the last few days.

This issue covers the week from 24 to 31 of August.

Our favorite 5 hacking items

1. Guide of the week

The Complete Guide to CORS (In)Security by Bedefended

This is a comprehensive guide to CORS for security professionals. It’s the best document that I’ve seen on this subject, covering everything from an introduction to the basics of SOP (Same-Origin Policy) and CORS, to attacks and mitigations, with references to the existing research on this topic.

The 5 Hacking NewsLetter 17

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.

This issue covers the week from 17 to 24 of August.

Our favorite 5 hacking items

1. Tutorial of the week

How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)

This is a great tutorial on how to set up an automated subdomain takeover scanner “Franz-Rosén style”. The author uses subfinder to find subdomains and Subover to check for subdomain takeover, but you could easily modify the suggested Bash script to add other subdomain tools (like Amass or Massdns).

The 5 Hacking NewsLetter 16

Hey hackers! These are our favorite resources shared last week by hackers, pentesters, bug hunters and red teamers.

This issue covers the week from 10 to 17 of August.

Our favorite 5 hacking items

1. Tips/Video of the week

Burp Hacks for Bounty Hunters by James Kettle (@albinowax)

These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!

The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp Pro for years and wasn’t aware of many of these hacks.

The 5 Hacking NewsLetter 15

Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue covers the week from 03 to 10 of August.

Our favorite 5 hacking items

1. Writeup of the week

How I gained commit access to Homebrew in 30 minutes by Eric Holmes (@vesirin)

Eric was able to make an unauthorized commit to Homebrew’s GitHub repositories. It took 4 steps and less than 30 minutes:

  • He used Gitrob to automate the organization’s GitHub recon
  • He looked at previously disclosed issues on https://hackerone.com/Homebrew and found a Jenkins instance (intentionally) publicly exposed
  • Git authenticated push meant that credentials were stored somewhere…
  • The “Environment Variables” page exposed a valid GitHub API token