The 5 Hacking NewsLetter 42

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 15 to 22 of February.

T5HN42.png

Our favorite 5 hacking items

1. Resource of the week

NetSPI SQL Injection Wiki

This is a great wiki on SQL injection for both beginners and advanced testers.

I’m always talking abount maintaining a personal knowledge base. If you need inspiration, this is a perfect example of one which is very well organized and includes most things you need to learn or remember for testing SQL injections:

  • Payloads for detection (by type of request)
  • How to identify the Database Management System in use
  • The different injection types and techniques including WAF evasion techniques
  • Payloads for different attack queries (for information gathering, OS commands execution, privilege escalation, etc)
More …

The Bug Hunter Podcast Ep. 1: Hacker mindset & Network pentest

the-bug-hunter-podcast-episode-1.png

Hi, I am so happy to finally launch this podcast. The idea behind it is to provide hackers with a unique mix of various topics: technical stuff like hacking Q&As and tool reviews, and non technical advice on productivity, personal growth…

You can listen to the first episode using the widget below or on https://anchor.fm/bughunter. I’m working on making it available on all major platforms like iTunes, Spotify, etc.

Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding all links or commands mentioned in the audio.

Transcript

More …

The 5 Hacking NewsLetter 41

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 08 of February to 15 of February.

T5HN41.png

Our favorite 5 hacking items

1. Tool of the week

Dnsgrep & Tutorial

This is a great new tool for quickly searching large DNS datasets like those from the Rapid7 Project Sonar.

It’s like grep except it can search dozens of gigabytes of data really fast.

You can either install it and use it locally, or use the online version. But the author said he will likely take down the online service in the future.

More …

The 5 Hacking NewsLetter 40

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 01 to 08 of February.

T5HN40.png

Our favorite 5 hacking items

1. Video of the week

A $7.500 BUG Bounty Bug explained, step by step. (BLIND XXE OOB over DNS)

Another great video by @stokfredrik! It’s a writeup for a blind XXE OOB over DNS using a PDF file upload.

Classic file upload payloads & attacks didn’t work, so the last thing that @stokfredrik tried was sneaking XML entities through PDF files. He was able to trigger a DNS request from the target server (using Burp Collaborator). He then escalated the attack over multiple stages until he got a full blind XXE.

This is pretty advanced stuff but every stage is detailed and well explained, including tools and references.

More …

The 5 Hacking NewsLetter 39

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 25 of January to 01 of February.

T5HN39.png

Our favorite 5 hacking items

1. Conference of the week

BSides Leeds 2019, especially:

I love these four talks. They’re respectively about:

  • Questions & tips from a bug bounty triager for both bug hunters & companies/triagers;
  • Advice for anyone looking for a pentester job from the CEO of a pentesting company;
  • Differences between bug bounty & pentesting;
  • Ideas from a pentester on how to integrate pentesting into the development process. Automating some tests helps detect vulnerabilities early in the development lifecycle.
More …