The 5 Hacking NewsLetter 45

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from the 8th to the 15th of March.


Our favorite 5 hacking items

1. Conference of the week

OWASP AppSec California 2019, especially:

OWASP AppSec conferences are great for anyone interested in (both offensive and defensive) Web app security. This one is particularly good, as you can judge from the list of talks above that I’m planning to watch!

Some of the topics addressed are: extracting endpoints from JS files, FaaS & GraphQL security, Web Caching vulnerabilities, scaling visual identification for bug hunters, new features in ZAP, interesting OWASP tools for white box pentesting…

The only thing missing is the video/slides from workshops which look really interesting. Gonna have to go there myself some day!

More …

The Bug Hunter Podcast 4: Bypassing email filters & Thinking out of the box


Hi, here’s a new episode of the Bug Hunter podcast!

You can now listen to it using the widget below or on the following platforms: Apple podcasts/iTunes, Google Podcasts, Podbean, Anchor, Spotify, Breaker, Pocket Casts, Overcast and RadioPublic.

If your favorite podcasting app is missing from this list, please let me know so I can add it.

Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding any links or commands mentioned in the audio.


More …

Conference notes: Eliminating False Assumptions in Bug Bounties (OWASP Stockholm 2018)

Hi, these are the notes I took while watching the talk “Eliminating False Assumptions in Bug Bounties” by Frans Rosén (@fransrosen) at OWASP Stockholm 2018.


Overview

This is a talk where @fransrosen responds to arguments he heard on why you shouldn’t do bug bounties. It’s full of thoughts and ideas on how to approach bug bounty mentally and what you can do to overcome common hurdles.

More …

The 5 Hacking NewsLetter 44

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from the 1st to the 8th of March.


Our favorite 5 hacking items

1. Tool of the week

Rescope & Introduction

Wow, I love this tool! Have you ever experienced the discomfort of adding tens of targets one by one or playing with regexes to configure your Burp scope? If yes, worry no more!

It is now possible to copy a bug bounty program’s scope from their page, paste it to a .txt file, and convert it to Burp scope using one command.

Rescope takes as input a file containing your target domains, subdomains, IPs, wildcard subdomains, etc., and outputs a JSON file that you can import into Burp to automagically configure your scope. In one shot, and no regex required.

Here’s an example input file:

In Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)

Out of Scope:
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9

It can contain any text and descriptions. The tool extracts targets wherever they appear. The only thing to remember is to put !EXCLUDE before the list of your exclusions, because by default all targets found are considered included.
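A pre-import check for the include-by-default pitfall described above, as an added example (not Rescope's code, and not its parsing rules). It splits a scope file at the !EXCLUDE marker and flags targets that follow an "Out of Scope" heading but would still be treated as included. The names `extract_target` and `split_scope`, the token pattern, and the heading pattern are assumptions made for this sketch.

```python
import re

# Simplified patterns (assumptions of this sketch, not Rescope's grammar).
HOST_RE = re.compile(
    r"(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}"          # hostname, optional wildcard
    r"|\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3})?",       # IPv4, optional -N range
    re.I,
)
OUT_HEADING_RE = re.compile(r"out[\s-]+of[\s-]+scope", re.I)

# The example input file shown on the page.
SAMPLE = """In Scope:
Critical admin.example.com/login.aspx
Critical https://example.com/upload:8080
Critical *.dev.example.com and *.prod.example.com
High 192.168.0.1-2 (internal testing)

Out of Scope:
!EXCLUDE
bgp.example.com:179
*.vendor.example.com
192.168.10.9
"""

def extract_target(token):
    """Return the host/IP part of a whitespace-delimited token, or None."""
    token = re.sub(r"^[a-z]+://", "", token.strip("()[],;"), flags=re.I)
    host = re.split(r"[/:]", token, maxsplit=1)[0]   # drop path and port
    return host.lower() if HOST_RE.fullmatch(host) else None

def split_scope(text):
    """Return (include, exclude, suspicious) for a pasted scope file.

    suspicious lists (line_no, target) pairs that sit under an
    "Out of Scope" heading but before any !EXCLUDE line, so an
    include-by-default parser would put them in scope.
    """
    include, exclude, suspicious = [], [], []
    excluding = out_heading = False
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "!EXCLUDE":
            excluding = True
            continue
        if OUT_HEADING_RE.search(line):
            out_heading = True
        for target in filter(None, map(extract_target, line.split())):
            (exclude if excluding else include).append(target)
            if out_heading and not excluding:
                suspicious.append((line_no, target))
    return include, exclude, suspicious

if __name__ == "__main__":
    print(split_scope(SAMPLE))
    print(split_scope(SAMPLE.replace("!EXCLUDE\n", ""))[2])  # marker forgotten
```

Run it on the pasted program scope before generating the Burp JSON; a non-empty `suspicious` list means the exclusions are about to be imported as in-scope targets.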

More …

The Bug Hunter Podcast 3: Nmap outputs & motivation vs inspiration


Hi, here’s a new episode of the Bug Hunter podcast!

You can now listen to it using the widget below or on the following platforms: Apple podcasts/iTunes, Google Podcasts, Anchor, Spotify, Breaker, Pocket Casts, Overcast and RadioPublic.

If your favorite podcasting app is missing from this list, please let me know so I can add it.

Also, if you prefer written text, you’ll find the whole transcript below. It’s also helpful for finding any links or commands mentioned in the audio.


More …