Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 21 to 28 of June.
Our favorite 5 hacking items
1. Discussion of the week
Do you use vulnerability scanner on bug bounty program? How is the result?
This is an interesting discussion for beginner bug hunters on why you shouldn’t use scanners in bug bounty.
Vulnerability scanners are of low added value because many other people (including internal pentesters) have probably already run them. So it’s improbable that they’ll allow you to find anything new of real value. This, combined with the risk of causing Denial of Service if many bug hunters use scanners on the same target, is why scanners are generally not allowed.
The following reasons apply to pentesting too: the risk of causing an email flood to a client email address (happened to me once!), and the risk of deleting resources by using spidering on authenticated pages.
These risks are good to know whether you’re a bug hunter or pentester. It helps decide which tools to run or not and avoid causing service disruptions.
Also, I find cym13’s stance on Burp interesting. There really is no ‘one size fits all’!
More …
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 14 to 21 of June.
Our favorite 5 hacking items
1. Video of the week
VIM tutorial: linux terminal tools for bug bounty pentest and redteams with @tomnomnom
Oh my! We’re really spoilt this week between this video tutorial with @tomnomnom and @nahamsec’s recon tips video (see below).
@tomnomnom shares so many tips that are worthy to discover whether your are a beginner or seasoned bug hunter. This includes the tools he uses for recon (including custom ones like assetfinder and html-tool), BASH basics, how to manually search for secrets in Git repos, how to use (and exit) VIM and a lot more.
This is a must watch if you’re into Web app security!
More …
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 07 to 14 of June.
Our favorite 5 hacking items
1. Conference of the week
BSides London 2019, especially:
Stress, anxiety and depression are three health risks that we should all be aware of and have strategies to avoid. This talk is a perfect reminder of their distinctions, why they affect us and what to do to avoid them or to get better.
This is very helpful especially for us, hackers, who can spend days in front of our computers, forgetting to exercise, sleep or eat properly.
More …
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 31 of May to 07 of June.
Our favorite 5 hacking items
1. Tip of the week
Foxyproxy.json for disabling distracting Firefox traffic from Burp
If you’re a regular Firefox + Burp user, you probably have noticed that Firefox generates some traffic that shows up in Burp, like requests to http://detectportal.firefox.com/ or update checks.
This JSON file is @liamosaur’s Foxyproxy configuration file that allows him to disables this unwanted traffic.
More …
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 24 to 31 of May.
Our favorite 5 hacking items
Keye
Keye is a really useful recon tool. It’s the first one I’ve come across that allows hackers to easily monitor changes in URLs.
It’s written in Python with SQLite3 integrated. You give it a list of urls, and run it periodically (using Cron for example). It then requests the urls and detects changes based on the responses’ Content-Length. You can also receive Slack notifications when changes are detected.
More …
