Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 05 to 12 of July.

Our favorite 5 hacking items

1. Tips of the week

These tweets are so good that I had to mention all four. They’re about:

How to exit VIM, and more importantly how to make :!Q (which isn’t currently an option) quit it too

(which isn’t currently an option) quit it too Awesome advice to improve your environment and methodology, and start finding vulns/bugs

Why some SSRF payloads include IP addresses like 1.1.1, and how routers know that it means 1.1.0.1 and not 1.1.1.0. I’ve been wondering about that and the answer was… RTFM!

What to do when you’re hours into an Nmap scan and you forgot to start it in a Tmux/Screen session (Genius!)

2. Writeup of the week

If testing for mass assignment isn’t currently part of your methodology, this is an excellent opportunity to learn about it and start testing for it.

@albinowax was bug hunting on New Relic. He found that free accounts didn’t have access to the API. But this restriction could be bypassed by intercepting a POST request to change your name and adding this parameter: account[allow_api_access]=true .

He also tells us how he guessed the parameter’s name:

3. Webinar of the week

After last week’s intro to cloud for pentesters and bug hunters, SECARMY returns with a sequel on common cloud security misconfigurations and their mitigations.

More specifically, this one is about SSRF and LFI on AWS, why they occur, how to detect them, how to leak AWS credentials and what companies can do to prevent it.

4. Tool of the week

A few weeks ago, @EdOverflow published the article “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter. He did the research with a few other hackers, and they developed a tool to automate fetching Travis CI build logs.

It allowed them to quickly look for sensitive information in CI logs and earn many bounties. It was awesome to read about that but they didn’t release it because they didn’t want to cause service disruptions to CI platforms.

I guess they’ve changed their minds because they’ve just released Secretz!

It minimizes the large attack surface of Travis CI by automatically fetching repos, builds, and logs for any given organization. So it’s a really neat tool to add to your arsenal.

5. Non technical item of the week

Who doesn’t like peeking at how other hackers organize their notes?

@GouveaHeitor shares here how he uses SwiftnessX to defines payloads, report templates and libraries / checklists. It’s worth looking at his screenshots if you feel like your pentest/bug bounty notes could be better organized.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

ScreenToGif: Allows you to record a selected area of your screen, edit and save it as a gif or video!. Useful for recording PoCs

Qsreplace: A Go script to replace or append to query string values in URLs. Can be used in combination with waybackurls to generate URLs for fuzzing with a particular payload

JWTrek: JWT Token C# Bruteforcer (HS256) (pure bruteforce, no wordlist yet)

Android-App-Testing: Python3 scripts to help automate the installation of Burp Suite certificates on Android devices

Venemy: OSINT tool for Venmo. It grabs profile information, friends lists & transactions

BADministration & Introduction: Tool to leverage SolarWinds Orion servers from an offensive standpoint

RedTeamCSharpScripts: C# Scripts for Red teaming

Kali Linux Tools Interface: A graphical interface to use tools in Kali by the browser

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/05/2019 to 07/12/2019

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…