Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 27 September to 4 October.

Our favorite 5 hacking items

This time, exceptionally, we’re featuring way more items than usual… Why limit ourselves to 5 if both quantity and quality are there?

The following links are all really worth checking out if you are into Web application security.

1. Articles of the week

These articles are, in order, about:

New research by @albinowax on HTTP Request Smuggling

3 Firefox security features explained by @KarimPwnz, with good tips on how to use the “Multi-Account Containers” extension for hacking

A list of 8 Burp extensions worth using, with everything you need to know about them on one page (what they do, installation & usage tips)

5 tips by subdomain takeover master @0xpatrik

2. Writeup of the week

Google sponsored @LiveOverflow for making this video. It is a writeup of a bug found by @wtm_offensi on Google’s Cloudshell.

Basically, Git cloning a repo with Cloudshell led to RCE. But this is not a simple bug and I am not going to try to sum it up in a few words like I usually do. This finding is probably the result of hundreds of hours of work.

This is why I find it so inspiring. The level of persistence and work involved to understand both the technologies behind Cloudshell and its inner workings is amazing.

It is also interesting to hear about @wtm_offensi’s thought process: how he chose the target to focus on based on criticality, how he keeps asking himself questions to really understand the app (almost like an investigation), how he doesn’t look for a technical vulnerability but for an outcome (RCE) and for any conditions that could lead to that outcome…

3. Tool of the week

Varanid.io is an all-in-one tool that makes it really easy to monitor a lot of things for pentest/bug bounty purposes. This includes DNS records, SSL certificates, file changes (e.g. changes to JavaScript files), response headers, status codes, page title, up/down time and more. I’ve never seen all these features on one site, with such ease of use!

Cyber.dic is a spellcheck dictionary that adds support for 1700+ technical terms to Microsoft Word & LibreOffice Writer. Finally, I can write “pentest” without it being highlighted as a mistake…

Mobexler is a customised virtual machine, based on Elementary OS, designed to help in penetration testing of Android & iOS apps. I like the idea of having all (or most) of the tools you need for mobile testing already installed on a VM. It’s like the Kali of mobile testing.

Swamp is an OSINT tool for discovering associated sites through Google Analytics Tracking IDs. It’s not a novel idea, but being able to automate this is helpful for recon.

Syborg is a recursive DNS domain enumerator with a dead-end avoidance system. It is inspired by a discussion between @tomnomnom and nahamsec on the drawbacks of current subdomain enumeration tools.

Fav-up is so creative! It helps you find a server’s origin IP behind Cloudflare by looking up its favicon on Shodan.

Dnsgen is like altdns on steroids. It generates combinations of domain names from provided input. This is useful for finding new subdomains and account takeovers. And apparently, it generates way more combinations than altdns.

4. Non technical item of the week

@sharathsanketh recounts how he went from knowing nothing about Web hacking to his first bounty.

He doesn’t give any technical advice, but I think his story and advice are very relatable and useful for beginners. He did two things I find noteworthy: he forced himself to focus on learning rather than bug hunting without knowing the basics, and he didn’t start with the most recommended books on bug bounty. He started with lesser-known introductory books on how technology and the Web work, because that’s what he needed to understand before going deeper.

This is a great mindset to adopt: “You need to know where you stand and reverse engineer in order to even know what you have to learn”.

5. Tips of the week

It’s always fun to get a peek at what other hackers are using as tools and wordlists. The first link is basically a crowdsourced list of interesting endpoints to add to your directory bruteforce wordlist. The second one is about several ways of importing a list of URLs into Burp: using the Burp API, BurpFeed, Burp-Importer…

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Bucket-decloaker: A simple tool to decloak/expose the bucket name behind a domain

Gitpillage.py: Gitpillage.sh rewritten in Python by @gwendallecoguic

PortswiggerXSS: Go tool that gathers payloads from PortSwigger’s XSS Cheatsheet & creates a usable wordlist

PHP 7.0-7.3 disable_functions bypass: Tool for bypassing disable_functions

Misc. pentest & bug bounty resources

Challenges

Can you find the XSS vulnerability?: Win a Burp Pro license & private invites on Intigriti

24/7 CTF

Hacking Playground Apps: New Android & iOS vulnerable apps by the OWASP Mobile Security Testing Guide

Articles & Papers

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/27/2019 to 10/04/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…