Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 09 to 16 of August.

Our favorite 5 hacking items

1. Tips of the week

This is a cool Twitter thread. Fisher (@Regala_) prompted the question about how other bug hunters organize their notes, and many hunters responded.

Tools mentioned include a private Github repo, simple notes and folders, SwiftnessX, OneNote, a whiteboard for logic flaws, Google Docs, XMind, etc.

It’s nice to get a peak at what others are using!

2. Writeup of the week

This is a good read to learn about you can go from self-XSS to a valid XSS by leveraging clickjacking.

The technique is nice to know in case you’re stuck with self-XSS and want to increase its impact.

@ThomasOrlita does an awesome job explaining all technical details as well as how he was able to find this on Google: he focused on Google Crisis Map, an old project that doesn’t seem to be used much anymore.

3. Tutorial of the week

This is a concise tutorial about GNU Parallel. You might already know about it. But if you don’t and want to speed up your Bash scripts, this is the quickest way to learn about it and start using it today.

Parallel is interesting because it brings multi-threading to Bash. So if you want to iterate any tests on network protocols or targets (for recon, network pentesting…), Parallel allows you to go faster than if you use a while or for loop.

4. Tool of the week

This new Burp extension is a must if you’re planning on collaboration with another Web app tester.

It allows you to share live/historical proxy requests, scope and reapeater/intruder payloads with each other in real time!

This is so useful for both bug bounty / pentest collaboration, and for education and mentorship.

You might also want to check out the other tools previously shared by the same author, Tanner Barnes (@_StaticFlow_).

5. Resource of the week

Paged out! is a new free zine that features short articles on a variety of topics. It reminds me a bit of PoC||GTFO and Phrack.

This first issue has articles on no less than 12 categories: Algorithmics, Assembly, Electronics, File formats, OS internals, Phreaking, Programming, Radio, Retro (retro games), Reverse engineering, Sec/Hack (Web app security, reverse shells, Windows exploitation…) & SysAdmin.

I love that there is something for everyone. Personally, my focus is on pages 17, 52 and 62 because I’m more interested in Web app security.

If you would like to submit an article, the next submission deadline is October 20th.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Httprebind: Automatic tool for DNS rebinding-based SSRF attacks

PyFunnels & Introduction: Data Normalization for InfoSec Workflows

IPRotate_Burp_Extension & Introduction: Burp extension that changes your source IP address using the AWS API Gateway, to bypass IP based blocking

rapid7_OSINT

NSBrute: Python script that automatically takes over domains vulnerable to NS subdomain takeover

GraphQL Raider

WAES: Web Auto Enum & Scanner

Rhodiola & Introduction: Generating Personalized Wordlists with NLP For Password Guessing Attacks

Nray: A free, distributed & platform independent port scanner

PBDataRecon: Pastebin Analysis and Storage Tool

Lure & Introduction: User Recon Automation for GoPhish

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/09/2019 to 08/16/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…