Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 10 to 17 of January.

Our favorite 5 hacking items

1. Webinar of the week

This is an excellent course on SSTIs with a focus on Python frameworks.

I love that it does not only explain how SSTIs work and how to escalate them to RCE, but it also mentions a lot of background information to understand the big picture: Why Python frameworks were created, how they work, the history of Python and Flask, etc.

2. Writeup of the week

This is a nice example of RCE found using security code review with a bottom-up approach. It also shows how to reverse and analyze the firmware of a NAS.

Both RCE and code review can be intimidating. But the way everything is broken in this writeup makes them seem easy to follow even for beginners.

3. Challenge of the week

There is a plethora of XSS challenges but labs for GraphQL bugs, JWT, SSRF, SSTI, lack of rate limiting, etc, are rarer. So, these labs are perfect if you want to play with these vulnerabilities and many others.

The best part is that detailed walkthroughs are provided for each bug.

4. Video of the week

As always, a great tutorial video by @InsiderPhD! I think this is the best introduction to APIs I’ve ever seen. It covers everything you need to start exploiting them ASAP: What APIs are, how to find and enumerate them, types of APIs (REST, SOAP, GraphQL), what is JSON, what bugs to look for, how to take notes, etc.

5. Tutorial of the week

Did you know that macros are not the only way to deal with CSRF tokens in Burp?

@Agarri_FR shows in great detail how to use Intruder Pitchfork to mimick manually replacing the CSRF token with the latest value sent by the server, and the advantages over macros.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

xpasn: Expands an autonomous system (AS) number into prefixes or individual host IP addresses

Velocity: DNS caching library for Python. Helps speed up network connections (applies to everything from sockets to HTTP requests)

SWFPFinder: SWF Potential Parameters Finder

GDA-android-reversing-Tool & Wiki: GDA is a new decompiler written entirely in c++, so it does not rely on the Java platform, which is succinct, portable and fast, and supports APK, DEX, ODEX, oat.

Misc. pentest & bug bounty resources

Challenges

Articles

Unusual Patch Tuesday

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/10/2020 to 01/17/2020.



The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.

Curated by Pentester Land & Sponsored by Intigriti

Share this: Twitter

Facebook

LinkedIn

Reddit

Telegram

WhatsApp

Email

