Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 07 to 14 of June.
- The European Commission launched a public bug bounty program for DSS (Digital Signature Services)
- @MattiBijnens shows how he and his team earned €20.000 at an Intigriti live hacking event with an IDOR trick
Our favorite 5 hacking items
1. Conference of the week
BSides London 2019, especially:
– Understanding Stress, Anxiety And Depression And How To Cope
Stress, anxiety and depression are three health risks that we should all be aware of and have strategies to avoid. This talk is a perfect reminder of their distinctions, why they affect us and what to do to avoid them or to get better.
This is especially helpful for us hackers, who can spend days in front of our computers, forgetting to exercise, sleep or eat properly.
2. Writeup of the week
How spending our Saturday hacking earned us 20k ($20,000)
This is the writeup of an unusual kind of IDOR found during a live hacking event.
Arne Swinnen, Matti Bijnens & Jeroen Beckers were able to bypass several defense mechanisms including encrypted parameters. The thought process is very detailed and so interesting that I can’t summarize it in a few lines. Check out the article, it’s worth it!
3. Video of the week
Live mentoring with zseano
To be honest, last week was so crazy busy that I haven’t had the time to watch this video yet. But it is on the top of my list!
Apart from the technical details, getting advice from one of the top bug hunters is perfect for getting you into the right hacking mindset.
Live mentoring is an awesome opportunity especially if you’re just starting out.
4. Tool of the week
BurpJSLinkFinder is a Burp Suite plugin that passively detects JS files and scans them for endpoint links.
It is very helpful because until now you had to export JS files then run a tool like LinkFinder on them to find new endpoints. Such a time saver!
5. Tutorial of the week
Achieving Persistent Access to Burp Collaborator Sessions
If you have played with Burp Collaborator before, you know that Collaborator sessions are closed as soon as you close Burp. That’s not very practical if you need to shut down your laptop and resume tests later.
This tutorial shows a way around this. Basically, you launch Wireshark and sniff out communications between Burp and the Collaborator server. You should see a secret key pertaining to your Collaborator session. This is what will allow you to query the Collaborator server at any time even after closing Burp.
This solution is not perfect, but it is a workaround until PortSwigger releases a new feature to save Collaborator sessions.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs
- BKScan: BlueKeep scanner supporting NLA (Network Level Authentication)
- BurpTabEssentials: Changes the style of Burp Suite’s Repeater tabs to help testers
- Blue: A web panel designed to make reconnaissance faster and more easily accessible
- Deeplack: A Python script designed for comparing images (screenshots) using DeepAI to detect changes on websites & push notifications to Slack
- Yaazhini: Free Android APK & API Vulnerability Scanner
Misc. pentest & bug bounty resources
Bug bounty / Pentest news
Breaches & Attacks
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/31/2019 to 06/07/2019.