Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 09 to 16 of August.
Our favorite 5 hacking items
1. Slides of the week
Bounty hunters: how do you organize your notes on targets, especially when switching targets back and forth and doing it for a long time?
This is a cool Twitter thread. Fisher (@Regala_) prompted the question about how other bug hunters organize their notes, and many hunters responded.
Tools mentioned include a private Github repo, simple notes and folders, SwiftnessX, OneNote, a whiteboard for logic flaws, Google Docs, XMind, etc.
It’s nice to get a peak at what others are using!
2. Writeup of the week
Clickjacking DOM XSS on Google.org
This is a good read to learn about you can go from self-XSS to a valid XSS by leveraging clickjacking.
The technique is nice to know in case you’re stuck with self-XSS and want to increase its impact.
@ThomasOrlita does an awesome job explaining all technical details as well as how he was able to find this on Google: he focused on Google Crisis Map, an old project that doesn’t seem to be used much anymore.
3. Tutorial of the week
Improve Your Reconnaissance Performance By Using GNU Parallel
This is a concise tutorial about GNU Parallel. You might already know about it. But if you don’t and want to speed up your Bash scripts, this is the quickest way to learn about it and start using it today.
Parallel is interesting because it bring multi-threading to Bash. So if you want to iterate any tests on network protocols or targets (for recon, network pentesting…), Parallel allows you to go faster than if you use a while or for loop.
4. Tool of the week
This new Burp extension is a must if you’re planning on collaboration with another Web app tester.
It allow you to share live/historical proxy requests, scope and reapeater/intruder payloads with each other in real time!
This is so useful for both bug bounty / pentest collaboration, and for education and mentorship.
You might also want to check out the other tools previously shared by the same author, Tanner Barnes (@_StaticFlow_).
5. Resource of the week
Paged out! is a new free zine that features short articles on a variety of topics. It reminds me a bit of PoC||GTFO and Phrack.
This first issue has articles on no less than 12 categories: Algorithmics, Assembly, Electronics, File formats, OS internals, Phreaking, Programming, Radio, Retro (retro games), Reverse engineering, Sec/Hack (Web app security, reverse shells, Windows exploitation…) & SysAdmin.
I love that there is something for everyone. Personally, my focus is on pages 17, 52 and 62 because I’m more interested in Web app security.
If you would like to submit an article, the next submission deadline is October 20th.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/09/2019 to 08/16/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.