Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 08 to 15 of November.
We launched another XSS challenge! You can win a Burp Suite Pro license if you solve it before Monday. Check it out:
Our favorite 5 hacking items
1. Conference of the week
DEF CON 27
Finally, DEF CON 27 videos are released! There is no introduction needed, right?
I’m watching this first: “Owning The Clout Through Server Side Request Forgery” by @NahamSec & @daeken. What about you?
2. Resource of the week
JWT Attack Playbook (for methodical pentesting)
This is a wiki for the [jwt_tool](https://github.com/ticarpi/jwt_tool
) toolkit for testing JSON Web Tokens. I was surprised to see how detailed it is.
It explains everything from recognizing and reading JWTs, an attack methodology, how to test for known exploits, fuzzing, stealing JWTs by exploiting other vulnerabilities, and more. An excellent resource to get into hacking JWTs!
3. Challenge of the week
This Github repository has many vulnerabilities. It is intended to be used as a target for benchmarking tools like github-dorks or truffleHog.
Personally, I also plan on using it as a challenge to practice finding secrets on Github.
4. Non technical item of the week
Tips for an Information Security Analyst/Pentester career – Ep. 78 – Nothing is impossible
This is @mattiacampagnan’s story on how he found a pentesting job. Basically, he created a blog and wrote dozens of articles related to penetration testing. This gave him some exposure. A company contacted him for an interview, he got a remote part-time position, did the work for 3 months, and finally it became a full-time position.
I loved reading this story because it is another reminder that there is no secret way to success. Do your work and find a way to differentiate yourself. Simple, but a lot of people do not want to hear that…
I personally can attest to the same thing: Maintaining a blog and being consistent opens up so many possibilities and professional options. If you are struggling to find work, you should really consider starting a blog, video course or Youtube channel. Anything that you put out there that shows technical abilities and professionalism will help you find employers or customers.
5. Tutorials of the week
– Fasten your Recon process using Shell Scripting
– Different Approaches For Reconnaissance — Bug Bounty’s
These are two nice tutorials that go a bit further that most typical recon articles.
Apart from classic subdomain enumeration, they show how to programmatically fetch URLs with their status code & page title, and search results for keywords. This will certainly aid process data collected from large scope bug bounty programs (or pentest targets).
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/08/2019 to 11/15/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.