Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 07 to 14 of February.
Our favorite 5 hacking items
1. Video of the week
Lately, @zseano has been quieter than before. So, it is nice to hear him share insights on his recon process (e.g why he runs subdomain tools last), his hacking methodology, why he closed Bug Bounty Notes, and much more.
2. Resource of the week
The Mobile Hacking CheatSheet
No matter how often I use tools like ADB, Keytool or Frida, I always forget the syntax! These two cheatsheets are handy as they sum up commands that are most used used for Android and iOs hacking.
Its creators, @RandoriSec
, have also been sharing a lot of excellent tips for mobile hacking on Twitter. It’s worth checking out.
3. Webinar of the week
Security Reconnaissance With Codingo: How New Tricks Let Hackers See More & Slides
Watch this if you want to know the most notable bug bounty trends (tools and techniques) @codingo noticed in 2019. He focuses on recon and some bug classes like XSS, subdomain takeover, finding and testing API keys, etc.
I love that he explains the reasoning behind each idea. For instance, why reporting alert(1) for XSS is never the best idea, or why you should really not use sublist3r on its own for subdomain enumeration.
4. Non technical item of the week
On Full-Time Bug Bounty Hunting
Should you give up everything and become a full-time bug bounty hunter? This unbiased feedback by @ajxchapman may help you decide. He tells his story, the pros and cons of bug hunting, and advice that helped him earn his living doing this full-time while living in London (not the cheapest town!).
5. Tutorial of the week
Proxying and Intercepting CLI Tools
Have you ever run a command line tool and wondered which requests it was sending to your target? Knowing this can be valuable for pentesters and bug hunters. It helps understanding what the tool does.
The solution detailed in this excellent tutorial is to use Burp Suite as a proxy. The process is explained for curl, wget, Java JARs, Python, Node JS and Go binaries.
Another advantage of using Burp is that all requests sent are logged (with request and response times).
I can’t tell you how many times pentest clients asked for what was being tested at X time and the number of requests, because they noticed network or server issues and wanted to determine if it was caused by the tests.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/07/2020 to 02/14/2020.