bugbytes-58

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 07 to 14 of February.

Our favorite 5 hacking items

1. Video of the week

@zseano Talks About BugBountyNotes.com, Recon, Reading Javascript, WAF, Wayback Machine, and more!

Lately, @zseano has been quieter than before. So, it is nice to hear him share insights on his recon process (e.g why he runs subdomain tools last), his hacking methodology, why he closed Bug Bounty Notes, and much more.

2. Resource of the week

The Mobile Hacking CheatSheet

No matter how often I use tools like ADB, Keytool or Frida, I always forget the syntax! These two cheatsheets are handy as they sum up commands that are most used used for Android and iOs hacking.
Its creators, @RandoriSec, have also been sharing a lot of excellent tips for mobile hacking on Twitter. It’s worth checking out.

3. Webinar of the week

Security Reconnaissance With Codingo: How New Tricks Let Hackers See More & Slides

Watch this if you want to know the most notable bug bounty trends (tools and techniques) @codingo noticed in 2019. He focuses on recon and some bug classes like XSS, subdomain takeover, finding and testing API keys, etc.
I love that he explains the reasoning behind each idea. For instance, why reporting alert(1) for XSS is never the best idea, or why you should really not use sublist3r on its own for subdomain enumeration.

4. Non technical item of the week

On Full-Time Bug Bounty Hunting

Should you give up everything and become a full-time bug bounty hunter? This unbiased feedback by @ajxchapman may help you decide. He tells his story, the pros and cons of bug hunting, and advice that helped him earn his living doing this full-time while living in London (not the cheapest town!).

5. Tutorial of the week

Proxying and Intercepting CLI Tools

Have you ever run a command line tool and wondered which requests it was sending to your target? Knowing this can be valuable for pentesters and bug hunters. It helps understanding what the tool does.
The solution detailed in this excellent tutorial is to use Burp Suite as a proxy. The process is explained for curl, wget, Java JARs, Python, Node JS and Go binaries.
Another advantage of using Burp is that all requests sent are logged (with request and response times).
I can’t tell you how many times pentest clients asked for what was being tested at X time and the number of requests, because they noticed network or server issues and wanted to determine if it was caused by the tests.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/07/2020 to 02/14/2020.

Curated by Pentester Land & Sponsored by Intigriti