There’s quite a good report on Hackerone about account takeover in Flickr. But was there actually an account takeover? The triager kept insisting that the attacker logs in to their own account, thus it’s not a risk. The hunter claimed that he can log in to the victim’s...
#19
Interesting bugs in Hubspot and Instapage
I’m a simple man - I see Sam Curry publishing a writeup, I read the writeup. This time it’s a short one about a couple of interesting bugs found in Hubspot and Instapage. It’s definitely worth reading because there are tricks that can be used in many different contexts....
Installing Burp Collaborator instance
Burp Collaborator is an awesome tool and I probably don’t need to tell you that. However, there are a few problems with using PortSwigger’s server: disclosing sensitive information to a 3rd-party company. Depending on what you hack, it may or may not be a problem....
Recon roadmap of an experienced hunter
Ahmad Halabi shared his process of discovering new targets. Starting from the beginning, through subdomain enumeration, port scanning and directory brute-force, up to analysing JS files. Unfortunately, he didn’t share what tools he uses, but when you know what you...
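The last step of that roadmap, pulling endpoints out of JS files, is easy to script. The block below is an added example, not code from the article or from Ahmad Halabi: it runs a regex over a constructed JS sample (the file contents, hostnames and paths are made up for illustration) and returns the API paths and absolute URLs worth feeding into directory brute-force or manual review, while dropping static assets.

```python
import re
from typing import List

# Constructed sample of a front-end bundle; every path and host here is made up.
SAMPLE_JS = r'''
fetch("/api/v1/users", {method: "GET"});
axios.post('/api/v1/login', {u, p});
const base = "https://api.example.com";
$.ajax({url: base + "/internal/admin/export"});
var img = "/static/logo.png";
'''

# Matches a quoted absolute URL, or a quoted string that starts with "/" and
# only contains characters typical of URL paths and query strings.
PATH_RE = re.compile(
    r"""["'`]((?:https?://[^"'`\s]+)|(?:/[A-Za-z0-9_./?=&%-]*))["'`]"""
)

# Static assets are noise for endpoint discovery; extend as needed.
SKIP_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2")


def extract_endpoints(js: str) -> List[str]:
    """Return sorted, de-duplicated candidate endpoints found in JS source."""
    found = set()
    for m in PATH_RE.finditer(js):
        s = m.group(1)
        if s == "/" or s.lower().endswith(SKIP_EXT):
            continue
        found.add(s)
    return sorted(found)


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_JS):
        print(ep)
```

On real bundles, run it over every script URL you collected during subdomain and port enumeration, then diff the results per host; paths that appear only in one host's JS are often the most interesting.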
Web Cache Poisoning – part 1 – basics
I feel like I see quite a few web cache poisoning writeups recently. That’s why I will tell you about it today and in the next issue, I will show you those recent writeups and examples. Enjoy! For clarity - there are a few kinds of caches - web cache, DNS cache,...
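The basic web cache poisoning case, as an added example that is not from the linked writeup: a cache keyed only on host and path sits in front of an origin that reflects the unkeyed X-Forwarded-Host header into a script URL. The attacker sends one request with a malicious header, the response is cached, and every later visitor to that path is served the attacker's script. All hosts and paths are constructed. The two fixes shown are the ones that matter in practice: stop reflecting the untrusted header at all, or make the cache key include it (in HTTP terms, emit a Vary header for it so the cache keeps separate entries).

```python
from typing import Callable, Dict, Tuple

Request = Dict[str, str]
Response = Dict[str, object]

# --- origins ---------------------------------------------------------------

def origin_vulnerable(req: Request) -> Response:
    """Reflects the attacker-controlled X-Forwarded-Host into a script URL."""
    host = req.get("X-Forwarded-Host", req["Host"])
    body = f'<script src="https://{host}/static/app.js"></script>'
    return {"status": 200,
            "headers": {"Cache-Control": "public, max-age=60"},
            "body": body}


def origin_hardened(req: Request) -> Response:
    """Ignores the untrusted header and uses a fixed canonical host (constructed)."""
    body = '<script src="https://example.com/static/app.js"></script>'
    return {"status": 200,
            "headers": {"Cache-Control": "public, max-age=60"},
            "body": body}

# --- cache key strategies ---------------------------------------------------

def key_host_path(req: Request) -> Tuple[str, ...]:
    """Typical default: X-Forwarded-Host is unkeyed, so it can poison entries."""
    return (req["Host"], req["path"])


def key_host_path_xfh(req: Request) -> Tuple[str, ...]:
    """Equivalent of the origin sending 'Vary: X-Forwarded-Host'."""
    return (req["Host"], req["path"], req.get("X-Forwarded-Host", ""))

# --- minimal shared cache ---------------------------------------------------

class Cache:
    def __init__(self, origin: Callable[[Request], Response],
                 key_fn: Callable[[Request], Tuple[str, ...]]):
        self.origin = origin
        self.key_fn = key_fn
        self.store: Dict[Tuple[str, ...], Response] = {}

    def fetch(self, req: Request) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key], True
        resp = self.origin(req)
        if "public" in str(resp["headers"].get("Cache-Control", "")):
            self.store[key] = resp
        return resp, False

# --- the attack -------------------------------------------------------------

def run_attack(origin, key_fn) -> Tuple[bool, bool]:
    """Attacker primes the cache, then a clean victim request follows.
    Returns (victim_got_cache_hit, victim_body_contains_attacker_host)."""
    cache = Cache(origin, key_fn)
    attacker = {"method": "GET", "path": "/", "Host": "example.com",
                "X-Forwarded-Host": "evil.test"}          # constructed hosts
    victim = {"method": "GET", "path": "/", "Host": "example.com"}
    cache.fetch(attacker)
    resp, hit = cache.fetch(victim)
    return hit, "evil.test" in str(resp["body"])


if __name__ == "__main__":
    print("vulnerable origin, unkeyed header :", run_attack(origin_vulnerable, key_host_path))
    print("hardened origin, unkeyed header   :", run_attack(origin_hardened, key_host_path))
    print("vulnerable origin, header in key  :", run_attack(origin_vulnerable, key_host_path_xfh))
```

When testing this against a live target, add a unique query parameter (a cache buster) to your requests so that only your own cache entry is poisoned, never one served to real users; in the simulation above that corresponds to using a distinct "path" value per probe.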
Strategy to become a pentester
On PentesterLab’s blog, there’s a great article that will help you order some things in your mind if you want to land your first job in our fantastic industry. You probably noticed already how many different areas there are inside cybersecurity. Which of them you...