#28

Smart contract security checklist

I haven’t fully gotten into the world of smart contracts security yet but I already see how costly mistakes are here. In this Stack Exchange thread, there’s a checklist for smart contract developers. It is surely not complete but a good starting point....

Copyright-based recon

Jason Haddix is very active on Twitter recently. Usually, I’m far from recommending Twitter to someone as a good learning source. It’s possible, no question about that, but it’s really hard to filter tips from other Tweets (and this includes my profile!). I’m mostly...

How to pick a bug bounty program?

Z-winK is a new YouTuber but I very much like his videos. He’s a successful bug hunter and I think our industry misses such people. In one of his videos, he shared the process of picking a bug bounty program. I took some notes for me and for you. Here they are. He...

Code Review Hotspots with Semgrep

Parsia, a senior security engineer at EA, wrote a great blogpost about using semgrep to... not find vulnerabilities. Semgrep is a code scanner and he uses it in two different ways: To find vulnerabilities. These rules must be fairly accurate and can be integrated with...

Inconsistencies in major URL standard specs

URLs that we use every day when browsing the web are usually quite simple. However, if you need to parse them, it turns out they are very complex. A lot of bugs I covered on my channel were possible due to URL validation bypasses. But even with that, you would think that...

Using headless browser with Python

In the previous two issues, you learnt how to make HTTP requests with Python and how to parse HTML responses. It’s often enough but sometimes, you need the JS on the website to execute. For example, when looking for XSS vulnerabilities - no alert will pop in a dry...