Android hacking has been mentioned quite a lot recently on the BBRE Premium Discord. I don’t know if it’s a coincidence or a trend, but it’s definitely a nice niche. Here’s another great blog post about the setup and exploitation of an XSS....
#66
Web AppSec Interview Questions
If you are getting ready for a job interview and you need to prepare yourself for the questions, @0xTib3rius has your back. He published a list of 55 questions on his blog, along with answers. https://tib3rius.com/interview-questions There’s also a repo here with more...
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua Security conducted a fascinating analysis of open-source vulnerabilities being fixed or, more precisely, of the time gaps between the fixes being committed to GitHub and the official fixes being released. They even define terms like 0.5day and 0.75day which do...
New free SSRF testing tool
@bebiksior created a tool that allows you to test SSRFs really easily. You no longer have to code something yourself if you need to control the HTTP response when testing for SSRFs. And it’s free to use! https://twitter.com/bebiksior/status/1723797751958257786
Fuzzing XSS Sanitizers for Fun and Profit | @TomAnthonySEO
Earlier this year, I published a video about a payload that confused golang’s HTML parser which could lead to an XSS. While after the fact, I could explain the bug very logically, encountering it was nothing more than intuition and luck. Thus, when seeing other XSS...
CTTB – The OG Bug Bounty King – Frans Rosen
If you are not listening to the Critical Thinking Bug Bounty Podcast, you are missing out on tons of useful, intermediate to advanced bug bounty and web security tips. I do listen to every single episode. Recently, I played the one with Frans Rosen and, at times, it...
JS Monitoring implementation
I’ve been hearing about monitoring JS files for years now and I know that I should start doing it. Youssef Sammouda, Meta’s TOP1 hacker, told me on my podcast that he chooses his targets based on monitoring JS files. But I still never got to it. Some of the reasons...