As you may have heard, some time ago Twitch had a massive leak of its source code. It included a lot of their internal tools. Mazin Ahmed took on the challenge to analyse all the 129 security tools that are present in the leak....
Tools
A tool to find bugs in WordPress plugins
As many of you already know, recently, I migrated BBRE Premium to a new platform that runs on WordPress. The way problems are solved here is by installing more plugins. And then even more. And I am very interested in their security. One day, I just took a quick look...
Using headless browser with Python
In the previous two issues, you learnt how to make HTTP requests with python and how to parse HTML responses. It’s often enough but sometimes, you need the JS on the website to execute. For example, when looking for XSS vulnerabilities - no alert will pop in a dry...
Live Recon with TomNomNom
Doesn't matter if you do recon or not, TomNomNom's content is a must-watch, because he shares so many bash tricks and useful tools that you can speed up many of your current bash habits. For example, how many times did you do something like: It will append...
Single most time-saving terminal trick
In the perfect world, every terminal command that you execute more than once you have automated, blah blah blah... 😒 Both you and I know this is not true. Many times you will have to write very similar commands over and over again. You can use up arrow to find lately...
Free DNS tool
DNS protocol can be utilised for many different use cases: exploiting SSRF by DNS rebinding exploiting SSRF by multiple A records exfiltrating data when HTTP traffic is blocked even XSS! etc. However, setting up the DNS server for all that purposes is definitely not...
Generating a web application
This is not really a security link but I just wanted to send you this. Imagine.ai is a free service that generates a REST API for you based on the model that you create. Like many new things, it uses artificial intelligence. It's probably the trend that more and...
Finding DOM-XSS with Untrusted Types
Speaking of DOM-XSS... It's definitely the hardest XSS type to find. I remember when I was at the presentation by Krzysztof Kotowicz from Google about Trusted Types where he mentioned how many of their bug bounty reports are DOM-XSS. I was like "DOM-XSS? I...
How to identify an unknown secret?
pywhat is a python script that can identify what string you gave him. It's useful when you find some secret in JS or in a mobile application and you don't know did you find. Of course, it won't help with completely random secrets but it will be useful for...
Browsing files from your VPS using Visual Studio Code
Many hackers use VPS a lot. VPS stands for virtual private server and it's basically a machine somewhere in the cloud that you control. Some benefits from using them are that you don't need to install all hacking tools on your personal machine and if your IP...