Monday, March 18
TOP STORY
Katarina Borodina wrote a thing on how to get started pentesting, good overview to share with friends looking to break into the biz #longlivetheredteam. And on the pentester motif, check out PowerHub by Adrian Vollmer: web application which aids a pentester in transferring files, in particular code which may get flagged by endpoint protection.
HACKTIVITY HIGHLIGHTS
[Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure [133 upvotes] - $7,500 bounty for this report to Grabtaxi Holdings by @bagipro
Exfiltrate and mutate repository and project data through injected templated service [462 upvotes] - $11,000 bounty for this report to GitLab by @jobert
TWEET OF THE DAY
Hackers, I've built a small game that helps improve your XSS skills! It dynamically generates (increasingly more difficult) levels for you to exploit XSS vulnerabilities. No level is the same. Let me know what you think. Happy hacking! - @jobertabma
OTHER ARTICLES WE’RE READING
Security Voices Podcast: Jack and Dave talk security with other smart people like Wendy Nather, Zane Lackey, and Carey Nachenberg
CVE-2019-5418 - File Content Disclosure in Action View, time to write a Burp plugin
Sector:443’s Python for Reverse Engineering #1: ELF Binaries
Politico looks at Beto O'Rourke history of stances on cyber issues
Googling strangers, professor’s game with students highlights importance of OpSec in every day life
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
If I don’t skateboard through Bally’s hallway with @BetoORourke at @defcon this year I’m going to be disappointed.