he Source Code Sniffer is a poor man’s static code analysis tool (SCA) that leverages regular expressions. Designed to highlight high risk functions (Injection, LFI/RFI, file uploads etc) across multiple languages (ASP, Java, CSharp, PHP, Perl, Python, JavaScript, HTML etc) in a highly configurable manner.
https://github.com/frizb/SourceCodeSniffer

Gaining Filesystem Access via Blind OOB XXE
https://hawkinsecurity.com/2018/03/24/gaining-filesystem-access-via-blind-oob-xxe/

Tip Anti-CSRF token.
When faced with CSRF tokens, sometimes deleting the token parameter, sending an empty token or simply reusing your own token is sometimes more than enough to bypass some solutions of anti CSRF tokens
Via: https://twitter.com/alyssa_herrera_/status/977619512785649664?s=21

WPHunter A Wordpress Vulnerability Scanner
https://github.com/Jamalc0m/wphunter

h1-202 leaderboard photo discloses local wifi password
https://hackerone.com/reports/329798

A journey in the insecurity of JSON Web Tokens : https://www.slideshare.net/mobile/snyff/jwt-insecurity

Hacking Oracle in 5 Minutes
https://medium.com/bugbountywriteup/hacking-oracle-in-5-minutes-b52107a6124c

2018-03-26 | Facebook’s Android app harvesting call logs, AutoFuzz patch rewards by Google, and The newcomers guide to threat actor naming https://www.hackerone.com/zerodaily/2018-03-26

Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal)
https://medium.com/@logicbomb_1/bugbounty-rewarded-by-securing-vulnerabilities-in-bookmyshow-indias-largest-online-movie-bb81dba9b82

Reverb.com went public on Hacker0x01 today: https://hackerone.com/reverb

Misconfiguration of Demographics Privacy in a Page
https://medium.com/@markchristiandeduyo/misconfiguration-of-demographics-privacy-in-a-page-682feb1179f2

From hacked client to 0day discovery
https://security.infoteam.ch/en/blog/posts/from-hacked-client-to-0day-discovery.html

2018-03-27 | Aadhaar data leak, Facebook Container by Firefox, and XSS auditor reporting to report URI
https://www.hackerone.com/zerodaily/2018-03-27

Stored XSS (client-side, using cookie poisoning) on the pornhubpremium.com https://hackerone.com/reports/311948

[Bypass WAF] Php webshell without numbers and letters
https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/

2018-03-28 | City of Atlanta returns to the digital age, PowerPoint exploits are so choice, and That cryptomining side hustle
https://www.hackerone.com/zerodaily/2018-03-28

How to Hire a Rockstar Security Researcher For Your Company
https://blog.appknox.com/hire-security-researcher/

Upcoming Facebook Platform Changes
Reward people who find vulnerabilities: Facebook’s bug bounty program will expand so that people can also report to us if they find misuses of data by app developers. We are beginning work on this and will have more details as we finalize the program updates in the coming weeks.
https://developers.facebook.com/blog/post/2018/03/26/facebook-platform-changes/

Tools to gather subdomains from Bug Bounty programs
https://github.com/bonkc/BugBountySubdomains

Extra program metrics disclosed via /PROGRAM_NAME json response
https://hackerone.com/reports/327088

Bypass XSS Protection (Event Handler filtering) with string+slash
http://www.hahwul.com/2018/03/bypass-xss-protection-event-handler.html