
๐Ÿ Hive Five 101 โ€“ Read the Bleeping RFC, Meth to Netflix, and Speedrunning Web3 Bug Hunts

Hi friends,

Greetings from the hive!

Merry Christmas and happy holidays.

As I reflect on the recent passing of Maxi Jazz, I'm reminded of the carefree days of my youth. Memories of the joy and simplicity of dancing to Faithless's hits like Insomnia and God is a DJ. Those were simpler times, and this loss emphasized my commitment to living a more minimalistic life, focused on doing less but doing it better, as Marcus Aurelius advised.

Among other projects, I want to declutter my space and simplify my schedule to focus on what's truly important. I want to live with intention and purpose, striving to be my best every day.

What about you? What are your current goals, and how are you working to achieve them?

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. RTFR (Read The Bleeping RFC), a talk by securinti @ NahamCon 2022 EU. Find out how to read RFCs to find unique vulnerabilities. more | thread

  2. Meth to Netflix: ThePrimeagen story. One of Twitch's most entertaining streamers shares his background and lessons learned. more

  3. I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS. When are copy-paste payloads not self-XSS? When it's stored XSS. Recently, spaceraccoon reviewed Zoom's code to uncover an interesting attack vector. Along the way, they dived into the ClipboardEvent and DataTransfer web APIs and learned a lot about dynamic drag-and-drop internals. more

  4. Twelve Days of ZAPmas: Day 1 - Setting Up ZAP. A rundown of some of the ins and outs of working with OWASP Zed Attack Proxy (ZAP). more

  5. Better Make Sure Your Password Manager Is Secure. As part of a security analysis, kuekerino (T / M), ubahnverleih (T / M) and parzel (T / M) examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). more

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

✅ Changelog

  1. v1.12 of waymore is available, featuring a new argument -c / --config to specify the full path of a YML config file. If not passed, it looks for config.yml in the same directory. more

  2. Taborator update: added keyword search on IP and payload, "mark all as read", and "clear req/res". The number of stored req/resp pairs is now limited to reduce memory consumption when using the $collabplz placeholder. more

📅 Events

  1. Lupin's Xmas challenge! Can you solve our Xmas Challenge and trigger the alert on the page? more

  2. PenTester Nepal Christmas special final infosec quiz for the year 2022. This quiz is designed to test your knowledge and skills in the field of cybersecurity, and upon completion, you will receive an official certificate of completion. more

🎉 Celebrate

  1. Bug Bounty Hunter latest Hackevent winners: IamVictorTeh and AyushSingh1098. Congrats! more

  2. Andy is 731 days sober. Let's go! more

  3. 4n6lady finished the year with their newest accomplishment and are now SAA certified. Woohoo! more

  4. Vegeta passed eLearnSecurity's eWPTXv2 exam. Hooray! more

  5. BugBountyHQ's daughter was born. Awesome! more

💰 Career

  1. Marcus J. Carey's 12/22/2022 Cybersecurity Job Thread. more

  2. The TMCF Resume template. more

โšก๏ธ Community

  1. sw33tLie on how much quick payouts impact the overall results of a bug bounty program. more

  2. chompie on being in the security industry for 5 years, but still feeling like a noob. more

  3. People's goals for 2023 via Louis. more

  4. Jason Haddix is moving on after leading Ubisoft's security team for the last 4 years. more

📰 Read

  1. How Monish hacked a company. more

  2. ManageEngine ADManager Plus Remote Code Execution. By then, the Log4j vulnerability was already widespread on the internet, and ManageEngine had already patched ADManager Plus so that it was no longer affected by it. more

  3. Shennina Framework - Automating Host Exploitation with AI. more

  4. Speedrunning Web3 Bug Hunts. more

  5. Daniel's philosophy and recommendations around the LastPass breaches. more

📚 Resources

  1. Information security newsletter suggestions via Rami. more

  2. Advice on how to start with RFID Hacking. more

  3. AWS CIRT announces the release of five publicly available workshops. more

  4. JavaScript for hackers book by PortSwigger researcher Gareth Heyes, who is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. more

🎥 Watch

  1. Securing Open Source Dependencies: It's Not Just Your Code That You Need to Secure. The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. more

  2. Marcus talking cybersecurity/infosec, and answering viewer questions. more

  3. Do You Have What it Takes to be Gone in 60 Seconds? more

  4. How to Recover Removed Website Content Using Maltego in 5 Minutes. more

  5. Sun introduces Superbacked, possibly the world's most advanced backup and succession planning app. more

🎵 Listen

  1. Malicious Life: How Netflix Learned Cloud Security. Jason Chan was hired by Netflix at its pivot point back in 2011, to lay the foundations for its cloud security protocols. more

  2. Smashing Security 303: Secret Roomba snaps, Christmas cab scams, and the future of AI. Beware your Roomba's roving eye, the Finns warn of AI threats around the corner, and watch out when hailing a cab in Dublin. more

  3. JRE #1908 - Erika Thompson. Erika Thompson is the owner and founder of Texas Beeworks, an organization promoting public awareness and education about the valuable work bees and beekeepers do. more
