🐝 Hive Five 115 - AI models become a threat to hackers, 2023 Web Hacking Roadmap, and why DNS always breaks the internet

Hi friends,

Greetings from the hive!

I hope you had a peaceful weekend. I’m writing this while listening to Merry Christmas Mr.Lawrence by Ryuichi Sakamoto.

I’ve noticed that the least bit of friction will prevent me from doing something. So, I’ve been slowly improving those processes, and automating where possible.

Make it easier for yourself. Cut things out of your life. Reduce scope.

What process have you improved lately?

Let’s take this week by swarm!

🐝 The Bee’s Knees

1. Our Future As Hackers Is At Stake! Copilot, ChatGPT and other AI models become a threat to hackers. We rely on insecure code, but when all developers moved over to code generated by AI, we will lose our job. We need to act fast! more

2. 2023 Web Hacking Roadmap - How To Bug Bounty. more

3. Why does DNS always break the internet? Katie talks about how the internet actually works and what we mean when we say web security. more

4. Leveraging LLMs for solving bounty hunting pain points. In 2022, Charlie embarked on a journey with jswzl, believing that a single developer could deliver immense value without a team by focusing on high-value outputs and minimizing low-leverage work. more | tool - socksprox

5. BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover. How Wiz Research found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal. more

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

1. HACKTORIA welcomes Joaquin Iglesias as their new CTF engineer. more

2. Caido released some much-requested features: Copy as cURL, Change between GET and POST in Replay/Forward, Timestamp of requests, and more. more

3. GitHub Copilot X was announced and it has an impressive set of new AI coding features. Learn how Microsoft is bringing ChatGPT features directly into your code editor. more

4. gwen001/related-domains 1.1.2. Find related domains of a given domain. more

5. Dalfox 2.9 Release. In this release of Dalfox, a flag has been added to record Dalfox traffic in HAR file and Raw HTTP Req/Res, which can be checked in CLI Output or JSON Report, etc. more

📅 Events

1. Yassine will be the keynote speaker for BSides Prishtina 2023: May 5-6. more

2. Rae Baker announced the official release of their book, Deep Dive: Exploring the Real-World Value of Open Source Intelligence: May 9th. more

More Upcoming Conferences and Security and Privacy Conference Deadlines.

🎉 Celebrate

1. Corben Leo is getting married. Congrats! more

2. d3mondev’s Puredns crossed 1k stars on Github. Awesome! more

3. ca$s:e cage is starting a new job. LFG! more

4. ProjectDiscovery passed 5000 members on Discord. Wonderful! more

5. chompie launched their website: chompie at the bits. Hooray! more

💰 Career

1. Become a LinkedIn Search Ninja: Advanced Boolean Search. more

2. Want an unfair advantage in your tech career? Consume content meant for other roles. more

⚡️ Community

1. Jason Haddix introduces WebSecGPT, your AI security buddy. more

2. STÖK working his lighting magic. more

3. lil c filmed and edited another video. more

4. Masonhck357 dropped 7 vulns (4 crits) on a program and they closed the next day - completely killing his hacking drive. more

📰 Read

1. PHP filter chains: file read from error-based oracle. This attack method was first disclosed during the DownUnder CTF 2022, where @hash_kitten created a challenge where the players where asked to leak the /flag file with an infrastructure based on the following Dockerfile and code snippet. more

2. You Are Not Too Old (To Pivot Into AI). more

3. How to avoid the aCropalypse. Last week, news about CVE-2023-21036, nicknamed the “aCropalypse,” spread across Twitter and other media. more

4. Cognitive Biases in Hacking. In this post monke describes a few of the common biases that may occur in your thought process, with examples for each. more

5. Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. CloudTrail is a crucial AWS service that provides a record of API calls and other important activities in AWS environments. Teams can use this information for auditing purposes and to identify potential security incidents. more

📚 Resources

1. ZwinK shares Android pentesting resources. more

2. People sharing their biggest mistake they’ve made in bug bounty. more

3. Fun lab/training/CTF techniques, tactics, exploits or tools that are not suitable for a junior tester to use on a client unsupervised or at all. more

4. Decurity/semgrep-smart-contracts contains Semgrep rules for smart contracts based on DeFi exploits. more

5. People’s best tricks, tools and ideas for wordlist generation. more

🎥 Watch

1. HackTheBox - Sekhmet walkthrough. more

2. Broken Access Control - Lab #10 User ID controlled by param with password disclosure. more

3. In this video, Tib3rius walks through the solutions to the Hack The Box Cyber Apocalypse CTF 2023 web challenges. more

4. Cloud Hacking: The Basics. more

5. Cheat Engine: Beating the Final Game. Tutorial 10 in a Game Hacking Series. more

🎵 Listen

1. Day[0] Binary Exploitation Podcast 200- Integer Bugs & Synthetic Memory Protections. They talk about Pwn2Own policy changes, a couple memeable overflows, and some new anti-ROP mitigations on OpenBSD. more

2. Day[0] Bug Bounty Podcast 199 - Bypassing CloudTrail and Tricking GPTs. They discuss applying AI/ChatGPT to security research, but before that they have a few interesting vulnerabilities. more

3. Critical Thinking - Bug Bounty Podcast Episode 13: How to Find a Good BBP + Acropalypse + ZDI. In this episode they talk about how to determine if a bug bounty program is good or not from the policy page. more

4. Smashing Security 315: Crypto hacker hijinks, government spyware, and Utah social media shocker. A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden’s commercial spyware bill, and Utah gets tough on social media sites. more

5. Risky Business #701 - Why infosec is wrong about TikTok. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.