Hive Five #12 “In three words I can sum up everything I've learned about life: it goes on.” - Robert Frost
Photo by Andrea De Santis / Unsplash
Hi friends,
Greetings from the hive!
I hope you had an awesome week. Mine was pretty sweet, had some good food, and there were several sunny days. I even figured out that light-mode works wonders when working outside in bright weather.
My website received some major improvements (changelog). Most notably, I added a become a supporter section, currently just a buy me a coffee link, and a custom 404 page, with a random bee fact!
Let's take this week by swarm!
Brought to you by
DigitalOcean - Get $100 to try it out: I use their VPS for all of my recon needs. Other things you can do: build apps, host websites, run open source software, learn cloud computing, and more - every cloud resource you need at an affordable price.
The Bee's Knees
Recovering a full PEM Private Key when half of it is redacted: A write-up covering how given a partially redacted PEM, the whole private key can be recovered. The Twitter user, SAXX, shared a partially redacted private RSA key in a tweet about a penetration test where they had recovered a private key.
TomNomNom talk about Networking Fundamentals: Let's learn a bit about networking. Slides
Hidden OAuth attack vectors: The OAuth2 authorization protocol has been under fire for the past ten years. You've probably already heard about plenty of "return_uri" tricks, token leakages, CSRF-style attacks on clients, and more.
Chapter 1 Security Fundamentals - Alice and Bob Learn Application Security: Tanya and guests answer and discuss questions about chapters of her book.
Buzzworthy
Events
!!Con - Call for Talk Proposals!: !!Con is back for their eighth year of celebrating the joy, excitement, and surprise of computing, and want you to submit a talk proposal.
March XSS Challenge - Intigriti: Find a way to execute arbitrary javascript on this page and win Intigriti swag.
Celebrate
Nicolas Grégoire: Company is 10 years old. Congrats!
Nathan Cavitt: Has his Bug Bounty Bday. What an amazing year!
Prash: Had his last day at @Hacker0x01. Excited for what's next!
d0nut: Is feeling better and tackled a bug in resync, allowing it to run 4x faster. Yeet!
Changelog
Burp Suite HTTP logger: Sneak preview of the native HTTP logger that is coming soon to Burp Suite.
BBRF v1.1.1 by Pieter: Has been released with a number of cool improvements.
OSINT VM: The 2021.1 release of the TraceLabs OSINT VM is out. This is a major release which includes a new menu, a default browser change (#Chromium) and a new updater process.
Telegram Voice Chats 2.0: Channels, Millions of Listeners, Recorded Chats, Admin Tools: Voice Chats first appeared in December, adding a new dimension of live talk to Telegram groups - now, they are available in channels too.
Jobs
Huge InfoSec job thread by HΞKLUKΞ: For both job posters and job seekers.
Articles
APT Encounters of the Third Kind: A few weeks ago an ordinary security assessment turned into an incident response whirlwind.
One day short of a full chain: Part 3 - Chrome renderer RCE: This is the last post of a series in which I exploit three bugs that can be used to form an exploit chain from visiting a malicious website in the beta version of Chrome 86 to gain arbitrary code execution in the Android kernel.
Thoughts on Threat Modeling: Personal views on threat modeling, how I approach threat modeling and what has worked for me (both as a Platform Security Engineer and vulnerability researcher).
Resources
Simpsonpt/AppSecEzine: Only just found out about AppSec Ezine and it has been releasing for 7 years!
New to bounties? by bugcrowd: They created a page containing links to everything you need to know including free educational resources, researcher docs, how to find bugs, beginner resources, how to get private invites, and more.
noraj/OSCP-Exam-Report-Template-Markdown: Now you can be efficient and faster during your exam report redaction.
Abusing Data Protection Laws For D0xing & Account Takeovers: A paper on Abusing Data Protection Laws For D0xing & Account Takeovers, leading to over 5 figures in bounties.
GraphQL hacking thread by Rami: Awesome collection of GraphQL resources.
Videos
AMA - Bug Bounty with Alex Chapman (Public): Alex Chapman talks about his approach to bug hunting, why he hunts on our platform and about his favorite scene from the movie Hackers.
$Echo - Nahamcon 2021 CTF Walkthrough: Optional's method for working through the $Echo challenge for Nahamcon 2021.
Function hooking, detours, inline asm & code caves [Game Hacking 101]: What happens if we want to do something which takes up more space than we actually have available to us?
The HackerCON: Hacking is NOT a Crime and Red Team Village "The HackerCON" streamed on Saturday, March 27, 2021.
SQL Injection - Lab #4 SQL injection UNION attack, finding a column containing text: Rana covering Lab #4 in the SQL injection track of the Web Security Academy.