🐝 Hive Five 121 - IIS Auth Bypass, Securing AI, and making 100k in 2 months

Hi friends,

Greetings from the hive!

I hope you had a nice weekend. I’m trying out a new way to combat procrastination and building habits. It’s a play on Sahil Bloom’s 30 for 30, but instead of 30m, you spend 15m for 30 days.

For the actual implementation I’m using an embedded Pomodoro timer inside of Obsidian, my PKM tool of choice. This approach is inspired by this tweet from Anne-Laure.

How do you build new habits? Let me know!

Let’s take this week by swarm!

🐝 The Bee’s Knees

1. Bypass IIS Authorization with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3. It’s time to look at Sitecore again! In 2021 Assetnote’s security research team took a look at Sitecore and found some nice vulnerabilities. more

2. Securing AI - Prompt Injection Defense. After LiveOverflow explored attacking LLMs, in this video he finally talks about defending against prompt injections. Is it even possible? more | Related: Delimiters won’t save you from prompt injection

3. NahamSec made $100,000 in two months. How did he do it? Through luck, hard work, choosing the right programs, manually searching for for bugs such as authorization issues, and paying attention to details. more

4. The CodeQL Bug Bounty program operated by the GitHub Security Lab aims at scaling the security research community’s work across open source projects. A maximum payout is capped at $7,800 USD corresponding to 8 critical CVEs. more

5. Exploring Algorithm Confusion Attacks on JWT: Exploiting ECDSA. JSON Web Tokens (JWT) are widely used for authentication in modern applications. As their use increases, so does the importance of understanding common attacks against them, such as algorithm confusion attacks. more

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🏞️ Bee’s Eye View

🔥 Buzzworthy

✅ Changelog

1. 4 years after the first version, Hisxo started working on gitGraber again. He added the possibility to filter results by commit date and I also made some improvements. more

2. You can now encode and decode text straight from the HackerOne platform. more

3. Obsidian insider now has a PDF viewer that feels much more native and integrated in the app. more

4. owasp-amass/amass v3.23.2 is an in-depth Attack Surface Mapping and Asset Discovery. more

5. Nuclei Templates v9.5.0 contains essential template enhancements. This update brings bring significant enhancements that will improve your overall experience. However, this release also includes breaking changes. more

🎉 Celebrate

1. Hussein turned 25 years old. Congrats! more

2. Ankit was invited by Dell Technologies to demonstrate live Hacking at Dell Unplugged in Mumbai. Amazing! more

3. Truesec is growing which means bigger and better STÖK studios. Let’s go! more

4. White Cyberduck passed the OffSec Certified Professional (OSCP) with 6/6 machines. Let’s go! more

5. Remon bought a new desk with a built-in RBG controller. Looks amazing! more

💰 Career

1. Buddobot is looking for an Account Executive. more

2. An insight into career paths. How did your peers and mentors got where they are today. more

3. The video discusses the benefits of using an AI assistant during the job search process while emphasizing the importance of personalization and specificity. more

⚡️ Community

1. Hakluke had an idea for bug bounty programs: “An API where you send a subdomain or IP and it tells you whether that asset is in scope or not.” Turns out that HackerOne already supports something of the sort. more

2. Whenever d0nut travels it makes him want to write code and do security research. more

📰 Read

1. Attacking APIs by tainting data in weird places. Never trust user input. Every developer in the world who has attended even the most basic appsec training have had this drilled into their head. Yet, every month we continue to see examples of attacks against APIs that occur because of data that have been tampered with in unexpected ways. more

2. Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot. Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. more

3. Lily Clark celebrating her mentor and friend Don. He actually started an online community called the The Ethical Hacker Network or EH-net back in the early mid 2000s that jump started and connected many of the infosec greats we know today. He’s that guy. more

4. RCE due to Dependency Confusion - Hey everyone! I’m back with another cool write-up about a bug bounty report I submitted to a private program on HackerOne. Guess what? I got a $5,000 reward and they took care of it in just 30 minutes! more

5. Account Takeover of Internal Tesla Accounts. Tesla Retail Tool (TRT) allows logins from both and was not checking what IDP the user logged-in with (auth[.]tesla[.]com vs sso[.]tesla[.]com). more

📚 Resources

1. A list of resources to help you get started on your bug bounty adventure. more

2. A 21 day free Python for OSINT. more

3. Harvard CS50’s Introduction to Programming with Python. Learn Python programming from Harvard University. Topics include database design, scalability, security, and user experience. more

4. A free Golang course with bonus projects. Learn the Go programming language in this full course for beginners. You’ll practice writing performant, idiomatic Go with these hands-on lessons and challenges. more

5. A collection of exploits targeting vBulletin. more

🎥 Watch

1. HackTheBox - Interface walkthrough. Ippsec uses various methods to investigate the site’s API and eventually discovers a vulnerability in the Dompdf library. more

2. Directory Traversal - Lab #1 File path traversal, simple case. This lab contains a file path traversal vulnerability in the display of product images. more

3. All about Nuclei Matchers. In this video, you are going to learn about config files. more

4. Lily walks through TryHackMe - The Diamond Model which includes various components such as the adversary, victim, capability, and infrastructure. more

5. The hacker in the board room: The journey from hacker to CISO with Jason Haddix. more

🎵 Listen

1. Smashing Security 321: Eurovision, acts of war, and Twitter circles - Twitter shares explicit photos without users’ permission, one US company can look forward to a $1.4 billion payout seven years after an infamous cyberattack, and how might hackers target Eurovision? more

2. Critical Thinking - Bug Bounty Podcast Episode 18: Audit Code, Earn Bounties. They dive into everything source-code related: how to get source-code and what to do with it once you have. more

3. Day[0] Bug Bounty Podcast 209 - Bad Ordering, Free OpenAI Credits, and Goodbye Passwords? They open up this weeks bug bounty podcast with a discussion about Google’s recent support for passkeys, tackling some misunderstanding about what they are and how open the platform is. more

4. The Privacy, Security, & OSINT Show 296 - The Argument for a Stock Browser. This week they present an argument supporting the use of an untouched stock browser with no privacy and security hardening. Sharpen your pitchforks. more

5. Intruder Alert Ep. 3 - Hacktivism and Bug Bounties with Ben Sadeghipour (aka Nahamsec). In this episode, Marcus and Nahamsec discuss the notorious APT41 threat group and the growing threat of hacktivism on the cybersecurity landscape. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.