🐝 Hive Five 123 - 100 Bug Bounty rules and Burp Suite Pro tips & tricks talk v2

Hi friends,

Greetings from the hive!

I randomly stumbled upon a subreddit for Volume Eating. You’re probably thinking what I was: what in the world is that? Well, it turns out that it focuses on low-calorie food that you can consume in high volumes, such as this brownie recipe.

What have you randomly stumbled upon lately?

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. 100 (very) short bug bounty rules by Douglas Day. more

  2. Security Fest 2023 contains two days filled with great talks by internationally renowned speakers on some of the most cutting edge and interesting topics in technical information security. day 1 | day 2

  3. BSidesSF 2023 talk by Alethe Denis titled HALT AND CATCH FIRE: Social Engineering CTFs for fun to a job as a Professional Red Team Social Engineer. While the contests were fun and seemingly glamorous, the reality of SE for money was much different. more

  4. This is a map of 400,000+ GitHub projects. Each dot is a project. Dots are close to each other if they have a lot of common stargazers. more | repo

  5. The highly anticipated sequel to Nicolas Gregoire’s epic Burp Suite Pro tips and tricks talk. more | slides

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🏞️ Bee’s Eye View

🔥 Buzzworthy

Changelog

  1. nccgroup/LoggerPlusPlus v3.20.0 added colored tags, faster grepping, Montoya API support and more. more

  2. RetireJS/retire.js 4.2.2 is a scanner for detecting the use of JavaScript libraries with known vulnerabilities. It can also generate an SBOM of the libraries it finds. more

📅 Events

  1. Free (ISC)² training and exam voucher for the Certified in Cybersecurity certification. more

  2. Hardwear.io Security Trainings and Conference USA 2023 (30th May - 3rd June 2023). more

💰 Career

  1. Jakoby is looking for employment: something red team, anything with PowerShell, and making educational content. more

  2. Writing the perfect resume to land your first Go job. Jonathan critiques someone in that exact position. more

  3. The Electronic Frontier Foundation (EFF), an established San Francisco-based nonprofit organization defending online privacy and free expression, is looking for an organized and enthusiastic Event Coordinator to join EFF’s fundraising team and bring the digital rights community together. more

  4. How to write resume bullets that get interviews. Recruiters don’t read your resume. Instead, they skim through it. more

⚡️ Community

  1. Jason shares his thoughts on personal brands. more

  2. Jonathan is looking for a lawyer as he’s been subpoenaed in a federal class action lawsuit regarding some security research. more

  3. Orange Tsai is back from Taiwan after traveling around the world for two months. He visited Peru, Chile, Mexico, and London. more

  4. The Future of LiveOverflow. Fabian discusses his YouTube Financials and what’s next. more

  5. How SOCs are training people on Linux and teaching them about responding to alerts from EDR or custom detections. more

📰 Read

  1. One Bug at a Time. Gavin chronicles the first 15 of their 30 days of bug bounty. During that time, they spent 22.84 hours and found 15 bugs. more

  2. Bruteforce vs Permutations: a comparison of whether bruteforce or permutation generation is more interesting, and also of whether it is always worth it. more

  3. The AI trust paradox implies that improving AI accuracy and reliability requires extending AI capabilities with access to tools and external data sources. What are some complaints people make when using AI? more

  4. Don’t @ Me: URL Obfuscation Through Schema Abuse. A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. more

  5. A Practical Guide for OSINT Investigators to Combat Disinformation and Fake Reviews Driven by AI (ChatGPT). more

📚 Resources

  1. macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes. This list does not include overlapping Unix binaries that are detailed in GTFOBins. more

  2. OWASP Top 10 for Large Language Model Applications. The project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs). more

  3. Level 1 Threat Hunting Training. Some goals for the class are defining “cyber threat hunting”, identifying how to perform a threat hunt, and more. more | slides

  4. bbhunter/Auto_Wordlists generates wordlists in three different ways: trusted resolvers, the Google Hacking Database, and web fuzzing/discovery wordlists. more

  5. freakyclown/Nuclei_templates is a public repo of Nuclei scanner templates. more

🎥 Watch

  1. Directory Traversal - Lab #3 File path traversal, traversal sequences stripped. This lab contains a file path traversal vulnerability in the display of product images. more

  2. Finding Your First Bug. NahamSec stresses the importance of practical experience in hacking and bug bounty hunting. more

  3. Web Hacking with Caido. A core feature that wasn’t mentioned is the concept of an instance: you can deploy Caido on any cheap VPS and access your instance remotely. more

  4. Taggart takes on Husky’s latest creation: TryHackMe - Weasel. more

  5. The Hacker’s Mindset for Beginners. In this video, g0lden talks about how the hacker’s mindset that everyone talks about can be utilized by beginners in the scene. more

🎵 Listen

  1. A great soundtrack to listen to while working: Lord Of The Rings. more

  2. Black Coffee spiritual DJ set at Mixmag Live, London. An amazing set that brings you into a trance. more

  3. Cloak & Dagger is an OSINT Podcast. This week they discuss To Catch a Predator with Griffin Glynn. more

  4. The Privacy, Security, & OSINT Show 298 - OSINT Maintenance. This week Jason joins them to talk about the nuances of keeping all your OSINT accounts, tools, and techniques maintained, plus they each share their most recent OSINT successes. more

  5. Critical Thinking - Bug Bounty Podcast Episode 20: Hacker Brain Hacks - Overcoming Bug Bounty’s Mental Tolls. In this episode they dive into the world of “hacker brain hacks” and overcoming challenges in bug bounty hunting. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
