• Hive Five
  • Posts
  • šŸ Hive Five 127 - Authentication vulnerabilities, Hacking Google Cloud, and Wordlists

šŸ Hive Five 127 - Authentication vulnerabilities, Hacking Google Cloud, and Wordlists

Author

Bee
June 26, 2023

Hi friends,

Greetings from the hive!

Itā€™s getting hot in herre. Iā€™m writing this newsletter while sitting outside, watching kids play around in a water pool.

Earlier today, I went to the gym for the first time in a while.

Hereā€™s to a wonderful summer.

Letā€™s take this week by swarm!

šŸ The Beeā€™s Knees

  1. Authentication Vulnerabilities - Complete Guide. In this video, they cover the theory behind authentication vulnerabilities, how to find these types of vulnerabilities, how to exploit them and how to prevent them. more

  2. Hacking Google Cloud? Every year Google celebrates the best security issues found in Google Cloud. This year LiveOverflow takes a look at the 7 winners to see if we could have found these issues too. more

  3. Microsoft has revamped their security documentation site. Technical guidance that helps security professionals build and implement cybersecurity strategy, architecture, and prioritized roadmaps more

  4. BishopFox/jsluice, written by TomNomNom, is a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. Fun fact, itā€™s named after a ā€œsluice boxā€ a thing you use to find gold. more

  5. Bug Bounty: Wordlists. You are only so good as your weakest link. And in bug bounty, most peopleā€™s weakest link, and most ignored is always their wordlists. more

ļøšŸ’Ŗ Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

šŸ”„ Buzzworthy

āœ… Changelog

  1. New CVSS. Who dis? The 4.0 spec has a positive line regarding Privileges Required. more

  2. Waymore v1.22 is a way to find more from the Wayback Machine. more

  3. owasp-amass/amass v3.23.3 is an in-depth attack surface mapping and asset discovery. more

šŸ“… Events

  1. Hack The Box meetup in France on 06/29. more

  2. Sanne is a finalist for Woman Hacker of the Year. Go vote for her! more

  3. leHACK kernel panic / democracy daemon crashed edition. We need to remind ourselves the roots and the original ethos of hackers and hacktivists. Runtime: 06/30 to 07/02. more

šŸŽ‰ Celebrate

  1. Sam is super impressed by 17-18 year olds that are participating at Live Hacking Events. Love to see it! more

  2. Damian is cofounding a Legal Tech Startup. Exciting! more

  3. ā€œThe Bug Musketeersā€ earned a 40k bounty at Intigritiā€™s 1337UP0623. Letā€™s go! more

  4. The Critical Thinking podcast recorded a sick pod with 2x MVH Inhibitor. Canā€™t wait to listen! more

  5. Ali finished 4th overall in his first HackerOne Live Hacking Even in London. Amazing! more

šŸ’° Career

  1. Google is hiring Senior Researcher in the Netherlands, Mandiant, Google Cloud. more

  2. Roles for pentesters that are looking to transition. more

  3. Sherrod shares actionable tips for those that want to work in cyber threat intelligence. more

  4. The most important piece of career advice you probably never heard: ā€œFix the lifestyle you want. Then work backwards from there.ā€ more

  5. Farah Hawa shares some learnings from her recent job hunting process, right from applying and interviewing to accepting an offer. more

āš”ļø Community

  1. Hackers bot finally had its Twitter API key banned on June 22nd. The last tweet said: ā€œAs hackers taught us, capitalism corrupts all beautiful tings, and queer will always end victorious. [ā€¦]ā€ more

  2. Caitlin got a beeautiful tattoo during HackerOneā€™s Live Hacking Event in London. more

  3. Dave got a new tattoo with a great story behind it. more

  4. Cyber Kitten is ready for Hacker Summer Camp. more

  5. Katie came full circle, back to where she started. more

šŸ“° Read

  1. Piotr shares a next level phishing scam involving Discord. more

  2. Another bug bounty story by Soroush, taking on the challenge of bypassing a Web Application Firewall (WAF) for XML External Entity (XXE) injection. more

  3. Scan to scam: how thieves can steal credits at cashless music festivals. Convenience is king, especially at music festivals where every extra minute spent in line can prolong the queue with hours. more

  4. AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice. While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass. more

  5. A white paper on Emotional Intelligence. Harnessing OSINT methods to uncover the emotions and moods of individuals. more

šŸ“š Resources

  1. A collection of concise write-ups on small things Josh learned day to day across a variety of languages and technologies. more

  2. mindedsecurity/semgrep-rules-android-security is a compilation of Semgrep rules derived from the OWASP Mobile Application Security Testing Guide (MASTG) specifically for Android applications. more

  3. CVExploits is a database of exploits for all of the old & new common exposures and weaknesses (CVEs) by collecting the exploits automatically from around the internet websites & projects such as (github, gitlab, packet storms ecurity, metasploit modules and many more). more

  4. Destroyed by Breach. Adrian created and started maintaining this research after coming across a fake stat many years ago, that ā€œ60% of small businesses will close up within six months of a cyber attackā€. more

šŸŽ„ Watch

  1. In this 4th video in the series customizing Parrot with ansible, ippsec configures Iptables/UFW and Auditd. more

  2. Ippsec walks through HackTheBox - Stocker. more

  3. Intruder Alert Ep. 3 - Hacktivism and Bug Bounties with Nahamsec. more

  4. Casey delivers ā€œRelease the Hounds, Part 2 - 11 Years Is A Long-Ass Timeā€ as the keynote for BSides Knoxville on May 12th, 2023. This talk covers the history of vulnerability disclosure and crowdsourced security testing platforms, and dives into cybersecurity entrepreneurship. more

  5. The video stresses that there is no one specific path or set of requirements for becoming an ethical hacker or entering the cybersecurity industry, and it is important to avoid the harmful mentality of gatekeeping. more

šŸŽµ Listen

  1. We Hack Purple Podcast 78 with Jason Haddix. They talk about artificial intelligence, and (of course) how to hack it. more

  2. The Privacy, Security, & OSINT Show 301 - Self-Hosted 3: Calendars, Contacts, & Notes. more

  3. Smashing Security 327: Markā€™s metaverse for minors, and getting down to business. more

  4. Critical Thinking - Bug Bounty Podcast Episode 24: AI + Hacking with Daniel Miessler and Rez0. more

  5. Petaflops to the People: from Personal Compute Cluster to Person of Compute with George Hotz of tinycorp. They talk about how tinygrad is taking on Nvidia, Google, and PyTorch with a tiny team, building in public with AMD, hot takes on ggml, Mojo, and GPT-4, and why AI Girlfriend is next. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.