• Hive Five
  • Posts
  • šŸ Hive Five 129 - I miss the old internet

šŸ Hive Five 129 - I miss the old internet

Author

Bee
July 10, 2023

Hi friends,

Greetings from the hive!

Happy belated 4th of July. This new internet got me in my feelings.

This time, TweetDeck has been ā€œimprovedā€ and will move behind a paywall. This also means that one of my favorite Chrome extensions, BetterTweetDeck, is no more.

Letā€™s take this week by swarm!

Shot by TESSĀ 

šŸ The Beeā€™s KneesĀ 

  1. Live web app hacking using Caido with itā€™s co-founder sytten. Caido is a lightweight web security auditing toolkit. moreĀ 

  2. A hacker interview with Ryan Montgomery aka 0day. more

  3. Full Disclosure - DOM-based XSS And Failures In Bug Bounty Hunting. Kuldeep shares a bug bounty failure and 3 actionable takeaways. moreĀ 

  4. Hunting for Nginx Alias Traversals in the wild. This article delves into the intricacies of Nginx, focusing on the location and alias directives that are central to how Nginx handles specific URLs. more

  5. Patch Diffing CVE-2023-28121 to Compromise a WooCommerce. Back in March 2023, Julien noticed an interesting security advisory that was published by Wordfence about a critical ā€œAuthentication Bypass and Privilege Escalationā€ (aka CVE-2023-28121) affecting the ā€œWooCommerce Paymentsā€ plugin which has more than 600. more

ļøšŸ’Ŗ Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

šŸ”„ Buzzworthy

āœ… Changelog

  1. TweetDeck has been ā€œimprovedā€ and will be a paid feature. more

  2. j3ssie/osmedeus v4.5.0 is a workflow engine for offensive security. more

  3. j3ssie/metabigor v1.2.5 is an OSINT tools and more but without API keys. more

  4. For Kali Linux, pip install is on the way out. Installing Python packages must be done via APT, aka. Kali Linuxā€™s package manager. Python packages coming from other sources should be installed in virtual environments. more

šŸ“… Events

  1. NahamSec is thinking about hosting a bug bounty meet up at Defcon with Jason and STƖK. more

  2. STƖK, Dylan, and Jesper broke stuff for science usingā€¦Uranium?! I look forward to seeing the full story. more

  3. Paul started his own company, Coastline Cyber. A boutique cyber security consulting firm. more

  4. People loved Jasonā€™s first live course. The next Bug Hunterā€™s Methodology takes place this weekend. more

  5. FIRST.org (CVSS) removed the previously celebrated self-service provisioned accounts statement to many bug bounty hunters dismay. more | follow-up

šŸŽ‰ Celebrate

  1. Kuldeep was recognized as an SRT Hero and member of the Circle of Trust. Letā€™s go! more

  2. ninetynine was invited to their first Live Hacking Event in Las Vegas no less. Good luck! more

  3. Jane joined Meta to work on Threads. I canā€™t wait to see your influence! more

  4. Ian left his job at Robinhood to work on Seats Aero full-time. Awesome! more

šŸ’° Career

  1. TIL there are severance package hunters. more

  2. Corgi shared her fast food history with a surprising twist: Operation Big Mis-Steak. more

  3. Renniepak shares his struggles with taking time off while being self-employed. more

  4. Fletcher, the CIO of Cisco, shares his journey in the tech industry, emphasizing the importance of passion and attitude in succeeding in the constantly changing field. more

  5. Starting a new job? Here are four actionable tips for new hires which you can implement in your first 90 days. more

āš”ļø Community

  1. If Twitter falls, the OSINT community needs a new home, says fs0c131y ā€” Iā€™m also concerned with fragmentation and losing the overview. more

  2. A discussion around getting maximizing bounty payouts vs proving that actual security vulnerabilities are worth paying for. more

  3. A collection of InfoSec handles on Metaā€™s Twitter clone, Threads. more

  4. What did you buy with your first bounty payout? more | source

  5. It became public that a hacker accessed HackerOne email addresses in a recent disclosed report. more| discussion

šŸ“° Read

  1. A Journey Into Hacking Google Search Appliance. more

  2. CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection. the focus at ProjectDiscovery is on enhancing their open-source solution, Nuclei, by incorporating templates for trending CVEs. more

  3. Exploiting XXE with local DTD files. This little technique can force your blind XXE to output anything you want. more

  4. DNS Analyzer helps you find DNS vulnerabilities with Burp Suite. more | tool

  5. Why ORMs and Prepared Statements Canā€™t (Always) Win. The Sonar Research team discovered several SQL injection vulnerabilities in Soko, a software deployed on the Gentoo Linux infrastructure. These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements. more

šŸ™ Support

Enjoy reading the Hive Five? You can treat me to a coffee!

šŸ“š Resources

  1. A collection of public security research. more

  2. A discussion around disclosing bug bounty reports reports and sharing methodologies. more

  3. Whitecyberduckā€™s useful Cybersecurity Websites. more

  4. Books that have significantly impacted how people do business. more

  5. Sleuthcon 2023 videos have been posted. This conference is designed to highlight the work done by people and organizations to identify and explore cybercrime and financially-motivated cyber threats. more

šŸŽ„ Watch

  1. JWT Authentication Bypass via jwk Header Injection. Learn about JSON Web Token (JWT) vulnerabilities. more

  2. Top 3 bug bounty tips by NahamSec, who made $100K in 2 months. more

  3. Generic HTML Sanitizer Bypass Investigation. LiveOverflow stumbled upon a weird HTML behavior on Twitter and started to investigate it. more

  4. Ippsec takes on another HackTheBox box, Inject. more

  5. Rana is back with Web Security Academy. This time she covers Authentication Vulnerabilities - Lab #1 Username enumeration via different responses. more

šŸŽµ Listen

  1. We Hack Purple Podcast 79 with Isabelle Mauny, where they discuss several of the challenges when creating secure APIs. more

  2. Archwisp shared offline copies of all of the Defcon parties mixes and videos. more

  3. Smashing Security 329: Pornhub, Barbie dolls, and can you trust a free TV? more

  4. Critical Thinking - Bug Bounty Podcast Episode 26: Client-side Quirks & Browser Hacks. more

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. Itā€™s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.