🐝 Hive Five #13 “Life is what happens to us while we are making other plans.” ― Allen Saunders
Photo by Alvaro Reyes / Unsplash
Hi friends,
Greetings from the hive!
Happy Easter! I hope everyone had a wonderful week. Mine was pretty crazy.
After the STOK shout out in Bounty Thursdays, Daniel Miessler surprised me with a glowing review of both my newsletter and website. Having been inspired by both, I find it humbling and motivating.
Speaking of my website, I published a new post, Essential Bug Bounty Books for Beginners and Pros. I also added the option to buy me nectar on my website. The first to do so was 0xtavian, thanks again!
Let's take them by swarm.
🐝 The Bee's Knees
States and Nomads: Handling Software Complexity - Forward 3 Web Summit: We routinely make systems that exceed our ability to understand completely. This talk is an exploration of how other, older disciplines have approached these problems, and what we as software engineers can learn from them.
Security YouTuber Drama...: I don't even know what this video is about.
DAY[0] Episode 70 - Google exposes an APT campaign, PHP owned, and Several Auth Issues: A podcast featuring vulnerability research, exploit development, and general security/technology discussion.
Why Isn't Functional Programming the Norm? – Richard Feldman: Richard is a member of the Elm core team, the author of Elm in Action from Manning Publications, and the instructor for the Intro to Elm and Advanced Elm courses on Frontend Masters.
Reverse Engineering For Everyone!: A FREE comprehensive reverse engineering course covering x86, x64, 32-bit ARM & 64-bit ARM architectures.
✨ Sponsor
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
🔥 Buzzworthy
📅 Events
SSTIC: For the first time ever, the SSTIC challenge is available in English!
2021 Diana Initiative: Back again in 2021 as a virtual conference, The Diana Initiative is a two-day conference to elevate, inspire, and support women of all races, cultures, and backgrounds through every stage of their information security career with education, collaboration, and resources.
🎉 Celebrate
Ali Tütüncü: Is happy they joined Synack Red Team. Yahoo!
HackerOne: Congrats to Todayisnew on reaching the $2 million bounty milestone on HackerOne. Wow!
Rana Khalil 🇵🇸: Achieved a second Youtube channel milestone, 5000 subscribers. Well deserved!
Youssef Sammouda: Had a crazy week in February in which I was able to find 3 interesting account takeovers in Facebook, resulting in a total of $100k in bounties. Cha-ching!
zseano 🛡️: Mentions that a @BugBountyHunt3r member found their first bug, a P1 on Google VRP. Amazing!
✅ Changelog
Better T(weet)Deck: Version 4 is live, the result of ~2 years of work, is a huge rewrite and has a lot of cool new features.
VRT v1.10 Released: Flash downgrades and extended automotive categorization: With the vulnerability categorization being central to many security teams’ reporting, it’s essential to get the insight and visibility needed to make decisions.
resync portscanner Armada: Armada /16 Port Scan Demo — 65536 IPs, 7 Ports, 4 total attempts, 1 second timeout each attempt — completed in about 8.9s finding roughly 450 open ports.
💰 Jobs
📰 Articles
Ubiquiti All But Confirms Breach Response Iniquity: For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price.
How Runescape catches botters, and why they didn't catch me: Player automation has always been a big concern in MMORPGs such as World of Warcraft and Runescape, and this kind of game-hacking is very different from traditional cheats in for example shooter games.
Giving Back to the Community with Ben Bidmead aka pry: Collaboration and human connection are significant trends in cybersecurity.
Why we reinforced vulnerability management with a bug bounty program: Information security today is all about keeping one step ahead of those who would do you dirty.
Is Foundational Knowledge (Networking, Coding, Linux) Really That Important When Learning to Hack?: An answer to the common question “what prerequisite knowledge is required to start learning hacking?”.
📚 Resources
Intigriti XSS Challenge 0221 Write-Up: This month’s XSS Challenge was made by @Holme.
Top 25 Vulnerability Parameters based on frequency: For basic research, the top 25 vulnerable parameters based on frequency of use, with reference to various articles.
Facebook account takeover due to a bypass of allowed callback URLs in the OAuth flow: This bug could allow a malicious user to take over Facebook or Instagram accounts due to missing URL path checking in the fallback_redirect_uri parameter specified in the Facebook OAuth flow endpoints.
http2smugl: HTTP2 request smuggling security testing tool: This post describes in detail what HTTP2 request smuggling is and suggests an open-source tool, http2smugl, that detects such kinds of vulnerabilities.
Journeys in Quoteless and Multi Reflection XSS: Cross Site Scripting is a tricky bug to fix and bypasses for these fixes can be even trickier.
🎥 Videos
SQL Injection - Lab #4 SQL injection UNION attack, finding a column containing text: This lab contains an SQL injection vulnerability in the product category filter.
SQL Injection - Lab #5 SQL injection UNION attack, retrieving data from other tables: This video covers Lab #5 in the SQL injection track of the Web Security Academy.
OSINT Efficiency: Extending & Building Tools - Keynote | SANS OSINT Summit 2021: This session takes participants through the process of how to create efficiency with information collection.
🎵 Audio
Interview: Amir Majidimehr, Audiophile Industry Disruptor: In this standalone episode Daniel speaks with Amir Majidimehr.
I Love My Underground Classics: STÖK shares his love for 90s / early 2k underground-ish hip hop.
Pentester Diaries Ep2: 2FA Bypass Techniques: In this episode, Jon Helmus speaks with Harsh Bothra, a pentester with an appetite for learning and sharing his knowledge.
Sources and Sinks - Insider Attacks with Katie Paxton-Fear: Vickie Li talks to Katie Paxton-Fear, a cybersecurity researcher and lecturer, on how we can mitigate the risks of insider threats.