🐝 Hive Five 133 - How to Study Bug Bounty Hunting

Hi friends,

Greetings from the hive!

Bram Moolenaar, the creator of Vim, passed away on August 3rd according to his family. His software and approach have profoundly impacted my journey and that of many others.

In addition to his work on Vim, Moolenaar was an advocate for ICCF Holland, which supports AIDS relief in Uganda. Donate now.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. HTML Over the Wire - A new web app architecture pattern is being adopted by many popular frameworks. Let’s talk about risk! TL;DR: Early web applications made you wait after every click until it could render an HTML response on the server and send it back. more

  2. CSRFing VS Code’s Debug Adapter Protocol. Local debug adapter TCP servers, deployed as part of a Debug Adapter Protocol (DAP) implementation used by VS Code, Visual Studio and other development tools, are vulnerable to cross-site request forgery (CSRF) from malicious JavaScript executed in the IDE user’s web browser. more

  3. Hahwul is excited to announce the release of his toy project called ‘Noir’. It’s a source code analysis tool that identifies API endpoints, methods, parameters, and more within the source code, providing various formats of output. more

  4. How to Study Bug Bounty Hunting. Learning how to hack and applying it to bug bounty can be approached in a variety of ways. While there isn’t a clear-cut path to follow, simply providing a list of recommended resources isn’t always very helpful to all types of learners. more

  5. Leaked Secrets and Unlimited Miles: Hacking the Largest Rewards Vendor. Between March 2023 and May 2023, they identified multiple security vulnerabilities within points[.]com, the backend provider for a significant portion of airline and hotel rewards programs. more

Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. HackerOne is letting go of employees. more

  2. ZAP is a founding member of the Software Security Project. more

  3. An insight into the ongoing NCC layoffs by Tib3rius. more

  4. jesseduffield/lazydocker v0.21.1 is the lazier way to manage everything docker. more

  5. Intigriti introduces ranged bounties: a flexible and granular bounty mechanism. This addition provides program editors the ability to define minimum and maximum bounty amounts per severity level. more

📅 Events

  1. A chance to win a golden ticket to Intel’s Project Circuit Breaker event. more

  2. Zomato is running a campaign for SQL injection (50% bonus) on their select assets on HackerOne. more

  3. PentesterLab is doing two workshops at DEFCON. more

  4. NahamSec, Jason Haddix, and STÖK are hosting a meetup on Thursday. more

  5. Betting on Your Digital Rights: EFF Benefit Poker Tournament at DEF CON 31. more

🎉 Celebrate

  1. Douglas crossed 20,000 reputation on HackerOne. Let’s go! more

  2. d0nut and his partner have been together for 8 years. Congrats! more

💰 Career

  1. Things you can do as a candidate to stand out when applying for jobs. more

  2. d0nut shares a sad realization: “You’re seldom rewarded for working hard and long hours, but rather for working on the right high impact work.” more

  3. Two program/vulnerability management individuals are looking for new roles. more

  4. How to manufacture luck and get your next job. more

  5. How To Become A Penetration Tester. more

⚡️ Community

  1. Ben on exceeding his DEFCON expectations and achievements. more

  2. Fishing is something that Kyle likes doing when not researching security stuff. more

  3. Corgi on how fascinating it is how much context in media is lost through time/generations. more

  4. Hackers are getting ready for H1-813 in Tokyo. more

  5. Retired full-time bug hunters share their perspective. more

📰 Read

  1. AWS WAF Bypass: invalid JSON object and unicode escape sequences. more

  2. Huawei Theme Manager Arbitrary Code Execution. more

  3. Wiz Research discovers CVE-2023-2640 and CVE-2023-32629, easy to exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu users. more

  4. Don’t you (forget NLP): Prompt injection with control characters in ChatGPT. Like many companies, Dropbox has been experimenting with large language models (LLMs) as a potential backend for product and research initiatives. more

  5. Serverless Functions Post-Mortem. Around 2016, the term “serverless functions” started to take off in the tech industry. In short order, it was presented as the undeniable future of infrastructure. It’s the ultimate solution to redundancy, geographic resilience, load balancing and autoscaling. more

🙏 Support

Enjoy reading the Hive Five? You can treat me to a coffee!

💡 Tips

  1. Check out The Safe Room show by AWS CIRT on Twitch. They talk about security in the cloud, security trends, and more. more

  2. Exploiting SQL injection vulnerabilities is all about your knowledge of the target’s Database Management Systems, reading documentation, and leveraging specific functions. more

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @0xAshFox | AshF0x // Peer | Just a guy trying to get into CyberSecurity. Teaching myself with books and the internet.

  2. @adamwathan | Adam Wathan | Creator of @tailwindcss. Listener of Slayer. Austin 3:16.

  3. @zeldman | zeldman | Author. Designer. Web Standards Godfather. Employer Brand at @Automattic. Publisher, @AListApart, @ABookApart. Ava’s dad. Pete’s brother. He/him.

  4. @n7_sec | n7 | Web App Sec | Bug Bounties | OSCP / CRT

  5. @cassidoo | Cassidy | Making memes, dreams, & software! CTO at @contendaco! Married to @ijoosong. I like jokes and mechanical keyboards! She/Her.

🚀 Productivity

  1. Delegation hack: for any task you delegate, have the person record a 3 min video of how they do it. more

  2. 7 Habits For Effective Text Editing 2.0. A large percentage of time behind the computer screen is spent on editing text. Investing a little time in learning more efficient ways to use a text editor pays itself back fairly quickly. more

  3. 6 key components that make up the perfect formula for ChatGPT and Google Bard: Task, Context, Exemplars, Persona, Format, and Tone. more

  4. Streamline Your Workflow: How A Personal User Manual Can Improve Collaboration. more

  5. How Danny focuses 8+ hours a day. more

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. Best tools that you can embed on a webpage where people can submit questions. more

  2. Tuts+ Code (originally Nettuts) is closing — It was one of the main educational resources I’ve leveraged on my journey. more

  3. Behind “Hello World” on Linux. What happens when you run a simple “Hello World” Python program on Linux? more

  4. Run Llama 2 on your own Mac using LLM and Homebrew. more

  5. AI Creativity: Can LLMs Create New Things? Is generative AI output novel creation or simple imitation? more

🧠 Wisdom

  1. Stop caring about what you should do. more

💛 Cross-pollination

  1. Amazing coffee table books. more

  2. Not Today, Pal with Robert Iler and Jamie-Lynn Sigler — I found out that AJ and Meadow from the Sopranos have a podcast, and I couldn’t be happier. more

  3. Sounds of Space: Hear the Music of the Universe - more

🐝 Fact

As knowledge about beekeeping spread, so did the search for more sophisticated forms of beehive. While skeps were still widely used, there was continual experimentation with different types of straw for skep-making and with different types of wooden hive. The chief aim was to create a hive that prevented the keeper from having to kill the bees in order to harvest the honey.
