Hive Five #18: Spring, Bugs, and the Crowd
Hi friends,
Greetings from the hive!
I hope you had a productive week and a relaxing weekend.
Spring cleaning is in full swing in our household, so I spent a majority of my weekend on those tasks. I'm also setting up my new office.
As mentioned in a previous newsletter, I have now finally switched to Buttondown as my newsletter provider. Let me know if there are any issues.
I also have exciting news to share! I've joined Bugcrowd as the Researcher Experience Manager Bee.
So far in my bug bounty journey I've met amazing people and made some great friends. They're some of the kindest, brightest, and most passionate people I've ever met in my life.
Life is short, hack it! My focus is to provide the best experience possible, putting the community front and center.
We all share a common goal, to make the internet safer, and it takes a crowd.
Let's take this week by swarm!
The Bee's Knees
USENIX Security '18 Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?: by James Mickens, Harvard University.
The Journey to Try Harder: TJnull's Preparation Guide for PEN-200 PWK/OSCP 2.0: After releasing the first version of my PWK/OSCP guide, Offsec released an update to the PWK/OSCP and included a key classification system to help students understand how course designations work.
DEFCON 17: Failure: Adam Savage, of MythBusters fame, talks about how he has screwed things up, lost friends and clients, and learned about himself in the process.
CRLF + XSS + cache poisoning = Access to GitHub private pages for $35k bounty: This video is an explanation of a bug bounty report submitted by 17-year-old Robert Chen and 14-year-old Phillip on HackerOne to GitHub's private bug bounty program.
Cybersecurity Ignorance Is Dangerous: A new book gets the policy recommendations right while making technical errors that could undermine trust in its conclusions, by Tarah Wheeler.
Sustain-A-Bee
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Buzzworthy
Changelog
Puredns v2.0.0: Better wildcard detection, work around DNS load balancing, very large file support, faster operation, and rewritten in Go.
FHC v0.5.0 - Fast HTTP Checker: Wordlists support for brute-forcing a custom -d/--domain, random user agent per request support.
projectdiscovery/httpx v1.0.6: Various bug fixes and features.
Events
Upcoming: GitHub Education: s0md3v, a working professional at @redhuntlabs, will join alongside @Th3lazykid. May 18, 7:00 PM.
Ongoing: WPScan - WordPress Security: is giving away a free @offsectraining OSCP (PEN-200) certification course for WPScan's 10th birthday!
Developing: The Apperta Data Breach Fiasco: The Apperta Foundation, a not-for-profit organization originally created by NHS England and funded by taxpayer money, seems to be embroiled in a very public data breach fiasco of their own making.
Ongoing: Cybrary's Free May Cybersecurity Courses Available Through May 31st: Cybrary's May free courses are now open for enrollments to all users.
News: Verizon sells Yahoo and AOL to private equity firm for $5 billion: Verizon announced that it will sell its digital media unit, including Yahoo and AOL, to private equity firm Apollo Global Management for $5 billion.
Celebrate
Spanish bug bounty show: Ariel is starting his own streaming show on bug bounty. The idea is to interview the best Latin American and Spanish-speaking hackers. Can't wait!
Ali Tütüncü: joined the 8000 reputation club on HackerOne. Awesome!
Azeria: is starting their dream job, Chief Product Officer of their favorite Arm security research product. Enjoy it!
Etienne Stalmans: is extremely excited to be joining aiven.io. Yes!
Hakluke started his own company: He quit Bugcrowd to chase his dreams and to obtain wealth, stop trading time for money, and to regain personal freedom. Wish you nothing but the best!
Jobs
Advice: Nailing your First Cybersecurity Interview! (Junior Level): some pointers on interviewing for an entry-level cybersecurity position, some questions to expect, and an example response to one of the questions.
Tip: d0nut on infosec roles: He didn't realize that some people were unaware of this, but for those looking for infosec roles currently, employers are generally more interested in hiring defenders rather than pentesters/red team.
Resource: tadwhitaker/Security_Engineer_Interview_Questions: the author spent a couple of hours in the spring of 2016 reading through Glassdoor.com to see what users submitted for security questions they'd received while interviewing for security engineer jobs.
Job: Threat Researcher Intern (Part-Time): Binary Defense, headquartered in Stow, Ohio, is a rapidly growing cybersecurity software and services firm with solutions that include SOC-as-a-Service, proprietary Managed Detection & Response software, Security Information & Event Management, Threat Hunting, and Counterintelligence.
Job: Staff DevOps Engineer (Remote, US): At FireEye we are committed to our OneTeam approach, combining diversity, collaboration, and excellence.
Articles
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit.
Workplace by Facebook | Unauthorized access to companies environment: A serious vulnerability found in Workplace, a corporate network from Facebook.
Redefining What it Means to be a Hacker with Eric Head aka todayisnew: There is a growing awareness, especially in the media, of hackers representing a force for good and addressing the security needs of an increasingly interconnected society.
Resources
houssem98/most-segenifcant: Tops of HackerOne reports.
Identify a Facebook user by their phone number despite privacy settings.
My first OOB XXE exploitation: Check out the other write-ups as well.
Videos
How to Hunt for Prototype Pollution Vulnerabilities in Open Source Bug Bounty | methodology: A bugbounty master with more than 500 contributions in open source, including 40+ vulnerability disclosures and 90+ security fixes, Arjun Shibu (0xsegf) details how to hunt for Prototype Pollution vulnerabilities in Open Source Software.
ARE CTF CREATORS EVIL?! - A Conversation around real-world CTFs with Adam Langley: What is a CTF and how do you create one from a real-world / bug bounty perspective?
iOS Hacking - Hacker101 series: 5 videos covering the basics of iOS hacking with your professor dawnisabel.
The World's 1st Open Source Bug Bounty Guide - Methodology, Tools, Resources by Mik317 (50+ CVEs): After a year of securing open source on huntr.dev, Mik_317 (50+ CVEs, 300+ GitHub projects secured) shares his proven methodology, tools, and resources.
Interview with MR_HACKER - top 20 on intigriti - methodology and tips & tricks: It was a new experience for both of them, so please pardon their weird expressions, awkward silences and everything in between.