
Hive Five #25 – Open redirects, experience, and being okay

Hi friends,

Greetings from the hive!

I hope you had a great weekend. No big updates from me this week. I've started running every day; before, I usually took 1 or 2 rest days. I'm also continuing to work on my systems and habits.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. LiveOverflow asks: What are the top arguments why pure "Open Redirects" should be classified as a vulnerability?

  2. Seven years of the GitHub Security Bug Bounty program: Security is core to GitHub’s mission and their Product Security Engineering team is focused on continuously driving improvements to how GitHub develops secure software.

  3. How to solve a challenge from Intigriti in under 60 minutes: Twelve hours before the deadline, the latest XSS challenge from Intigriti had been solved by only 14 people. Many people ask how they solve those challenges so quickly, and the answer to that question is probably experience.

  4. Being Okay With Not Being Okay: Getting Candid with Ben Sadeghipour – NahamSec.

  5. My Experience For 2 Years In Bug Bounty Hunting: Ahmad Halabi summarizes the experience gained during the bug bounty journey they started 2 years ago.

πŸ™πŸ» Enjoy This Newsletter?

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. honoki/bbrf-server: Update to the bbrf-server image, which now installs with a reverse proxy that compresses data over the wire.

  2. InjuredAndroid - CTF: the walk-throughs now include the solution for flag 18.

📅 Events

  1. Mazin Ahmed is speaking at Bsides Amman about their ongoing research on cloud security, starting with "Attack Vectors on Terraform Environments". Save the date: July 3rd.

  2. NIST is requesting comments by August 9 on their recommendations for federal vulnerability disclosure: This is important, Jack Cable says. Help our government out by sharing your feedback.

🎉 Celebrate

  1. Naomi not Niomi: announces the launch of their new nonprofit, Cybersecurity Gatebreakers Foundation (@cybersecuritygb), dedicated to closing the "demand gap" in cybersecurity. Amazing!

  2. Rocky Bandana: receives a $5,000 bug bounty from Apple. Congrats!

  3. Kishore Krishna: had their first day at the office as a Security Consultant. Woot!

  4. Shaun: received some awesome swag from the BBC. Cool!

  5. meg: celebrates their journey to having a MS in cyber, a CISSP, working on a leading cyber team, and having a cybersecurity brand that is 30K strong. Let's go!

💰 Jobs

📰 Articles

  1. How to get the max out of an IDOR?: If you stick to a specific target, you will be able to understand its functionality in depth, and this knowledge gives you the opportunity to make the most out of a specific bug, since different affected endpoints mean multiple reports.

  2. How We Are Able To Hack Any Company By Sending Message - $20,000 Bounty [CVE-2021-34506].

  3. LEXSS: Bypassing Lexical Parsing Security Controls: TL;DR: By using special HTML tags that leverage HTML parsing logic, it is possible to achieve cross-site scripting (XSS) even in instances where lexical parsers are used to nullify dangerous content.

  4. Building XSS Polyglots: XSS polyglots are quite popular among beginners and lazy XSS testers since they only require a single copy and paste.

  5. Lightning Components: A treatise on Apex Security from an External Perspective: The power of custom development on the Salesforce platform using its proprietary programming language, Apex, is undeniable.

📚 Resources

  1. Twitter Q&A with zseano.

  2. Infosec House: A curated list of resources and tools for both offensive/defensive security operations.

  3. Dealing with Burnout.

  4. barrracud4/image-upload-exploits: This repository contains various old image exploits (2016 - 2019) for known vulnerabilities in image processors.

  5. awesome-apisec: A collection of awesome API Security tools and resources.

🎥 Videos

🎡 Audio

