🐝 Hive Five #30 – The Beekeeper's Bible

Hi friends,

Greetings from the hive!

I hope you had a rejuvenating weekend. I did some soul searching, got a haircut, and started reading a book that I received as a gift - The Beekeeper's Bible: bees, honey, recipes and other home uses.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Introducing the Burp Suite Certified Practitioner accreditation: a three-hour exam that, if you pass, certifies your skills in web security testing.

2. Do NOT use alert(1) in XSS: Using the alert(1) XSS payload doesn't actually tell you where the payload is executed.

3. Google launches their new bug hunters platform: This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues.

4. $25,000 Stealing GitHub API token with a malicious pull request: This video is an explanation of a critical vulnerability in GitHub that was found by Teddy Katz. He got $25,000 from GitHub bug bounty p️rogram.

5. A Look Into zseano's Thoughts When Testing a Target.

🙏🏻 Enjoy This Newsletter?

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

💌 Want to sponsor an issue?

🔥 Buzzworthy

✅ Changelog

1. Tib3rius releases AutoRecon v2 (beta): Documentation will be updated over the next week or so, but for now please try it out and report any bugs and/or improvements.

📅 Events

1. Free Online Cybersecurity Bootcamp - August 5th: Aimed at people with minimal exposure to cybersecurity. Includes three 1-hour workshops.

2. Introducing Twitter’s first algorithmic bias bounty challenge: Finding bias in machine learning (ML) models is difficult, and sometimes, companies find out about unintended ethical harms once they’ve already reached the public.

3. Harsh Bothra speaking at BSides Berlin: he'll be looking at various attack scenarios that can be exploited if the application is using cookies for authentication.

4. Stefan releases the pfSense Fundamentals Bootcamp 2021.

🎉 Celebrate

1. MorningStar is in the top of the July leaderboard on Bugcrowd. Let's go!

2. Michele Romano turned 18: Congrats!

3. rez0 moved to a new house: Exciting!

4. Celebrating Pentester Nepal's 8th Anniversary w/ Bishal: Yay!

5. Augusto's first bug report was disclosed: Wow!

💰 Career Corner

1. Naffy's company is hiring: "We're currently hiring for Red Team - if you are a strong contender looking for a change please reach out to me via DM and we can chat further."

2. How to get your dream job (Twitter thread).

📰 Articles

1. Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth: It was found that the Shibboleth authentication module of Moodle suffers from a beautiful Remote Code Execution vulnerability from the unauthenticated perspective.

2. XXE in Public Transport Ticketing Mobile APP: This finding was an another private bug bounty program. The scope of the target was a ticketing android app (Prod). This app was a major Public Transport Ticketing app based out of Germany.

3. Potential remote code execution in PyPI: While PyPI has a security page, they don’t have a clear policy for vulnerability assessments.

4. Zimbra 8.8.15 - Webmail Compromise via Email: Zimbra is a popular webmail solution for global enterprises.

5. XXE Case Studies: The topic of this blog post is inspired by a bug they found earlier on a bug bounty program.

📚 Resources

1. CryptoHack: Get your hands dirty and learn about modern cryptographic protocols by solving a series of interactive puzzles and challenges.

2. What is your favorite Blue Team tool? (thread).

3. V33RU/IoTSecurity101: A Curated list of IoT Security Resources.

4. Active Scanning Techniques: This repository is a collection of different techniques in order to find specific hosts to scan.

5. Blocksec Incidents: A curated list of blockchain security incidents including exchange hacks, DeFi compromises, blockchain attacks, and others.

🎥 Videos

1. Let's Talk Phishing! | Watch Together & Q&A.

2. Hacker Heroes #7 - ceos3c (Interview): They talk to Stefan Rows (@ceos3c) who is a Youtuber, freelancer and crypto enthusiast.

3. The Creepiest OSINT Tool to Date.

4. Hacker Tools - JWT_Tool.

🎵 Audio

1. How to Take Over the World: This podcast analyzes the lives of some of the greatest men and women to ever live. Been loving this podcast (suggested by Daniel Miessler).

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.