Hi friends,
Greetings from the hive!
I hope you had a rejuvenating weekend. I did some soul searching, got a haircut, and started reading a book that I received as a gift - The Beekeeper's Bible: bees, honey, recipes and other home uses.
Let's take this week by swarm!
🐝 The Bee's Knees
Introducing the Burp Suite Certified Practitioner accreditation: a three-hour exam that, if you pass, certifies your skills in web security testing.
Do NOT use alert(1) in XSS: Using the alert(1) XSS payload doesn't actually tell you where the payload is executed.
Google launches their new bug hunters platform: This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues.
$25,000 Stealing GitHub API token with a malicious pull request: This video is an explanation of a critical vulnerability in GitHub that was found by Teddy Katz. He got $25,000 from the GitHub bug bounty program.
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
🔥 Buzzworthy
✅ Changelog
Tib3rius releases AutoRecon v2 (beta): Documentation will be updated over the next week or so, but for now please try it out and report any bugs and/or improvements.
📅 Events
Free Online Cybersecurity Bootcamp - August 5th: Aimed at people with minimal exposure to cybersecurity. Includes three 1-hour workshops.
Introducing Twitter’s first algorithmic bias bounty challenge: Finding bias in machine learning (ML) models is difficult, and sometimes, companies find out about unintended ethical harms once they’ve already reached the public.
Harsh Bothra speaking at BSides Berlin: he'll be looking at various attack scenarios that can be exploited if the application is using cookies for authentication.
🎉 Celebrate
Michele Romano turned 18: Congrats!
rez0 moved to a new house: Exciting!
💰 Career Corner
Naffy's company is hiring: "We're currently hiring for Red Team - if you are a strong contender looking for a change please reach out to me via DM and we can chat further."
📰 Articles
Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth: It was found that the Shibboleth authentication module of Moodle suffers from a beautiful Remote Code Execution vulnerability from the unauthenticated perspective.
XXE in Public Transport Ticketing Mobile APP: This finding was from another private bug bounty program. The scope of the target was a ticketing Android app (Prod). This app was a major public transport ticketing app based out of Germany.
Potential remote code execution in PyPI: While PyPI has a security page, they don’t have a clear policy for vulnerability assessments.
Zimbra 8.8.15 - Webmail Compromise via Email: Zimbra is a popular webmail solution for global enterprises.
XXE Case Studies: The topic of this blog post is inspired by a bug they found earlier on a bug bounty program.
📚 Resources
CryptoHack: Get your hands dirty and learn about modern cryptographic protocols by solving a series of interactive puzzles and challenges.
V33RU/IoTSecurity101: A Curated list of IoT Security Resources.
Active Scanning Techniques: This repository is a collection of different techniques in order to find specific hosts to scan.
Blocksec Incidents: A curated list of blockchain security incidents including exchange hacks, DeFi compromises, blockchain attacks, and others.
🎥 Videos
Hacker Heroes #7 - ceos3c (Interview): They talk to Stefan Rows (@ceos3c), who is a YouTuber, freelancer and crypto enthusiast.
🎵 Audio
How to Take Over the World: This podcast analyzes the lives of some of the greatest men and women to ever live. Been loving this podcast (suggested by Daniel Miessler).