🐝 Hive Five #33 – Live life

Hi friend,

Greetings from the hive!

I hope you had a great weekend. Mine was unexpectedly intense. There was a medical emergency in my family but thankfully all turned out well.

This event further emphasized a recurring thought I've been having, to live life to the fullest. Long-term goals are fine and all but make sure you're making the most out of every day. Let your loved ones know you care and don't forget to be silly once in a while!

In lighter news, I've recently purchased AfterShokz Aeropex, open-ear bone conducted headphones, to accompany me on my daily runs. So far I'm liking them a lot!

Let's take this week by swarm!

🐝 The Bee's Knees

1. How MarkMonitor left >60,000 domains for the taking: Thanks to Nagli and d0xing for helping figure out what was happening with this issue.

2. How does cryptography ACTUALLY work?: In this video they attempt to introduce you to some of the maths behind modern cryptography, which is in a sense how the world around us works now.

3. AutoRecon v2 (Introduction + Plugin Development): The reveal of AutoRecon v2.

4. Zoom RCE from Pwn2Own 2021: On April 7 2021, Thijs Alkemade and Daan Keuper demonstrated a zero-click remote code execution exploit in the Zoom video client during Pwn2Own 2021.

5. Rana Khalil's Web Security Academy Series: This course is based on a Youtube series called the Web Security Academy Series.

🙏🏻 Enjoy This Newsletter?

Join the Hive community! You can reach me on Twitter, or replying to this email also works.

💌 Want to sponsor an issue?

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

1. ProjectDiscovery Notify v1.0.0: New Features, more Providers.

2. danielmiessler/SecLists Release 2021.3.1.

📅 Events

1. buraaq is giving away a BugBountyHunt3r membership.

2. Six2dez is releasing ReconFTW v2.0: during their talk at @DragonJARCon 2021, 09/01.

3. Bugcrowd releases friends feature: Platform Collaboration in 5 Easy Steps.

🎉 Celebrate

1. Hack The Box reached 700k platform members: Huge congrats!

2. STÖK️ is getting a dog: Yay!

3. Nagli reached the HackerOne top 10 on the 90 day leaderbord: Awesome!

4. d0nut is moving soon. Have fun!

5. shenetworks started a YouTube channel: Go subscribe!

💰 Career Corner

1. "What tool/language was a game-changer for reaching your infosec goals?" asks casey.

2. Grow your best employees or lose them via Travis McPeak.

3. Marcus J. Carey Cybersecurity Job Thread.

📰 Articles

1. Oauth client secret leak and possible IDOR leading to PII Disclosure.

2. Blind XXE Leads to Internal Port Scanning Through SSRF.

3. How to Inspect Network Traffic: Weed out the noise to drill down to what your systems are doing and what could be a true threat.

4. How to set up Docker for Varnish HTTP/2 request smuggling: Alfred Berg, Security Researcher at Detectify, shows you how to set up an environment to test out HTTP/2 request smuggling.

5. Attack Surface Management. You’re (probably) doing it wrong..

📚 Resources

1. AWS/GCP resources via Katie Paxton-Fear.

2. Squid Cache (IBB) disclosed a bug submitted by jeriko_one.

3. A checklist based on the Cloud Security Orienteering methodology.

4. Beginner Burp Suite resources via Naffy.

5. beginner Cybersecurity and Information Security resources via Alexandria.

🎥 Videos

1. Controversial Security - BSides Berlin 2021.

2. Decentralizing Git Workflows with Abbey Titcomb of Radicle: Radicle is a new kind of code collaboration network built entirely on open protocols.

3. Cross-Site Request Forgery (CSRF) | Complete Guide: Covering the theory behind Cross-Site Request Forgery (CSRF) vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, how to exploit them and how to prevent them.

4. "You Changed My Life" with John Hammond (Hacker Heroes #11).

5. Prototype pollution in Google Analytics?! Solution to August '21 XSS Challenge.

🎵 Audio

1. Bug Bounty Reports Discussed 01: Finding bugs in Google VPR without recon - David Schütz.

2. 042: Cherie Hu - The Math Behind Water & Music, and a Successful Newsletter.

3. The InfoSec & OSINT Show 65 - Martina Dove PhD & The Psychology of Scams.

4. Not Investment Advice - Lumber Trader Explains What's Going On With Lumber (Bonus Episode).

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.