
🐝 Hive Five #34 – Queen bee

Hi friends,

Greetings from the hive!

I hope you had an awesome weekend. Here in the US, we're enjoying a long one.

I'm toying with launching a Patreon for the Hive community. What to expect:

  • Every week I'll post the resources that don't fit in the newsletter

  • Newsletter archives

  • securibee sticker

  • Early access to upcoming content

  • Private Discord community for all of the above

  • And more

I'd love to get your input. Hit me up.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Snapchat disclosed report - Improper Authentication: Any user can log in as another user via the otp/logout and otp/login endpoints.

  2. You don't need a (CS) degree to thrive in tech: Eva's degrees are in Political Science and International Relations. Some of the smartest people they know in tech have degrees in Classics and Ceramics.

  3. Lawyers, Bugs, and Money: When Bug Bounties Went Boom: For as long as there have been computers, there have been bugs. That’s damn near 100 years and an uncountable number of bugs, some big, some small, some with wings, some that lived for decades. Part two and Part three.

  4. Ben Sadeghipour Live Recon interview w/ Daniel Miessler: This is probably one of the most engaging interviews he has hosted. If you are interested in cyber security, school/certifications, personal growth, mental health or just life, this one is definitely for you!

  5. CVE-2021-26084: OGNL injection leading to remote code execution on Confluence Server and Data Center.

🙏🏻 Enjoy This Newsletter?

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. Nuclei v2.5.0: Nuclei project reached the 5k mark on GitHub yesterday, and here we are with v2.5.0, the next version of the Nuclei engine.

  2. People OSINT workflow update by cybersecstu.

  3. Pentester Land added lots of new writeups.

📅 Events

  1. BeyondTrust’s Women in Security Networking Event on 9/21/21 at 12pm ET: Cassie is looking forward to participating and she will be discussing “Developing a Security Strategy – The Human Factor”.

🎉 Celebrate

  1. Sean Melia, HackerOne's 13th million-dollar hacker: Congrats!

  2. Patrik crossed 1000 vuln reports in ~9 years of bug hunting. Amazing!

  3. Chris Sullo joined ProjectDiscovery: Exciting!

  4. Hakluke released CreatorConnect: This is great for orgs who want to produce better cybersecurity content. Awesome!

  5. AEMSecurity started a new job: as a Sr. Security Architect at AirGate Technologies Inc. Wonderful!

💰 Career Corner

📰 Articles

  1. Introduction to smart contract security and hacking in Ethereum: Here you'll find resources and complementary educational material to start your journey in security and hacking of smart contracts in Ethereum.

  2. How do we secure ManoMano applications with our DIY pipeline?: Securing ManoMano applications before they get delivered to the production environment is of utmost importance.

  3. Automating Authorization Testing: AuthMatrix – Part 1: If you’ve ever encountered a large web application with multiple roles, each with their own distinct permissions, you will understand the pain that comes with testing for authorization issues.

  4. How blue teams can defend against Dependency Confusion and other novel supply chain attacks: Supply chain attacks keep evolving, and one of the most interesting methods to emerge lately is Dependency Confusion. Detectify Crowdsource hacker Aleksandr Krasnov shares how security engineers can defend against it.

  5. 30 Days Of 120 Days High Frequency Hacking: This small read will act as a “checking in” of 120 Days of frequent hacking.

📚 Resources

  1. Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing [Whitepaper download]: Alissa Knight is a recovering hacker of 20 years, and is one of the leading IoT/connected device hackers in the industry today, so when it comes to hacking APIs she’s seen a lot.

  2. More secure Facebook Canvas: A tale of $126k worth of bugs that led to Facebook account takeovers.

  3. Learning Solidity: The companion to the Youtube tutorials.

  4. Smart Contract Security Verification Standard: Smart Contract Security Verification Standard (v1.1) is a FREE 14-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

  5. Beginner Reverse Engineer resources via D4RCKH.

🎥 Videos

  1. "Want To Find An RCE To Get Tattoo" with Farah Hawa - Hacker Heroes #12: Farah spreads infosec awareness across social media, from YouTube to Instagram.

  2. BHIS | Uncovering Secrets and Simplifying Your Life with CyberChef - BB King.

  3. Building a secure application: the first step | Security Simplified: What should every developer do before they start writing code?

  4. Discussing Heap Exploit Strategies for sudo: We have a heap buffer overflow, but how can we exploit this now?

  5. CSRF - Lab #1 CSRF vulnerability with no defenses | Long Version: This lab's email change functionality is vulnerable to CSRF.

🎵 Audio

  1. Thinkst Canary researcher roundup Q3 2021: Grab quarterly reviews by sec researchers with decades in the field.

  2. The Privacy, Security, & OSINT Show: 225-Lessons Learned This Week.

  3. We Hack Purple Podcast: Episode 46 with Sunny Wear.

  4. The Swyx Mixtape: Why Invest in Developer Community? GitHub OCTO Speaker Series.

