
🐝 Hive Five 88 – The Age of Universal XSS, and One Takeover to Rule Them All

Hi friends,

Greetings from the hive!

I hope you had a good weekend. Sadly, one of our pets is sick, so that's been taking up a lot of my thoughts and time. Going to the vet again this week. I hope he feels better soon.

Here's something that I couldn't fit in the newsletter: if you're using Obsidian, there's now an official Dracula theme.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. The Age of Universal XSS: In August 1996, Internet Explorer joined the JavaScript security scene after it added JScript. During this era, from around 1996-2000, tons of bugs were found in what we would call today "Universal Cross-site Scripting".

  2. Pre-Auth Remote Code Execution - Web Page Test: Louka's first ManoMano article since joining in early April 2022.

  3. Breaking Bitbucket - Pre Auth Remote Command Execution (CVE-2022-36804): Often when performing application security research, they come across other researchers who have found critical vulnerabilities in software, which can inspire them to dig deeper as well. This was the case when they read the blog post from William Bowling about his RCE finding in GitHub Enterprise.

  4. One takeover to rule them all: Because of Covid, the first quarantine in France occurred in March 2020. During that time Gwendal wrote a Python script to detect Subdomain Takeover.

  5. Fuzzing XSS Sanitizers for Fun and Profit | Tom Anthony: In 1998 Tom was arrested for hacking, and was told he was looking at over 270 years in prison. Time for a career change! Tom went on to a life as an academic, earning a PhD in Artificial Intelligence, before starting a career as an SEO consultant (you think telling people you are a hacker is bad).

🙏 Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition.

You can also follow me on Twitter.

🔥 Buzzworthy

✅ Changelog

  1. Sharpener v2.0: Now supports Collaborator tab's icon.

  2. Deadfinder 1.1.0: Find dead-links (broken links).

  3. Intigriti - Edit & Remove Messages: Communicating with others about a bug or vulnerability that has been found and submitted as a report is one of the necessary key features for a bug bounty platform.

🎉 Celebrate

💰 Career

⚡️ Community

📰 Articles

  1. Exploiting Web3’s Hidden Attack Surface - Universal XSS on Netlify’s Next.js Library: On August 24th, 2022, they reported a vulnerability to Netlify affecting their Next.js "netlify-ipx" repository which would allow an attacker to achieve persistent cross-site scripting and full-response server side request forgery on any website out of the box.

  2. How Omer and Asi Abused Repository Webhooks to Access Internal CI Systems at Scale: As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity).

  3. AttachMe - critical OCI vulnerability allows unauthorized access to customer cloud storage volumes: Before it was patched, AttachMe could have allowed attackers to access and modify any other users' OCI storage volumes without authorization, thereby violating cloud isolation. Upon disclosure, the vulnerability was fixed within hours by Oracle. No customer action was required.

  4. SSRF vulnerabilities and where to find them: Server-Side Request Forgery (SSRF) occurs when an application accepts a URL (or partial URL) from the user, then accesses that URL from the server. It’s important to note that SSRF is only a vulnerability if there is some security impact.

  5. A Guide to DNS Takeovers - The Misunderstood Cousin of Subdomain Takeovers: Let's start with this: A DNS takeover is not the same as a subdomain takeover. Subdomain takeovers are old news. Hackers who caught onto them early made busloads of bounties by automating their detection and exploitation. They're still out there, but competition is fierce.

📚 Resources

  1. Beginner API hacking resources.

  2. Hitcon 2022 videos: Taiwan's leading cybersecurity conference.

  3. Video series for hak5 devices/flipper payload development.

  4. Taggart launches Python For Defenders Part 1: A free course that will familiarize you with the Python language, and the Jupyter environment for creating reusable notebooks for security operations.

  5. How to get good at reverse engineering in 2 weeks.

🎥 Videos

  1. Traveling? Drinking? Exercising? If you do, be VERY careful what you share online - OSINT tools!: It's scary what you can find out about people based on their social media posts - including their drinking and exercise habits. With just a few tools and techniques you can use Open Source Intelligence (OSINT) to find all kinds of information about people.

  2. Security Spotlight: Turning Authorization Vulns into Compilation Errors in Rust: When authorization services have errors, what happens?! Join Kyle and Nathanial as they dive deep into Dacquiri, Rust, and Authorization.

  3. How to turn bugs into a "passive" income stream! ft Detectify's Almroot: Crowdsource focuses on the automation of vulnerabilities rather than fixing bugs for specific clients.

  4. Smart Contract Series - Episode 04 - Analyzing A Smart Contract Vulnerability Worth $600,000+: A vulnerability in Port Finance could potentially allow $20M-$25M in total losses, but someone was able to identify it using their bug bounty program on Immunefi before it was exploited.

  5. Day[0] #152 - An iOS Bug, Attacking Titan-M, and MTE Arrives: This week they've got some summer highlights - the impact of MTE on Android, an iOS vuln and some primitive chaining in a Titan M exploit.

🎵 Audio

  1. Darknet Diaries Ep. 124 - The Scammer Who Got Rich Invoicing Facebook & Google for $100 Million: What do you get when you combine social engineering, email, crime, finance, and the money stream flowing through big tech? Evaldas Rimašauskas comes to mind. He combined all these to make his big move. A whale of a move.

  2. The Privacy, Security, & OSINT Show #279 - Comms Ownership & Open Databases: This week they discuss true ownership of our communications including phone numbers, email addresses, domains, and monikers, and present two OSINT updates including a new open people search database available for download.

  3. Smashing Security #290 - Uber, Rockstar, and crystal balls: Researchers reveal how your eyeglasses could be leaking secrets when you’re on video conferencing calls, they take a look at the recent data breaches involving Uber and Grand Theft Auto 6, and they cast an eye at what threats may be around the corner.

  4. Risky Business #679 - A look at Uber's very bad week.

  5. Malicious Life - King Kimble (Kim DotCom): The US government says that Kim Schmitz, better known as Kim DotCom, is the leader of a file sharing crime ring. He sees himself as an internet freedom fighter: a fugitive on the run from vindictive, overly powerful governments. Can King Kimble escape the wrath of the USA?

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
