🐝 Hive Five 89 – Never dupe again, best bugs people have found, and hacking Google

Hi friends,

Greetings from the hive!

This week I'm starting with some sad news. As I mentioned previously, our dog was having health issues. Sadly, we lost him last week. After trying everything, numerous tests, and visits to the vet, he passed away in my arms at home.

Sometimes, I still want to take him out for a walk or bring him his food.

I implore you to give your pet some extra love. Take your dog for a walk without technology, and savor the moment. Just you and your best friend.

I wish I could, if only for one more time.

Let's take this week by swarm!

🐝 The Bee's Knees

1. What's the best bug people have found?: renniepak asks.

2. How ANYONE can track your car using only your license plate.

3. LevelUpX - 8 Ways to (Almost) Never Get a Dupe Again with InsiderPhD: In this video, Katie walks us through how to become better hunters by teaching us how we can avoid dupes. Katie's tips include how to develop expertise, exploring geographic or payment gates, playing to your strengths, and more!

4. Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned): In March 2022, they teamed up on a private Bug Bounty program organized by Whitejar to search for bugs on a website that was using Akamai CDN.

5. H4CK1NG G00GL3: The best way to stop a hacker is to think like one.

🙏 Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition.

You can also follow me on Twitter.

🔥 Buzzworthy

✅ Changelog

1. Fleex adopts HashiCorp Packer as a build system.

2. Hack The Box Penetration Tester path has arrived.

3. hahwul/dalfox v2.8.2: DalFox is an powerful open source XSS scanning tool and parameter analyzer, utility.

4. ZephrFish/BurpFeed v1.0.1: Hacked together script for feeding urls into Burp's Sitemap.

5. dnsx v1.1.1: Added CAA dns query, added CDN detection, added AXFR zone transfer detection.

📅 Events

1. Nicolas Grégoire is working on a new version of his Burp Pro tips and tricks talk: targeted for 2023.

2. Cybersecurity Summit 2022 - A Truesec Event - November 16, 2022: Cybersecurity is a two-sided setup. The Red Team versus the Blue Team - a comprehensive offensive and defensive approach with one common goal - to improve an organization's cybersecurity capacity. Which team will you play for?

3. Fetch the Flag CTF - November 9 (hosted by Snyk): Ready to take your security skills to the next level? Compete in 16 hands-on hacking challenges in Fetch the Flag CTF.

🎉 Celebrate

1. Tanner Gill was promoted to senior developer at 1Password: Congrats!

2. Jenish bought his first car: Drive safe!

3. Celebrating Pentesterlab et al: Thank you!

4. Corben found numerous critical bugs in crypto companies: Wow!

5. Sunil reached $100K+ on Bugcrowd: Awesome!

💰 Career

1. AASLR - Job Hunting Like a Hacker with Jason Blanchard.

2. EFF is hiring Associate General Counsel.

3. Favorite offsite activies/ice breakers: Sarah asks.

⚡️ Community

1. XSS severity discussion: via Renniepak.

2. Corben challenges himself to find a buyer for a domain name.

3. Michael Skelton bought a goat farm.

4. EdOverflow et al enjoyed BountyCon and Singapore.

5. hakluke sold their house and bought a caravan.

📰 Articles

1. Daniel commentating on the "Glitched on Earth by humans" talk by Lennert: "Another of my top 2022 talks".

2. Corben hacked a gaming company this year: Find out how he did it.

3. The Thorny Problem of Keeping the Internet’s Time: In 1977, David Mills, an eccentric engineer and computer scientist, took a job at COMSAT, a satellite corporation headquartered in Washington, D.C.

4. ZTH-CH4 - Hook & Sling - Phishing For Gold: There are hundreds if not thousands of blog posts, awareness articles, and documentation on phishing, user awareness, and breaking down specifics.

5. Exploits Explained - 5 Unusual Authentication Bypass Techniques: Ozgur Alp is a member of the Synack Red Team and has been awarded SRT of the Year 2021, Most Trusted Hacker 2021, Mentor of the Year 2022 and SRT Grand Champion for 2019, 2020 and 2021. New authentication methods are working wonders to boost cybersecurity at many organizations.

📚 Resources

1. 2FA Bypass Techniques mindmap.

2. FFuF resources via Tushar.

3. Security and Privacy Conference Deadlines: An easy way to find CFP deadlines.

4. HardwareAllTheThings: A list of useful payloads and bypasses for Hardware and IOT Security.

🎥 Videos

1. Hack websites demo and how to get paid for real hacks: Vickie Lee demos Insecure Direct Object References (IDOR) and tells us how to get into bug bounty.

2. HackTheBox - Scrambled.

3. HackerOne's h1-702 Paid How Much??!: NahamSec vlogs about the event.

4. Day[0] 154 - SoCs with Holes, Crow HTTP Bugs, and Bypassing Intel CET: Starting off with meme vulnerabilities in UNISOC BootROMs, and ending with a discussion about bypassing CFI/Intel CET and some fun issues in-between.

5. Bellingcat Hackathon - Action Transcription: A tool for creating a repository of transcribed videos.

🎵 Audio

1. Smashing Security #291 - Deepfake dangers, AI image opt out, and controlling your urges: Anti-porn “shameware” apps take a privacy pounding, is your image already being used by AI, and deepfake danger continues to deepen.

2. The Privacy, Security, & OSINT Show #280 - The Future Of Extreme Privacy: This week they offer a glimpse into the major projects they are working on for the next level of Extreme Privacy.

3. Malicious Life - What it’s Like to Fight LulzSec - ML B-Side: The name Lulzsec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity.

4. Risky Business #680 - Uber, Rockstar Games hacker arrested.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.