🐝 Hive Five 93 – Supercharge your hacking, web app checklist, and community

Hi friends,

Greetings from the hive!

I hope you had a good weekend. First of all, happy Halloween 👻

Last week, d0nut tweeted some productivity thoughts about how a browser should have vertical tabs. Then someone reminded me that Edge has this feature which I may have to give another go.

I also came across a new browser that builds upon that process called SigmaOS. I haven’t tried it, but it looks interesting.

Speaking of vertical column layouts, lately I've been thinking about how beneficial a TweetDeck column UI is. It gives you an overview, and each column can be highly filtered and customized.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Justin Gardner web app checklist.

2. Tinker on community: "Humans are social creatures". "No man is an island." "There is strength in numbers." "Community is everything." No, but really. That darwinian "survival of the fittest" when applied to humans is groups protect us as individuals. It has allowed us to thrive as a species.

3. DEF CON 30 videos are available: Learn the magical musical mysteries of the the DEF CON 30 badge and more.

4. A Historical Collection of Reentrancy Attacks: A chronological and (hopefully) complete list of reentrancy attacks to date.

5. How to supercharge your hacking - mindset, workflow, productivity and checklist: Approaching a target to hack can feel like climbing a mountain. You may face large scopes, confusing applications, complex user hierarchies…the list goes on.

🔥 Buzzworthy

✅ Changelog

1. ProjectDiscovery httpx v1.2.5.

2. reconFTW v2.5: New vars added to cfg file to choose amass or subfinder and more.

3. What's new in Python 3.11.

4. Chameleon v1.1.0: Better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies.

5. Apple bug bounty program upgraded

📅 Events

1. Awesome Cybersecurity Conferences: Watch the latest awesome security talks around the globe.

2. DC608 will have a special guest this week.

🎉 Celebrate

1. zseano's family is getting bigger: Congrats!

2. Celebrating your worth with Cassie: Get it!

💰 Career

1. 10/27/2022 Cybersecurity Job Thread by Marcus J. Carey.

2. Writing a better resume.

3. 5 essential LinkedIn profile tips for working professionals: LinkedIn profiles are dynamic, so here are the 5 changes we working professionals can make to set ourselves for future success.

4. How to Quit Your Boring Job - Turn a Passion into a Career.

5. HackerOne's Hacker Success Managers.

⚡️ Community

1. LiveOverflow's request for Elon.

2. XNL-н4cĸ3r is enjoying live performances: "In the last few weeks I have been to see Sugababes and Natalie Imbruglia 🎶 This week is back to the Metal 🤘 Conjurer, then Despised Icon and Decapitated, and then Damnation Festival."

3. jub0bs is working on a CORS middleware library: Functional options with a twist.

4. STÖK and his dog winning prizes: "Practice, A LOT of practice, and dedication. (Just as in bounties) [...]"

📰 Articles

1. Memory corruption vulnerabilities in Edge: Memory corruption issues in the browser process are typically some of the most severe issues in Chromium and browsers that are based off it. Such issues can include use-after-free (UAF) problems, as well as out-of-bounds (OOB) reads and out-of-bounds writes.

2. Why Apple Keeps Winning: People are blown away that Apple keeps winning while its competitors are floundering. It’s a simple formula. Make consistently super-high-quality products that work together as part of an ecosystem.

3. How Brett Became A Penetration Tester: This series of blog posts was sparked from a recent internal discussion and is really just to learn how penetration testing individuals “got their start” or became interested with security, hacking, and anything else within our industry.

4. Audio OSINT: Open-source intelligence analysis often heavily relies on video analysis. There will be use cases for researchers to look at video footage to find people, buildings or other things that will be a form of verification and or validation based on analyzing video footage using OSINT techniques.

5. How to Weaponize the Yubikey: A couple of years ago, they had a YubiKey that was affected by a security vulnerability, and to fix the issue, Yubico sent them a brand new YubiKey for free.

📚 Resources

1. 33 quick and simple Twitter threads about OSINT.

2. Terminal Velocity book by rwxrob: First and foremost an online knowledge base of tips and tricks for becoming your best self when faced with a UNIX (or Linux) terminal. This also just so happens to be a book.

3. Resolvers Reconftw: Resolvers updated daily for reconFTW with dnsvalidator.

4. Advice for getting more into vulnerability research by Alex.

🎥 Videos

1. HackTheBox - Trick walkthrough.

2. CSRF/Markup Injection/Prototype Pollution/SOME/Cookie Toss?! Solution to October '22 XSS Challenge.

3. Attack Surface Management Series - Autonomous System Numbers: Autonomous System Numbers (ASN) are a goldmine for offensive security.

4. Intigriti's Live Hacking Event with The Paranoids (Yahoo) 1337UP0822: Their first live hacking event in two years, these events nurture the uniques skills of ethical hackers to deliver an accelerated testing period of Yahoo.

5. What functionalities are most often vulnerable to SSRFs? Case study of 124 bug bounty reports.

🎵 Audio

1. DAY[0] 161 - XMPP Stanza Smuggling in Jabber and a Cobalt Strike RCE [Bug Bounty Podcast]: Several fun issues this week, from a Cobalt Strike RCE, a couple auth bypasses, and stanza smuggling in Jabber.

2. Breadcrumbs episode 23 bonus episode - Breaking in to Infosec - With Tom and Rae: In this bonus episode, Tom Hocker and Rae Baker sit down to talk about their respective journeys in to infosec.

3. Smashing Security #295 - Slushygate, sextortion, and nano-targeting: What is slushygate and how does it link to sextortion in the States? What is the most impersonated brand when it comes to delivering phishing emails? And what the flip is nano-targeting?

4. TKP #150 Insights - Making (Even) Better Decisions: We discuss the three types of decision-makers, how to control your emotions when making decisions, why it’s crucial to look at every decision differently, the processes for coming to the right decision, and how to learn from your mistakes when you get it wrong.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have **every cloud resource you need** at an affordable price.

Subscribe to the Hive Five to read the rest.