
🐝 Hive Five 94 – XSS Hunter is being deprecated, what sucks about recon, and DevOps is bullshit

Hi friends,

Greetings from the hive!

I hope you and yours are in good health! Our family has been sick for a couple of weeks now, which makes one appreciate the healthier times.

This, together with some other circumstances, is why the newsletter arrives later than usual this week.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Exploiting Static Site Generators - When Static Is Not Actually Static: Over the last ten years, we have seen the industrialization of the content management space. A decade ago, it felt like every individual and business had a dynamic WordPress blog, loaded up with a hundred plugins to do everything from adding widgets to improving performance.

  2. XSS Hunter is being deprecated on February 1st, 2023: To continue to utilize their subdomains post-deprecation, all users will have to take some action. For more information on next steps, please read the FAQ.

  3. HTTP/3 Connection Contamination Made Simple - James Kettle (albinowax): For the full technical details, check out the writeup.

  4. phillipwylie Talks About His Favorite Tools, Switching Careers, And Pentesting.

  5. The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation: On November 1, 2022, the OpenSSL Project released a security advisory detailing a high-severity vulnerability in the OpenSSL library. Deployments of OpenSSL from 3.0.0 to 3.0.6 (included) are vulnerable and are fixed in version 3.0.7. The vulnerability is tracked as CVE-2022-3602.

🔥 Buzzworthy

✅ Changelog

  1. Pentester Land blog update: You can now easily navigate between blog categories using a "Filter by category" button.

  2. ShadowClone update: ShadowClone lets you distribute your long-running tasks dynamically across thousands of serverless functions and returns the results within seconds, where a single machine would have taken hours to complete them.

  3. Mara on Rustlang v1.65.0: As is tradition, a thread with some of the highlights.

🎉 Celebrate

💰 Career

  1. Open roles where good leaders are hiring (ex-Tweeps).

  2. Ivy Fae is looking for work: a Sr. Software Engineer with 12 years' experience (mainly Microsoft stack/Azure). Has a lot of security interest and is also very interested in pentesting.

  3. IBM is sponsoring 4 FREE programs for anyone looking to get into Cybersecurity with NO experience.

  4. Sudden traumatic job loss is awful: here are some resources Runa used.

  5. Paranoids are hiring a Product Security Engineer II.

⚡️ Community

  1. Runa Sandvik on the passing of Vitali Kremez: "Security researcher @VK_Intel went missing after scuba diving in Florida on Sunday morning. The Coast Guard recovered his body today. Over the years, I'd talked to him about everything from malware analysis to diving with sharks. You'll be missed, Vitali."

  2. zonduu on adding researchers to duplicated reports: "I strongly believe researchers should be added to the original report when we submit a duplicate report @Hacker0x01 [...]"

  3. Tinker on Twitter & Mastodon DMs: "In Mastodon the admin(s) of each server can read your DMs. In Twitter, the IT admins and privileged users can also read your DMs. They're Direct messages (DMs). They're not Private messages (PMs)."

  4. Hacker AFK - the_arch_angel: Hackers live varied lives, each as unique as the last. Check out who they are away from keyboard; what you find will surprise you.

  5. Masonhck357 is back home: After 4 months of traveling, he's back home in San Diego.

📰 Read

  1. What Twitter Got Wrong and How To Fix it: Elon Musk just announced the plan for Twitter Blue, which will cost $8/month.

  2. Ben on blue teaming: "The problem with blue teaming even at the furthest end of the scale, you’re totally vulnerable to survivorship bias. [...]"

  3. Greg asks "what sucks the most about doing recon?".

  4. Upcoming infosec content creators.

  5. DevOps is Bullshit: DevOps started as a well-intentioned set of practices and culture. Over the years, it has devolved into an unholy beast of division and tunnel vision.

📚 Resources

🎥 Watch

  1. Kernel Exploitation on HEVD #4: Uninitialized Stack Variable.

  2. How g0lden Automates His Subdomain Recon! (Automation Series).

  3. DAY[0] 163 - A Galaxy Store Bug, Facebook CSRF, and Google IDOR [Bug Bounty Podcast]: Several simple bugs with significant impacts, XSS to being able to install apps, CSRFing via a Captcha, and a Google IDOR.

  4. U-M SUMIT 2022 - Adventures in Securing At-Risk People with Runa Sandvik and Elodie Vialle: Watch a recording of the Security at University of Michigan IT (SUMIT) symposium keynote event, Adventures in Securing At-Risk People.

  5. HackTheBox - Moderators walkthrough.

🎧 Listen

  1. Smashing Security #296 - Twitter turmoil, AI animal chatters, and metaverse at work: Twitter has a new chief twit in the form of Elon Musk and he’s causing problems, scientists say artificial intelligence may help us communicate with animals, and is the office of the future set in the metaverse?

  2. Risky Business #683 - OpenSSL bug is a fizzer, ASD responds to Medibank hack.

  3. The Privacy, Security, & OSINT Show #283 - Announcements, Updates, & News.

  4. Darknet Diaries EP 127 - Maddie: Maddie Stone is a security researcher for Google’s Project Zero. In this episode we hear what it’s like battling zero day vulnerabilities.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have **every cloud resource you need** at an affordable price.
