🐝 Hive Five 99 – Ethical hacking in 15 hours, the secret of bug bounty automation, and exploring prompt injection attacks

Hi friends,

Greetings from the hive!

The common thread throughout success in all areas is systems—dieting, productivity, newsletters, podcasts, etc. You name it.

While I have read and discovered many via others and designed several myself, my issue currently is that I don’t have them all laid out and organized, which in and of itself is another system. So this is something I’ll work on to improve.

What are you looking to improve?

Let's take this week by swarm!

🐝 The Bee's Knees

1. Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 1). more

2. Jupyterthon 2022 Day 1 of Infosec Jupyterthon 2022 Conference. An open community event for security researchers to share their experience and favorite notebooks with the InfoSec community. more | day 2

3. Cori shows us how easy it is to set up a phishing campaign and hack companies. more

4. The secrets of automation-kings in bug bounty. For those looking to make big money in the world of bug bounty, finding 1day (or 1month) web exploits that haven't made their way into scanners yet can be the key to success. more

5. Exploring Prompt Injection Attacks. Have you ever heard about Prompt Injection Attacks? Prompt Injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. more

️💪 Sponsor

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

✅ Changelog

1. Nuclei v2.8.0: Fuzz all the way. New fuzzing capabilities, shared variables for workflows, GitHub/AWS S3 template downloads, integration with asnmap, uncover, and httpx, and of course much more. more

2. New npm features for secure publishing and safe consumption. Two new features for a safer npm package ecosystem experience: granular access tokens and the npm code explorer. more

📅 Events

1. New Burp Suite API, and PortSwigger wants your feedback! more

2. SANS Holiday Hack Challenge & KringleCon. Join the global cybersecurity community in its most festive cyber security challenge and virtual conference of the year. more

3. 2022 is almost over, which means your professional development stipend is about to expire! Josh collected some suggestions in this thread. more

🎉 Celebrate

1. Mustafa Can İPEKÇİ received his recognition swag from Synack. Yes! more

2. After 9 years at securitum Michał Bentkowski is starting a new journey at Google VRP. Awesome! more

3. Orange Tsai and team become Pwn2Own champion and Master of Pwn for the second time. Wow! more

4. Harsh Jaiswal and iamnoooob joined Project Discovery. Exciting! more

5. obront.eth has earned $100k+ from auditing. Congrats! more

💰 Career

1. The Paranoids are expanding their summer intern program. more

2. specters is looking for red team/prod sec opportunities. He hacks cars but wants to expand outwards to become a better hacker. more

3. AppSec interview insights by d0nut. more

4. What to do when you get laid off… Getting laid off can be really stressful, and trying to handle the pressure alone can feel impossible. more

5. Make sure you know to succeed in 2023 - ace the job interview, negotiate more money and change your life. more

⚡️ Community

1. Gunnar Andrews started their own Discord, feel free to join if you want to chat with them and other bug bounty folks. more

2. Jason Haddix update on his son's situation, he continues to be in sustained low-grade pain. more

3. Researcher Spotlight: anhnt1337. As a 3rd year student at University, Nguyen Tuan Anh aka anhnt1337, began his career path with an internship. After graduating from university, he worked as an Application Security Engineer. more

📰 Read

1. Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass. This writeup talks about a successful collab on a private program hosted on Bugcrowd. more

2. Pre-Auth RCE with CodeQL in Under 20 Minutes. The target? pgAdmin. Or to be more precise, the web interface if you run pgAdmin in server mode. more

3. Hijacking GitHub repositories by deleting and restoring them. Recently, they encountered an obscure security measure while researching GitHub repositories: the popular repository namespace retirement. This security measure was implemented by GitHub to protect (popular) repositories against repo jacking (i.e. hijacking attacks). more

4. Exploiting an N-day vBulletin PHP Object Injection Vulnerability. vBulletin is one of the most popular proprietary forum solutions over the Internet. more

5. Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential for unauthorized database access. more

📚 Resources

1. Red teamers and offensive security use cases for Wireshark. more

2. Your guide to joining and using Mastodon. more

3. Offensive Software Exploitation (OSE) Course. This repository is for the Offensive Software Exploitation Course at Champlain College. more

4. m0bilesecurity/Frida-Mobile-Scripts. more

5. daffainfo/all-about-apikey: Detailed information about API key / OAuth token (Description, Request, Response, Regex, Example). more

🎥 Watch

1. Can You Spot The Vulnerability? more

2. HackTheBox - Outdated solved by ippsec. more

3. Day[0] Bug Bounty Podcast 173 - Remotely Controlling Hyundai and a League of Legends XSS. A variety of issues this week, DOM Clobbering, argument injection, a filesystem race condition, cross-site scripting, and a normalization-based auth bypass. more

4. Live Hacking On Indeed with Tess. more

🎵 Listen

1. Smashing Security #301: AI chatbot or the start of Skynet? Eufy privacy, and hot desks. more

2. Risky Business #688: APT41 pickpockets Uncle Sam. more

3. Human Factor Security Episode 183: Kate Mullin – CISO Voices. A six-part series where Jenny talks to CISOs about how they view their role, the industry and the threat landscape called CISO Voices. more

Subscribe to the Hive Five to read the rest.