
🐝 Hive Five 103 – 2022 CVE data review and bypass firewalls with of-CORs

By securibee 🐝

Hi friends,

Greetings from the hive!

I hope you had a great first week of 2023.

If you’ve been following my Tweets, you know that I’ve been working on my first Ghost site. I enjoy the project and love learning new things and designing websites.

Taking on this new project and working with an unknown platform is further reinforced by something I read a couple of weeks ago, to make success controllable.

Couple this with focusing on what you can control, and you win, even if it fails, as you acquire new skills and make new relationships.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Live Recon Interview in the Smart Contract Series with ret2jazzy. more

  2. Bypass firewalls with of-CORs and typo-squatting. more | video | repo

  3. 2022 was a record-breaking growth year for CVE data. Jerry goes through the data and highlights some of the most interesting data points. more | repo

  4. Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and more. more

  5. The Top 10 web hacking techniques of 2022 nominations are open. more

💪 Sponsor

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

✅ Changelog

  1. Intigriti has a new content creator: CryptoCat. more

  2. reconFTW v2.5.1 is a tool designed to perform automated recon on a target domain by running the best set of tools for scanning and finding vulnerabilities. more

  3. DOMPurify 2.4.3 is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. more

📅 Events

  1. OWASP Vulnerability Management Guide on January 12th. more

  2. First episode of the Critical Thinking Bug Bounty Podcast comes out today (Monday). more

🎉 Celebrate

  1. MrTuxracer on his first bug of 2023: A quite crazy authentication bypass affecting a firewall vendor. Keep an eye out for CVE-2023-22620. Keep it up! more

  2. Masonhck357 found his first crit of the year on a 3 year old program. Yessir! more

  3. Valerio Brussani celebrates 2022. Awesome! more

  4. Jason Haddix will be the new CISO and Hacker in Charge at BuddoBot Inc. Let’s go! more

💰 Career

  1. Top 3 things you need to change in 2023 if you’re serious about getting a job in 2023 and more. more

⚡️ Community

  1. zseano is still having a rough time, dealing with sickness. Feel better soon! more

  2. I_Am_Jakoby is looking to collaborate with content creators in the cyber security field. Anyone interested? more

  3. Alethe had an awful experience with CompTIA. more

  4. Yassine Aboukir is flying out of Bali. Safe travels! more

  5. MrTuxracer shares his Bug Bounty goals for 2023. Crush it! more

📰 Read

  1. Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys. more

  2. Corben Leo hacked a large company (70k+ employees) through social engineering. Legally of course. more

  3. Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory. more

  4. Why 2022 was a record-breaking year in bug bounty awards for GitLab. more

  5. The Auditooor Grindset. So, you want to become a smart contract auditor. more

📚 Resources

  1. Offensive Security & Reverse Engineering (OSRE) course. This is the whole course that was covered at Champlain College during Spring 20/21. more | labs | notes | slides

  2. Adrian on how to become a Web3 Bug Bounty Hunter in 2023. more

  3. The top 20 bug bounty creators according to Intigriti. more

  4. A collaboratively curated list of awesome Open-Source Intelligence (OSINT) Resources by ARPSyndicate. more

  5. Educational content on smart contract auditing and web3 security for every one of the 365 days of the year, by Sm4rty-1. more

🎥 Watch

  1. I Hope This Sticks: Analyzing ClipboardEvent Listeners for XSS by spaceraccoon, a NahamCon2022EU talk. more

  2. sec4dev 2022 talk: Scaling AppSec by Clint Gibler. more

  3. HackTheBox - Health - 00:00 - Intro. more

  4. Another NahamCon2022EU talk: Hunting for Amazon Cognito Security Misconfigurations by Yassine. more

  5. LevelUpX - Series 13: SPI Flash for Bug Bounty Hunters with Nerdwell. more

🎡 Listen

  1. Darknet Diaries top 13 most listened to episodes. more

  2. The Privacy, Security, & OSINT Show 287 - Listener Questions, UNREDACTED 5, & OSINT 10. more

  3. Malicious Life - Cyberbunker, Part 1. more

  4. Huberman Lab - Jocko Willink: How to Become Resilient, Forge Your Identity & Lead Others. more

  5. Derek Sivers – How to Live as a Creator and Why You Should Focus Like a Monomaniac. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
