• Hive Five
  • Posts
  • 🐝 Hive Five #12 β€œIn three words I can sum up everything I've learned about life: it goes on.” ― Robert Frost

🐝 Hive Five #12 β€œIn three words I can sum up everything I've learned about life: it goes on.” ― Robert Frost

Hi friends,

Greetings from the hive!

I hope you had an awesome week. Mine was pretty sweet, had some good food, and there were several sunny days. I even figured out that light-mode works wonders when working outside in bright weather.

My website received some major improvements (changelog). Most notably, I added a become a supporter section, currently just a buy me a coffee link, and a custom 404 page, with a random bee fact!

Let's take this week by swarm!

Brought to you by

DigitalOcean - Get $100 to try it out: I use their VPS for all of my recon needs. Other things you can do: build apps, host websites, run open source software, learn cloud computing, and more – every cloud resource you need at an affordable price.

🐝 The Bee's Knees

  1. Recovering a full PEM Private Key when half of it is redacted: A write-up covering how given a partially redacted PEM, the whole private key can be recovered. The Twitter user, SAXX, shared a partially redacted private RSA key in a tweet about a penetration test where they had recovered a private key.

  2. TomNomNom talk about Networking Fundamentals: Let's learn a bit about networking. Slides

  3. Hidden OAuth attack vectors: The OAuth2 authorization protocol has been under fire for the past ten years. You've probably already heard about plenty of "return_uri" tricks, token leakages, CSRF-style attacks on clients, and more.

  4. Chapter 1 Security Fundamentals - Alice and Bob Learn Application Security: Tanya and guests answer and discuss questions about chapters of her book.

πŸ”₯ Buzzworthy

πŸ“… Events

  1. Announcing Uber’s Bug Bounty April Promo Event

  2. !!Con - Call for Talk Proposals!: !!Con is back for their eighth year of celebrating the joy, excitement, and surprise of computing, and want you to submit a talk proposal.

  3. March XSS Challenge - Intigriti: Find a way to execute arbitrary javascript on this page and win Intigriti swag.

πŸŽ‰ Celebrate

  1. Nicolas GrΓ©goire: Company is 10 years old. Congrats!

  2. Nathan Cavitt: Has his Bug Bounty Bday. What an amazing year!

  3. Prash: Had his last day at @Hacker0x01. Excited for what's next!

  4. d0nut πŸ¦€: Is feeling better and tackled a bug in resync, allowing it to run 4x faster. Yeet!

βœ… Changelog

  1. Burp Suite HTTP logger: Sneak preview of the native HTTP logger that is coming soon to Burp Suite.

  2. BBRF v1.1.1 by Pieter: Has been released with a number of cool improvements.

  3. OSINT VM: The 2021.1 release of the TraceLabs OSINT VM is out, this is a major release which includes a new menu, default browser change (#Chromium) and a new updater process.

  4. Telegram Voice Chats 2.0: Channels, Millions of Listeners, Recorded Chats, Admin Tools: Voice Chats first appeared in December, adding a new dimension of live talk to Telegram groups - now, they are available in channels too.

πŸ’° Jobs

πŸ“° Articles

  1. APT Encounters of the Third Kind: A few weeks ago an ordinary security assessment turned into an incident response whirlwind.

  2. One day short of a full chain: Part 3 - Chrome renderer RCE: This is the last post of a series in which I exploit three bugs that can be used to form an exploit chain from visiting a malicious website in the beta version of Chrome 86 to gain arbitrary code execution in the Android kernel.,

  3. Thoughts on Threat Modeling: Personal views on threat modeling, how I approach threat modeling and what has worked for me (both as a Platform Security Engineer and vulnerability researcher).

πŸ“š Resources

  1. Simpsonpt/AppSecEzine: Only just found out about AppSec Ezine and it has been releasing for 7 years!

  2. New to bounties? by bugcrowd: They created a page containing links to everything you need to know including free educational resources, researcher docs, how to find bugs, beginner resources, how to get private invites, and more.

  3. noraj/OSCP-Exam-Report-Template-Markdown: Now you can be efficient and faster during your exam report redaction.

  4. Abusing Data Protection Laws For D0xing & Account Takeovers: A paper on Abusing Data Protection Laws For D0xing & Account Takeovers, leading to over 5 figures in bounties.

  5. GraphQL hacking thread by Rami: Awesome collection of GraphQL resources.

πŸŽ₯ Videos

  1. AMA - Bug Bounty with Alex Chapman (Public): Alex Chapman talks about his approach to bug hunting, why he hunts on our platform and about his favorite scene from the movie Hackers.

  2. $Echo - Nahamcon 2021 CTF Walkthrough: Optional's method for working through the $Echo challenge for Nahamcon 2021.

  3. Function hooking, detours, inline asm & code caves [Game Hacking 101]: What happens if we want to do something which takes up more space than we actually have available to us?

  4. The HackerCON: Hacking is NOT a Crime and Red Team Village "The HackerCON" streamed on Saturday, March 27, 2021.

  5. SQL Injection - Lab #4 SQL injection UNION attack, finding a column containing text: Rana covering Lab #4 in the SQL injection track of the Web Security Academy.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to Premium to read the rest.

Become a paying subscriber of Premium to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In.

A subscription gets you:

  • β€’ Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
  • β€’ Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
  • β€’ EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
  • β€’ MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
  • β€’ Deep DISCOUNTS on paid content.
  • β€’ Experience continuously added NEW BENEFITS.