• Hive Five
  • Posts
  • 🐝 Hive Five 127 - Authentication vulnerabilities, Hacking Google Cloud, and Wordlists

🐝 Hive Five 127 - Authentication vulnerabilities, Hacking Google Cloud, and Wordlists

Author

Bee Gagliardi
June 26, 2023

Hi friends,

Greetings from the hive!

It’s getting hot in herre. I’m writing this newsletter while sitting outside, watching kids play around in a water pool.

Earlier today, I went to the gym for the first time in a while.

Here’s to a wonderful summer.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Authentication Vulnerabilities - Complete Guide. In this video, they cover the theory behind authentication vulnerabilities, how to find these types of vulnerabilities, how to exploit them and how to prevent them. more

  2. Hacking Google Cloud? Every year Google celebrates the best security issues found in Google Cloud. This year LiveOverflow takes a look at the 7 winners to see if we could have found these issues too. more

  3. Microsoft has revamped their security documentation site. Technical guidance that helps security professionals build and implement cybersecurity strategy, architecture, and prioritized roadmaps more

  4. BishopFox/jsluice, written by TomNomNom, is a Go package and command-line tool for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. Fun fact, it’s named after a “sluice box” a thing you use to find gold. more

  5. Bug Bounty: Wordlists. You are only so good as your weakest link. And in bug bounty, most people’s weakest link, and most ignored is always their wordlists. more

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. New CVSS. Who dis? The 4.0 spec has a positive line regarding Privileges Required. more

  2. Waymore v1.22 is a way to find more from the Wayback Machine. more

  3. owasp-amass/amass v3.23.3 is an in-depth attack surface mapping and asset discovery. more

📅 Events

  1. Hack The Box meetup in France on 06/29. more

  2. Sanne is a finalist for Woman Hacker of the Year. Go vote for her! more

  3. leHACK kernel panic / democracy daemon crashed edition. We need to remind ourselves the roots and the original ethos of hackers and hacktivists. Runtime: 06/30 to 07/02. more

🎉 Celebrate

  1. Sam is super impressed by 17-18 year olds that are participating at Live Hacking Events. Love to see it! more

  2. Damian is cofounding a Legal Tech Startup. Exciting! more

  3. “The Bug Musketeers” earned a 40k bounty at Intigriti’s 1337UP0623. Let’s go! more

  4. The Critical Thinking podcast recorded a sick pod with 2x MVH Inhibitor. Can’t wait to listen! more

  5. Ali finished 4th overall in his first HackerOne Live Hacking Even in London. Amazing! more

💰 Career

  1. Google is hiring Senior Researcher in the Netherlands, Mandiant, Google Cloud. more

  2. Roles for pentesters that are looking to transition. more

  3. Sherrod shares actionable tips for those that want to work in cyber threat intelligence. more

  4. The most important piece of career advice you probably never heard: “Fix the lifestyle you want. Then work backwards from there.” more

  5. Farah Hawa shares some learnings from her recent job hunting process, right from applying and interviewing to accepting an offer. more

⚡️ Community

  1. Hackers bot finally had its Twitter API key banned on June 22nd. The last tweet said: “As hackers taught us, capitalism corrupts all beautiful tings, and queer will always end victorious. […]” more

  2. Caitlin got a beeautiful tattoo during HackerOne’s Live Hacking Event in London. more

  3. Dave got a new tattoo with a great story behind it. more

  4. Cyber Kitten is ready for Hacker Summer Camp. more

  5. Katie came full circle, back to where she started. more

📰 Read

  1. Piotr shares a next level phishing scam involving Discord. more

  2. Another bug bounty story by Soroush, taking on the challenge of bypassing a Web Application Firewall (WAF) for XML External Entity (XXE) injection. more

  3. Scan to scam: how thieves can steal credits at cashless music festivals. Convenience is king, especially at music festivals where every extra minute spent in line can prolong the queue with hours. more

  4. AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice. While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass. more

  5. A white paper on Emotional Intelligence. Harnessing OSINT methods to uncover the emotions and moods of individuals. more

📚 Resources

  1. A collection of concise write-ups on small things Josh learned day to day across a variety of languages and technologies. more

  2. mindedsecurity/semgrep-rules-android-security is a compilation of Semgrep rules derived from the OWASP Mobile Application Security Testing Guide (MASTG) specifically for Android applications. more

  3. CVExploits is a database of exploits for all of the old & new common exposures and weaknesses (CVEs) by collecting the exploits automatically from around the internet websites & projects such as (github, gitlab, packet storms ecurity, metasploit modules and many more). more

  4. Destroyed by Breach. Adrian created and started maintaining this research after coming across a fake stat many years ago, that “60% of small businesses will close up within six months of a cyber attack”. more

🎥 Watch

  1. In this 4th video in the series customizing Parrot with ansible, ippsec configures Iptables/UFW and Auditd. more

  2. Ippsec walks through HackTheBox - Stocker. more

  3. Intruder Alert Ep. 3 - Hacktivism and Bug Bounties with Nahamsec. more

  4. Casey delivers “Release the Hounds, Part 2 - 11 Years Is A Long-Ass Time” as the keynote for BSides Knoxville on May 12th, 2023. This talk covers the history of vulnerability disclosure and crowdsourced security testing platforms, and dives into cybersecurity entrepreneurship. more

  5. The video stresses that there is no one specific path or set of requirements for becoming an ethical hacker or entering the cybersecurity industry, and it is important to avoid the harmful mentality of gatekeeping. more

🎵 Listen

  1. We Hack Purple Podcast 78 with Jason Haddix. They talk about artificial intelligence, and (of course) how to hack it. more

  2. The Privacy, Security, & OSINT Show 301 - Self-Hosted 3: Calendars, Contacts, & Notes. more

  3. Smashing Security 327: Mark’s metaverse for minors, and getting down to business. more

  4. Critical Thinking - Bug Bounty Podcast Episode 24: AI + Hacking with Daniel Miessler and Rez0. more

  5. Petaflops to the People: from Personal Compute Cluster to Person of Compute with George Hotz of tinycorp. They talk about how tinygrad is taking on Nvidia, Google, and PyTorch with a tiny team, building in public with AMD, hot takes on ggml, Mojo, and GPT-4, and why AI Girlfriend is next. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to Premium to read the rest.

Become a paying subscriber of Premium to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In.

A subscription gets you:

  • • Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
  • • Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
  • • EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
  • • MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
  • • Deep DISCOUNTS on paid content.
  • • Experience continuously added NEW BENEFITS.