
🐝 Hive Five #19 – Be Stubborn, Invitations, and How to Create Luck


Hi friends,

Greetings from the hive!

I hope you had a fruitful week. My first week at Bugcrowd was a blast! I'm still getting situated but I've already learned a lot and met some awesome people. I can't wait to keep the momentum going and get after it.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Mathy Vanhoef: has found design and implementation flaws in Wi-Fi again, and all Wi-Fi devices are affected. The embargo lasted roughly nine months; the information collected over that time is now available at FragAttack.

  2. Learn Exploit Development during COVID-19: With so many countries recommending self-isolation recently, they thought it might be useful to recommend some excellent learning resources to help you make the most of the extra time you might find yourself with.

  3. Hack Chat // Eva Galperin // Hunting Bad Actors and Eradicating Stalkerware: In this episode of Hack-Chat, Eva discusses how she started in cyber security, as well as tracking actors while pitching AV companies on alerting users to the security threat of stalkerware.

  4. Pega Infinity hotfix released after researchers flag critical authentication bypass vulnerability: Users of the Pega Infinity enterprise software platform are being advised to update their installations after a vulnerability was discovered by samwcyo/CVE-2021-27651-PoC.

  5. How to Create Luck: Your entire worldview will change once you realize that luck can be created. More precisely, you can actively create optimal conditions for lucky things to happen to you.

💌 Bee Awesome

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. d0nut recently finished resync's new HTTP client: It is capable of nearly 20,000 HTTP requests a second, with tons of features such as rate limiting, requesting across hundreds of hosts, and custom request logic.

  2. Bugcrowd expiring invites – program invites update: Starting today, May 17th at 17:00 Pacific Time (UTC-7), unaccepted invites will now expire after 8 calendar days.

  3. pencode v0.3 released: This version adds support for a few different hashing algorithms, and string casing.

  4. ffuf - add TLS SNI support #440.

  5. YesWeBurp 2.0 - Burp Suite extension is available.

📅 Events

  1. James Kettle announces upcoming Black Hat talk: HTTP/2: The Sequel is Always Worse.

  2. KNOXSS giveaways: Would you like to get a free KNOXSS Pro subscription?

  3. dawgyg is thinking about writing a book: Giving his citysecs talk got him thinking about writing a book about his life.

  4. !!Con 2021 is ongoing - May 15-22: (pronounced “bang bang con”) is a week of ten-minute talks to celebrate the joyous, exciting, and surprising moments in computing.

🎉 Celebrate

  1. HolyBugx: Had an amazing event, placing #1 after a week of hunting at Zseano's first virtual live hacking event, FirstBlood, and was rewarded with the HackerOne NFT and some great bounties. Amazing!

  2. Heath Adams: shouts out people he loves and had great interactions with in the field. Love it!

  3. Alex Chapman: managed to nail an RCE after a very hard week of hacking. Persistence is key!

  4. Robert Vulpe: is happy to share that they got OSWE certified. Congrats!

  5. hipotermia: bought a house and finally has their own space to work. Well deserved!

💰 Jobs

📰 Articles

  1. Think outside the box with Satyam Gothi: An interview with RogueSMG, a security analyst at Securelayer7, a bug bounty hunter, and also a content creator.

  2. Mass Assignment exploitation in the wild - Escalating privileges in style.

  3. Cr0wnGhoul 1ETH Puzzle: You’ve Got Mail Write-up: Cr0wn_Gh0ul launched a new puzzle with a 1 Eth and 800 Matic prize recently.

  4. Auth Bypass in https://nearbydevices-pa.googleapis.com: a malicious attacker could have had full CRUD (Create, Read, Update, Delete) access to all Google Fast Pair devices.

  5. Internet Scanning: Definition, Benefits, Brief History and Tools: Since its inception, the concept known as the "Internet" has been shaped and reshaped under a constant barrage of new ideas and architectural improvements.

📚 Resources

  1. Thread of favorite Burp plugins - Kishore Krishna.

  2. linux-default-file-locations: Default locations for files on various Linux distros.

  3. Big list of http static server one-liners: Each of these commands runs an ad hoc HTTP static server in your current (or specified) directory, available at http://localhost:8000.

  4. hmaverickadams/External-Pentest-Checklist: The Cyber Mentor's external pentest playbook course.

  5. LinkShare: The goal is to have users come and post infosec links, then let those users vote on others' links and maybe save them.

🎥 Videos

  1. Carl Farterson Community DeFi Bug Hunt @ Immunefi: Carl Farterson of the Best Practicers joins Immunefi to host a livestreamed community DeFi bug bounty hunt.

  2. Blind MongoDB NoSQL Injection - HackTheBox Cyber Apocalypse CTF.

  3. IKR! I NEED TO START TO DISTRUBUTE MY NMAP SCANS - Bounty Thursdays #28: If you are a cybersecurity professional or curious about testing for bugs, searching for vulnerabilities, pwning boxes, doing bug bounty, pentesting, CTF, web app testing, offensive security, or app sec, then this is the show for you.

  4. Free Automated Recon Using Github Actions | Ft. Project Discovery: Set up your own fully automated recon setup for free.

  5. InfoSec Unplugged - Talk with KeepItTechie: Josh is a tech professional and YouTube content creator.

🎡 Audio

  1. Layer8 podcast episode 58: Siobhan Kelleher - "Be Stubborn and Want to Learn".

  2. Titan Talks Ep 2 - Casey John Ellis: Guest is Casey John Ellis, the founder of Bugcrowd and Disclose.io — covered a lot of ground about entrepreneurship, founder DNA, competition, and priorities. Transcript.
