🐝 Hive Five #23 – Grateful, curious, and cautious

Hi friends,

Greetings from the hive!

I hope you had a great week and a relaxing weekend. STÖK tweeted about the importance of focusing and being truly grateful for what you have, and I couldn't agree more. To add to this, try having the mindset of acknowledging what you get to do instead of what you need to do.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. How to Analyze Code for Vulnerabilities: Vickie will go through the basics of how to review your code for vulnerabilities and some tactics for performing an effective security code review on your application.

  2. Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug: polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit.

  3. Two weeks of securing Samsung devices: Part 1: After spending two weeks looking for security bugs in the pre-installed apps on Samsung devices, they were able to find multiple dangerous vulnerabilities.

  4. Burp Macros: What, Why & How?: If so, then this blog is for you. Obviously, you can automate the process by writing Python code; however, that requires scripting knowledge, and it takes time and effort on your part to write the code. So, let’s try to overcome these challenges using Burp Macros.

  5. How Hackers Used Slack to Break into EA Games: The group of hackers who stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard has learned.

🙏🏻 Enjoy This Newsletter?

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. ho • no • ki: is trying something new, bbrf.me now defaults to a demo server so you can test BBRF without having to deploy your own server.

  2. VSCode - Remote Repositories: With this, you can quickly browse, search, edit, and commit to any remote GitHub repository (and soon, Azure Repos) directly from within VS Code, no clone necessary.

  3. Improving Report Quality through Submission Editing by the Bugcrowd ASE Team: Bugcrowd’s Application Security Engineers now have the ability to edit submissions when triaging vulnerability reports.

  4. PwnMachineV2: a new version of the self-hosted pwning environment for Bug Bounty: With this new version, you get a full web interface, which makes the different features easier to use.

📅 Events

  1. STÖK️: His CHPO/STÖK colab signature blueglass / UV adaptable Smokey glasses drop in June.

🎉 Celebrate

  1. N7⚡️: Got their first job as a PenTester, became Bugcrowd MVP (2021 Q1), and finished their 4 year Cyber degree. Amazing!

  2. meg: is super stoked to share that they're working at IBM Security on the X-Force Incident Response team now. Congrats!

  3. Nagli: Leveled up to 0x03 on Synack RedTeam. Woot!

💰 Jobs

  1. VP, Information Security: Lead Netflix’s information security strategy, including product, studio, and enterprise security.

📰 Articles

  1. Testing Two-Factor Authentication: This post provides a whirlwind tour of common 2FA mechanisms and detailed information on testing them.

  2. What is a Prototype Pollution vulnerability and how does page-fetch help?: Prototype Pollution is a problem that can affect JavaScript applications.

  3. Solution and explanation of tips for Intigriti's 0521 XSS challenge by GrumpinouT: GrumpinouT explains their solution for the challenge and the tips that were given.

  4. Bypassing 2FA using OpenID Misconfiguration: Two-factor authentication is rapidly becoming the norm in authentication systems; however, a faulty implementation can often render the defense mechanism useless.

  5. Your E-Mail Validation Logic is Wrong: If you thought validating email was simple, it isn't.

📚 Resources

🎥 Videos

  1. SQL Injection - Lab #11 Blind SQL injection with conditional responses: This lab contains a blind SQL injection vulnerability.

  2. Tips to get a job in cybersecurity.

  3. Binary Exploitation Deep Dive: Return to LIBC (with Matt).

  4. Jackpotting Fortune-500 Treasuries - Martin Doyhenard & Gaston Traberg: In this talk, they present two critical vulnerabilities recently found during their assessment of Oracle’s ERP, using them to introduce the audience to the ERP’s post-exploitation world.

  5. Phillip Wylie interviews Masonhck3571.
