🐝 Hive Five #36 – Eat the frog

Hi friends,

Greetings from the hive!

I hope you had a relaxing weekend. The main theme of mine was audio. I was reminded of the Libby app via a Tweet and am looking forward to listening to audiobooks once again. During my morning run, I've been listening to a great investigative podcast. I linked it in the Audio section.

What did you do this weekend? Let me know on Twitter or Discord.

Let's take this week by swarm!

🐝 The Bee's Knees

1. We Can Find Them: A wonderful h@cktivitycon talk by Truffle Security introducing the TruffleHog the Chrome Extension.

2. Hacking CloudKit - How I accidentally deleted your Apple Shortcuts: TL;DR. CloudKit, the data storage framework by Apple, has various access controls. These access controls could be misconfigured, even by Apple themselves, which affected Apple’s own apps using CloudKit.

3. A Detroit community college professor is fighting Silicon Valley’s surveillance machine. People are listening.: Chris Gilliard grew up with racist policing in Detroit. He sees a new form of oppression in the tech we use every day.

4. Down the Rabbit Hole: Unusual Applications of OpenAI in Cybersecurity Tooling: This is the blogpost version of a talk spaceraccoon gave to the National University of Singapore Greyhats club.

5. International Security Conference - ZeroNights 2021: The Main, Web Village, and Defensive Track talks and slides are available online.

🙏🏻 Enjoy This Newsletter?

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

💌 Want to sponsor an issue?

🔥 Buzzworthy

✅ Changelog

1. AutoRecon v2 is officially released: The README has also been updated.

2. Release v1.10 · j3ssie/metabigor: Refactor and fix some bugs. Add option to run Nmap concurrently from Rustscan result.

📅 Events

1. Full Stack Web Attack (FSWA) Training Course 2021: Full Stack Web Attack is not an entry-level course - 8th-11th of November, 2021 GMT-6.

🎉 Celebrate

1. John Hammond: had his birthday. Congrats again!

2. Tib3rius: and cinzinga got first blood on John Hammond's hard web app challenge in the hacktivitycon2021 CTF. Woohoo!

3. hipotermia: marked 1 year since they started doing BB full time. Amazing!

4. Justin Tobin: and @bbuerhaus @LeFevre and @cybourgeoisie solved the BoredApeYC puzzle. Wow!

5. hg_real: started bug hunting on game companies 6 Months ago. Woot!

💰 Career Corner

1. Krebs Stamos Group - Security Researcher Purple Team: An ideal candidate will have experience applying a range of offensive security tactics across a variety of operating systems while thinking with an adversary mindset.

2. How to build a successful infosec career - lcamtuf thread.

3. Beth Hoyt is looking for remote jr. Pen Tester job: They have eJPT, Security+ and MCSE. Experience in WSUS, DPM and 10 years as an admin.

4. Apple Security Researcher, Information Security: AIS Assurance is seeking a security researcher to join their Applied Research team.

5. Bugcrowd Community Development Manager: Lead the creation and buildout of Researcher-focused education and community content, provide sponsorship opportunities and run community-focused events, moderate Bugcrowd community spaces, and design, execute, and manage partnership initiatives to expand relationships within the community.

📰 Articles

1. Go Blogs Hacktivitycon 2021 Writeup [Golang SSTI]: This was their first ever jeopardy style CTF and for most my team mates as well.

2. The Asian Cyber Security Challenge 2021 (ACSC) CTF: The goal of the competition was to select the 15 players under the age of 26 to represent Asia in the International Cybersecurity Challenge (ICC).

3. All Your (d)Base Are Belong To Us, Part 1: Code Execution in Apache OpenOffice (CVE-2021–33035): Venturing out into the wilderness of vulnerability research can be a daunting task.

4. The Show Must Go On: Securing Netflix Studios At Scale: In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation.

5. Thoughts on the OWASP Top 10 2021: "The list’s biggest problem is that it doesn’t have a clear identity."

📚 Resources

1. Westar Bumblebee box writeup.

2. Devansh Blockchain Security checklist.

3. CryptoHack courses: A curated sets of challenges into guided tours, introducing our players to the fundamentals of modern cryptography.

4. Dorks collections list: Google, Bing, Ecosia, Yahoo or Yandex.

5. Cross-Site WebSocket Hijacking thread by Paul Seekamp.

🎥 Videos

1. How to search for XSS (with blacklisted HTML tags): Learn how to test for cross-site scripting vulnerabilities if the target applications have a denylist in place, not allowing certain HTML tags and event handlers.

2. Building a secure application in five steps | Security Simplified: If you are into building software, you’ve probably heard of the software development life cycle (SDLC).

3. 0day shares his journey on becoming #1 on tryhackme, learning how to hack, resources and more!: Ryan AKA 0day is currently the #1 hacker on TryHackMe's platform.

4. Obfuscated Password Manager?! Solution to September '21 XSS Challenge.

5. Detecting Exploits - OMIGod (Linux Logging with Auditd).

🎵 Audio

1. Root of Evil - The True Story of the Hodel Family and the Black Dahlia: A friend suggested this investigative podcast.

2. The Changelog - Software Development, Open Source: Why Neovim?

3. Indie Hackers #255: Growth Tactics, Audience Building, and Brains with Julian Shapiro of Demand Curve.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.