- Hive Five
- Posts
- ๐ Hive Five 43 โ Magic
๐ Hive Five 43 โ Magic
Photo by Rhett Wesley / Unsplash
Hi friends,
Greetings from the hive!
I finished reading a man's search for meaning and found it to be enlightening. I also read a bit about Frankl's logotherapy. The other book that I'm still reading is Ikigai.
What are you reading?
Let's take this week by swarm!
๐ The Bee's Knees
How do you tell if a problem is caused by DNS?: A lot of people have server issues (โmy server is down! or itโs slow!โ), but they canโt tell if the problem is caused by DNS or not.
Sitecore Experience Platform Pre-Auth RCE: One of the missions at Assetnote is to secure the attack surfaces of enterprises around the world. In order to achieve that goal, their security research team cannot solely rely on the public disclosure of vulnerabilities.
Anatomy of a Terminal Emulator: Weโll talk about the different parts of the terminal and how they interact, build a small program to read input from the shell and understand how itโs interpreted, discuss how to create a user interface in the terminal and finally see how we can use all of this to cause some mischief.
Introducing CookieMonster: a tool for breaking stateless authentication: When you log into a website, many web frameworks will issue you a cookie as proof that you have correctly authenticated. In the past, this token was just a random identifier that was assigned to the user in the application's database.
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
๐ฅ Buzzworthy
โ Changelog
Octavian refactored axiom: A nice update refactoring axiom-init, axiom-ssh, axiom-fleet, and axiom-power.
Cloudmapper 2.10.0 released: Mostly to update packages but a number of PRs have been merged. By updating botocore, ap-northeast-3 resources are now collected.
Semgrep 0.70+: Now supports scanning Terraform source files (HCL) for misconfigurations and security flaws.
PentesterLab released 5 new snippets: For the code review challenges golang_12, python_02, typescript_01, typescript_02, and typescript_03.
๐ Events
Truesec Cyber Security Summit: on November 9th.
Jetpack Acquires WordPress Vulnerability Database WPScan: WPScan is used across the WordPress ecosystem to learn about new vulnerabilities to WordPress core, themes, and plugins.
Pwn2Own Austin 2021 - Schedule and Live Results: This yearโs consumer-focused event is their largest ever with 58 total entries from 22 different contestants.
Trick & Treat! Paying Leets and Sweets for Linux Kernel privescs and k8s escapes: For the next 3 months (until January 31 2022), we will pay 31,337 USD to security researchers that exploit privilege escalation in our lab environment with a patched vulnerability, and 50,337 USD to those that use a previously unpatched vulnerability, or a new exploit technique.
๐ Celebrate
Ian Carroll was awarded a $75,000 bounty: Amazing!
Omar Espino is in the top of GoogleVRP 2021: Congrats!
samczsun reached 1st place on the Ethereum bounty leaderboard: Wow!
BSides Ahmedabad Dungeon CTF winners: Congrats all!
๐ฐ Career Corner
Alissa Knight is hiring at Quontic: They're growing their red team and are looking for a threat hunter/penetration tester (ALL locations/remote work).
LilMzMuffinCup is looking for a cybersecurity role: She recently completed a cybersecurity education program and she acquired her CySA+.
Netflix Security Assurance & Metrics role: Netflix is looking to shape their metrics investment.
Assetnote is hiring a front-end engineer: Their team is made up of passionate hackers who are focused on building the best attack surface management platform.
Google is hiring a Security Technical Program Manager, Platforms & Ecosystems.
๐ฐ Articles
BOF2shellcode: For the red teaming they often have a need to run offensive tools on a target machine without dropping the tool on disk.
Finding and Fixing DOM-based XSS with Static Analysis โ Attack & Defense: Despite all the efforts of fixing Cross-Site Scripting (XSS) on the web, it continuously ranks as one of the most dangerous security issues in software.
How SSL certificates are leaking sensitive information: SSL certificates mark the first step in a commitment to user safety and security and HTTPS, SMTPS, IMAPS, POP3S have become the standard protocol for web traffic.
Honoring Elliot HarmonโEFF Activism Director, Poet, Friendโ1981-2021.
Malicious code analysis - Abusing SAST (mis)configurations to hack CI systems: They recently found a new method that allows secure code analysis mechanisms to be bypassed and even worse โ abused to execute malicious code on their host.
๐ Resources
Awesome Google VRP Writeups: New writeups from the GitHub repository "awesome-google-vrp-writeups".
Cobalt Strike Built-In Lateral Movement Capabilities Based On CONTI Leak Mind Map.
Fast Google Dorks Scan: The OSINT project, the main idea of which is to collect all the possible Google dorks search combinations and to find the information about the specific web-site: common admin panels, the widespread file types and path traversal. The 100% automated.
๐ฅ Videos
Can Hackers Get Into Every Device?: Have you ever heard the sentence that every device can be hacked?
Top 5 Cryptocurrency Security Tips from Coinbase: Learn how to keep your account secure from Trust and Safety experts at Coinbase.
How to run an XXE injection via an SVG Image Upload: Learn how you can run a successful XXE injection via an image upload functionality.
Women in OSINT | Rae Baker - Graphic Designer Turned Senior OSINT Analyst & Educator.
๐ต Audio
Automators - Automating with Ryan J A Murphy: He shares automation tips for Obsidian, augmented intelligence, and automated parenting.
Hidden Brain - Work 2.0, The Obstacles You Don't See: A new podcast I subscribed to. (Suggested by co-worker)
Former Developer Turned Security Advocate | A Conversation With Rey Bango | The Hacker Factory With Phillip Wylie: Rey Bango goes from a long-time developer to security advocate and freelance pentester.
MalwareTech Podcast - Facebook Outage & Whistleblower, Server Astrology, Twitch Breach: First in-person episode, featuring: shenetworks, Dr Tran, MalwareTech.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Subscribe to Premium to read the rest.
Become a paying subscriber of Premium to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In.
A subscription gets you:
- โข Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
- โข Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
- โข EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
- โข MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
- โข Deep DISCOUNTS on paid content.
- โข Experience continuously added NEW BENEFITS.