🐝 Hive Five 44 – Hyper scheduling

Hi friends,

Greetings from the hive!

I hope you had a fruitful week and a relaxing weekend. While listening to one of my weekly podcasts, I heard about time blocking or hyper scheduling.

Having seen it mentioned before, I've decided to implement it. Coincidentally, I received an invite to the next-gen calendar called cron. So it seems that the universe is with me on this one.

What new things are you trying out?

Let's take this week by swarm!

🐝 The Bee's Knees

  1. We Know Which Private Keys Are Bad: Asymmetric private keys are among the most frequently leaked secrets. A new open source tool, driftwood, will immediately tell you whether a leaked key is sensitive. Read the full blog post.

  2. Advice for young hackers. Getting started in cybersecurity: In this video, they talk about their journey in cybersecurity, how they learned their skills, and what newcomers can do to get started.

  3. honoki/bugbounty-openvpn-socks: This project uses Docker to run multiple VPN tunnels simultaneously from the same machine, and exposes a SOCKS proxy for each separate VPN connection. If you are using tools without built-in proxy support, you can use proxychains to force everything through the proxy regardless.

  4. ChaosDB Explained - Azure's Cosmos DB Vulnerability Walkthrough: This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where they were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.

  5. Secondary Contexts by 0xAwali: A collection of over 100 different examples of secondary context related vulnerabilities in web applications.

πŸ™πŸ» Enjoy This Newsletter?

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. New Release - FullHunt Public API: FullHunt is releasing a public API to find all attack surfaces, exposed services, DNS records, subdomains, and public assets for free.

  2. Three new PentesterLab videos: Covering the code review of PHP snippet #01, #02 and #03.

  3. Corben Leo rewrote gau: This includes speed improvements, a new provider (urlscan), loading options from configuration files, new filter support, socks5 proxy support, and more.

📅 Events

  1. spaceraccoon is co-organizing a Bug Bounty Quarter: @kickino will speak about "Report Medley – What Makes a Bug Report Great?".

🎉 Celebrate

💰 Career Corner

  1. ca$s:e cage is hiring (remote): Third Party Risk Analyst, Assurance Analyst, Compliance Analyst, Program Manager Policies & Procedures, and Program Manager Security Awareness.

  2. Bishop Fox is hiring (remote US): Just opened up 2 positions on our Cosmos team: Sr Attack Surface Intelligence (ASI) Analyst and Sr Adversarial Operator.

  3. Sera sharing her journey: From high school dropout to senior security engineer.

  4. Rachel Tobac sharing her journey: My job path to get to this was so non linear it’s interesting to look back – neuroscience and behavior research to rat lab to teaching to UX research to hacking.

📰 Articles

  1. Practical Security Recommendations for Start-ups with Limited Budgets.

  2. Exploiting CSP in Webkit to Break Authentication & Authorization: When it comes to the web, browsers are the first line of defense.

  3. Harvest Finance Uninitialized Proxies Bug Fix Postmortem.

  4. IDOR through MongoDB Object IDs Prediction: This post assumes that you have a fair understanding of what an IDOR is.

  5. Simple SSRF Allows Access To Internal Assets: While looking at one of the host targets at Synack, everything seemed to be a dead end: only two hosts were in scope, and one of them was hosting a web server.

📚 Resources

  1. hakluke on Burp usage (replies): Find out where people spent the majority of their time in Burp.

  2. All about bug bounty: Bug bounty notes gathered from various sources; you can contribute to this repository too.

  3. Useful sed scripts: This was born in 4-5 hours of recapping sed (and many hours learning it in the first place).

  4. Sysmon Cheatsheet: All sysmon event types and their fields explained.

  5. Awesome Web Archiving: An Awesome List for getting started with web archiving.

🎥 Videos

  1. 4 job families in cybersecurity.

  2. Isabelle Mauny API security talk with We Hack Purple: Isabelle Mauny of 42Crunch fame talks about API security and demonstrates APIsecurity.io with Tanya Janca of We Hack Purple.

  3. Staying sane in bug bounties: zseano's talk for Ekoparty Security Conference.

  4. BountyTraining - Getting a feel for your target with BugBountyHunter: What does it actually mean to "get a feel for things"?

  5. I quit my IT job for YouTube and bounty - bounty vlog #0: Series on their bounty journey with all the details, like time spent and money earned.

🎵 Audio

  1. STÖK tells us to listen to TOOL: I wholeheartedly agree. While you're at it, check out this video of their drummer Danny Carey.

  2. The Next Generation of Hackers with Deviant Ollam: In episode three of Hacker Valley Red, Chris and Ron are joined by Deviant Ollam, a hacker to the bone and one of Chris’ inspirations in security.

  3. The Stack Overflow Podcast - Web3 won't save us.

  4. Focused - Hyper-Scheduling Revisited: Mike and David return to the subject of hyper-scheduling after they've both been at it a few years.
