🐝 Hive Five 46 - Melliferous
Hi friends,
Greetings from the hive!
I’m thankful for all of the wonderful people I’ve met on my journey so far.
After further researching stoicism, I discovered the Latin phrase amor fati, translated as “love of fate”.
I’ll be adopting this mindset from now on, and when something unfortunate happens, I’ll embrace it and say thanks instead.
What are you thankful for?
Let's take this week by swarm!
🐝 The Bee's Knees
Monitor trending CVEs: Data comes from Twitter + NIST NVD APIs - back-end: Python, Flask, PostgreSQL, and Redis - front-end: React + Bootstrap.
$16k Stealing secrets.yaml from GitLab using stored XSS - Hackerone bug bounty: This video is an explanation of a bug bounty report submitted to GitLab's bug bounty program via HackerOne by William Bowling.
Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack: A couple of months ago, while browsing Twitter on a weekend, Nagli stumbled upon a rather interesting post from @vavkamil.
Finding XSS on .apple.com and building a proof of concept to leak your PII information: Back in February of this year, zseano hacked with members of BugBountyHunter.com on a public bug bounty program, and we chose Apple as our target.
Enzyme Finance Price Oracle Manipulation Bug Fix Postmortem: In 2020 and at the beginning of 2021, one of the worst phrases you could hear, either as a DeFi security researcher or developer, was, “Project X was hacked due to Price Oracle manipulation using flashloans.”
🙏🏻 Enjoy This Newsletter?
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
TCM Security Academy - courses, bundles, gift certs, and access passes. Cybersecurity Training That Doesn't Break the Bank. Don't overspend on your education!
🔥 Buzzworthy
✅ Changelog
Param Miner now supports using header smuggling to identify back-end headers: Thanks to a quality contribution from @_danielthatcher.