- Hive Five
- Posts
- 🐝 Hive Five 50 – The internet runs on free open-source software
🐝 Hive Five 50 – The internet runs on free open-source software
Bee
December 26, 2021
Hi friends,
Greetings from the hive!
First of all, I wish you happy holidays and an awesome New Year. Second, I hope you got a step closer to reaching your goals this year. Do remember, it's about the journey, not the goal.
Sillily enough, someone had to point out that this was my 50th newsletter. What a ride!
Thank you all for being a part of the journey. Onwards and upwards.
Let's take this week by swarm!
🐝 The Bee's Knees
Sam and co. found some fun vulns on Instapage and Hubspot: Here's a thread with a couple mini writeups for them, with @bbuerhaus, @sshell_, and @xEHLE_.
Jack is heading to Congress: "Some news! I've now finished at Stanford and will be headed to Congress, via the TechCongress program. I'll be working full-time for a Congressional office on tech policy. Excited to dive into the world of policy!"
Cache Poisoning at Scale: Even though Web Cache Poisoning has been around for years, the increasing complexity in technology stacks constantly introduces unexpected behaviour which can be abused to achieve novel cache poisoning attacks.
PHP LFI with Nginx Assistance: This post presents a new method to exploit local file inclusion (LFI) vulnerabilities in utmost generality, assuming only that PHP is running in combination with Nginx under a common standard configuration.
The internet runs on free open-source software. Who pays to fix it?: Yazici is a member of the Log4J project, an open-source tool used widely to record activity inside various types of software. Also read The Asymmetry of Open Source.
🙏🏻 Support the Hive
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
🔥 Buzzworthy
✅ Changelog
OWASP Mobile Security Testing Guide v1.3.0: New privacy chapter, iOS Bin, protection, debug symbols, iOS loaded native libs, and more.
Dalfox 2.7: DalFox is an powerful open source XSS scanning tool and parameter analyzer, utility.
🎉 Celebrate
HolyBugx crushing their goals: Congrats!
Tuan Anh Nguyen's Bugcrowd stats: Amazing!
Andy bought their dream car: Let's go!
Mustafa first blooded the HackerOne CTF (for the second time): Awesome!
ITSecurityguard is getting a new puppy: Exciting!
💰 Career Corner
LOOKING: rcon_joe needs a job: A self taught js/ts dev with a lot of cloud and backend design experience. Quick learner and very determined. LA based.
ADVICE: On looking for a job: After a year of recovering, they finally decided to return to the job market in mid October.
ADVICE: The polar bear method: They started their career as an high school drop-out with nearly no coding experience.
ADVICE: Ask life-changing questions, invest like the top 1%.
OSINTCurious - Interview with UnleashedOsint: Our ChristinaLekati, LorandBodo & Webbreacher spoke to Sarah about her career, teaching youth in online safeguarding practices, OSINT ethics and much more.
📰 Articles
Daniel compares his Top Four Security Podcasts/Newsletters: His top four recommendations are Darknet Diaries, Risky Business, Unsupervised Learning, and TL;DRSec.
A Scam Study - Too-Good-To-Be-True Deal Sites Lurking in Your Social Media: If you don’t spend much time in the r/Scams subReddit, you really are missing out.
Sam thinks his router or ISP has been hacked: I think my router or ISP has been hacked, but it's the strangest thing of all time: every time I send an HTTP request to an IP address, a follow up HTTP request is sent to the exact same URL by a Digital Ocean box. I've confirmed that...
EFF - Stalkerware - 2021 in Review: Stalkerware—that is, commercially-available apps that can be covertly installed on another person’s device for the purpose of monitoring their activity without their knowledge or consent—is nothing new, but 2021 has underscored just how prevalent and dangerous these apps continue to be and how important it is for companies and government to take action to rein them in.
📚 Resources
Ultimate Reconnaissance RoadMap for Bug Bounty Hunters & Pentesters: This article is targeting anyone who is a bug bounty hunter and penetration tester.
🎥 Videos
Log4j RCE vulnerability explained with bypass for the initial fix (CVE-2021-44228, CVE-2021-45046): This video is an explanation of the recent RCE vulnerability in Log4j (CVE-2021-44228, CVE-2021-45046) that affect many Java applications across the whole Internet. Importantly, the initial fix deployed can also be bypassed so even those who patched may still be vulnerable.
Log4j Lookups in Depth // Log4Shell CVE-2021-44228 - Part 2: In this video we dig a layer deeper into Log4j.
Farah's sf vlog - Bugcrowd office tour, meeting my colleagues.
Ben Eater - Networking tutorial series: giving people a better understanding of how the Internet works.
🎵 Audio
Human Factor Security Episode 175 - Robert O’Brien: They chat about the ethos behind the company, how personality and humour can be used in training and how there should be no tick box exercises when improving employee security behaviour.
How Alethe became a social engineer: Professionally she tries to trick people to give her passwords and access that she shouldn’t have.
David Choe On Finding Beauty in Brokenness: Can art and happiness coexist? Is great art only forged through pain? And is suffering integral to creativity?These are just a few of the many questions explored in today’s colorful excavation of David Choe’s fascinating soul.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Subscribe to the Hive Five to read the rest.
Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In