🐝 Hive Five 55 – Nightingale

Hi friends,

Greetings from the hive!

I hope you had a lovely weekend. I watched the movie The Nightingale, and it left me speechless. This review sums it up perfectly: "A superb, albeit harrowing drama about colonial violence, misogyny, and racism."

Have you watched anything lately that made an impact on you?

Let's take this week by swarm!

🐝 The Bee's Knees

1. Escalating Your Bugs With GDPR Impact: GDPR was a landmark piece of data privacy legislation that was passed in the EU, it offers a ton of security for EU citizens, but it also puts some pretty stringent requirements on organizations which process this data. For bug bounty hunting this is great, we can really prove and explain the impact.

2. State of OSINT 2022: A community project to capture the views and experiences of OSINT practitioners. Read expert's views on the best (and worst) of OSINT, their favorite tools and techniques, and how they think the landscape is changing.

3. How I hacked my way to the top of DARPA’s hardware bug bounty: Go inside one of the most technically challenging bug bounties ever with the researcher who subverted secure hardware designed by MIT and the University of Cambridge.

4. Webcam Hacking (again) - Safari UXSS by Ryan Pickren: Gaining unauthorized camera access via Safari UXSS: the story of how a shared iCloud document can hack every website you've ever visited. It's been over a year since their last Apple camera hacking project, so they decided to give it another go.

5. Solarwinds Web Help Desk - When the Helpdesk is too Helpful: The CVE for this issue is CVE-2021-35232.

🙏🏻 Support the Hive

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Become a sponsor

🔥 Buzzworthy

✅ Changelog

1. Pentester Land added 16 new writeups.

2. DOMPurify v2.3.5 release: A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.

3. Osmedeus v4.0.1 release: A Workflow Engine for Offensive Security.

4. PentesterLab added various subtitles to their videos.

📅 Current Events

1. d0nut's Rusty giveaway: Like rustlang? Maybe a little Rust-curious? He's giving away a 1 Year license to jetbrains' entire product suite ($250 value) to the individual that submits the most exciting or interesting rust project.

2. Hussein released a bug bounty course: The workshop he gave at Threat Con is now live on Udemy.

3. RazzorSec x QuillAudits UnChained 2022 - Official Trailer: Come witness a one-of-a-kind blockchain security event with speakers across the globe on 26th February 2022.

4. OWASP DevSlop - OAuth 2.0 Hacking for Beginners with Farah Hawa: An introduction to some authentication flows in OAuth 2.0 followed by a demo of some common bug types that can be found in them. Takes place on Sunday, February 6, 2022.

🎉 Celebrate

1. You can now become a sponsor to d0nut: Show him love!

2. Sunil reached his Q1 goal in 1 month: Killing it!

3. Julien scored their highest single bounty: Amazing!

4. Corben is ready for new adventures: Go get 'em!

5. hg_real took a well deserved break after reporting 40 GameSec bugs: Looking good!

💰 Career Corner

1. Ghost is hiring community, engineering & infrastructure roles.

2. ʝօɦռռʏӼʍǟֆ is hiring a Senior Technical Trainer.

3. Things people wished they knew earlier in their career: via casey.

4. Salary negotiation tips: via casey.

5. What a career in Open Source look like: Emma Irwin, Senior Program Manager, from Microsoft's Open Source Program Office speaks through her own journey in open source and resources that she created as a result of her OSPO research.

📰 Articles

1. Overview of network pivoting and tunneling: This an english translation of an article they wrote in french on Orange Cyberdefense blog.

2. Eliminating Authorization Vulnerabilities with Dacquiri.

3. Path Traversal Paradise: This blog will be about all the different kinds of Path Traversals and Local File Inclusion vulnerabilities that they have found in Synack Red Team.

4. 3 part series - How bxmbn made $16,500 hacking CDN caching servers.

5. Cracking a $2 million crypto wallet: In early 2018, Dan Reich and a friend decided to spend $50,000 in Bitcoin on a batch of Theta tokens, a new cryptocurrency then worth just 21 cents apiece.

📚 Resources

1. Frida HandBook: It's a small, free web handbook to learn about binary instrumentation using Frida.

2. Data Engineering Zoomcamp: Free Data Engineering course.

3. Favicon Map: Shodan collects the favicon images for all devices it finds on the Internet.

4. OneListForAll: Rockyou for web fuzzing.

5. Advanced SQL Injection Cheatsheet: This repository contains an advanced methodology of all types of SQL Injection.

🎥 Videos

1. IppSec tackles HackTheBox - Anubis.

2. Intro to Pentesting by Mantis: A short introduction to penetration testing and the OWASP frameworks.

3. InfoSec Unplugged - Talk w/ Alissa Knight: They talk about her cyber security career, the good and the bad of hacking banks and medical apps, API security, hacking cars, creativity in report writing

4. Injecting code into any Homebrew Cask by attacking GitHub Actions script: This video is an explanation of the vulnerability in GitHub Actions script used by Homebrew repository to automatically merge some commits.

5. Open Redirect Leading to OAuth Access Token Disclosure!: Learn about Open Redirect vulnerabilities.

🎵 Audio

1. Human factory security - Episode 177 Lauren Zink: On this episode Jenny chats with Lauren Zink who will be familiar to many in the security industry as an authority on security awareness and communications.

2. The Privacy, Security, & OSINT Show #248 - Privacy vs. COVID: This week Jason joins them to discuss privacy complications (and solutions) regarding COVID.

3. Risky Business #652 - Cyber Partisans take down Belarusian rail systems.

4. EFF How to fix the internet - Data Doppelgängers: On this episode of How to Fix the Internet, Ethan Zuckerman, a long-time friend and tech pioneer, joins EFF’s Cindy Cohn and Danny O’Brien to discuss ways to fix surveillance advertising and online speech to make the internet a better place for everyone.

5. Darknet Diaries - #109 TeaMp0isoN: TeaMp0isoN was a hacking group that was founded by TriCk and MLT.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.