• Hive Five
  • Posts
  • 🐝 Hive Five 57 – Saved You One Click

🐝 Hive Five 57 – Saved You One Click

Photo by Sigmund / Unsplash

Hi friends,

Greetings from the hive!

I hope you had a wonderful weekend. How’s the weather where you are? Unfortunately, over here, it went from warm temperatures to ice cold. We had some snow over the weekend.

Speaking of the unexpected, I learned that Netflix has a different release schedule for new seasons per region.

Enough chitchat. Let's take this week by swarm!

🐝 The Bee's Knees

  1. An XSS on Facebook via PNGs & Wonky Content Types: Content uploaded to Facebook is stored on their CDN, which is served via various domains (most of which are sub-domains of either akamaihd or fbcdn).

  2. Sudo Exploit for Ubuntu 20.04 LTS: This is the end. We finally develop a working sudoedit exploit for Ubuntu 20.04.

  3. 100 hours of bug bounty on a public Hackerone program - Bounty vlog #1 Stripe.

  4. "Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains: Recently Matthew took an interest in the npm registry due to it’s critical role in the security of managing packages for all of JavaScript and Node. Bonus read.

  5. Top 10 web hacking techniques of 2021: Welcome to the Top 10 (new) Web Hacking Techniques of 2021, the latest iteration of our annual community-powered effort to identify the most significant web security research released in the last year.

πŸ™πŸ» Support the Hive

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

πŸ”₯ Buzzworthy

βœ… Changelog

  1. PentesterLab released the last 3 challenges for the HTTP Badge.

  2. New ZAP Networking Layer: The latest Weekly and Live ZAP releases are now using a completely different networking stack. Previously, ZAP used code written for Paros Proxy on top of an old and out of date version of the Apache Commons HttpClient library.

  3. reconFTW v2.2: a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

  4. Osmedeus v4.0.2: A Workflow Engine for Offensive Security.

  5. Semgrep's February 2022 Updates - Developer Feedback, Editor, and much more.

πŸ“… Current Events

  1. 2022 security conferences people are looking forward to.

  2. SE Village operator humanhacker has been banned from the conference due to COC violations: Also DEF CON Group DCG414 has been disbanded due to COC violations by the group's primary point of contact.

  3. Celebrate Valentine's Day with Hack The Box: A new Valentine'ss Day tournament is coming,

  4. OWASP DevSlop - Attacking JSON Web Tokens with Louis Nyffenegger: Scheduled for Feb 18, 2022.

πŸŽ‰ Celebrate

πŸ’° Career Corner

πŸ“° Articles

  1. Bug bounty hunter to working at Microsoft: In this blog post they'll be going over the differences between bug hunting as a hobby and vulnerability research as a job.

  2. I Used Apple AirTags, Tiles and a GPS Tracker to Watch My Husband’s Every Move.

  3. Google Vulnerability Reward Program - 2021 Year in Review: Last year was another record setter for their Vulnerability Reward Programs (VRPs). Throughout 2021, they partnered with the security researcher community to identify and fix thousands of vulnerabilities – helping keep their users and the internet safe.

  4. CVE-2022-21703: cross-origin request forgery against Grafana: This post is a writeup about CVE-2022-21703, which is the result of a collaborative effort between bug-bounty hunter abrahack and jub0bs.

  5. A technique to semi-automatically find vulnerabilities in WordPress plugins.

πŸ“š Resources

πŸŽ₯ Videos

🎡 Audio

  1. Privacy, Security & OSINT #250 - Consequences of Product Refunds: This week they discuss the ways your store refunds are monitored and used against you, plus a new flag-planting lesson regarding vehicle insurance companies.

  2. Smashing Security #261 - North Korea hacked, DEA cosplay, and Horizon Worlds drama: Who's wearing the pyjamas while they take down North Korea's internet? Is it a case of cop or cosplay in Oregon? And what's to fear about the metaverse?

  3. Risky Business #654 - FBI arrests deeply annoying cryptocurrency influencers.

  4. Darknet Diaries #110 - Spam Botnets: This episode tells the stories of some of the worlds biggest spamming botnets.

  5. Malicious Life - The Greatest Espionage Operation Ever, Part 1.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to Premium to read the rest.

Become a paying subscriber of Premium to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In.

A subscription gets you:

  • β€’ Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
  • β€’ Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
  • β€’ EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
  • β€’ MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
  • β€’ Deep DISCOUNTS on paid content.
  • β€’ Experience continuously added NEW BENEFITS.