
๐Ÿ Hive Five 79 โ€“ Mediocre security engineers and Empathy as a Service


Hi friends,

Greetings from the hive!

A recent Tweet of mine was a quote saying that life begins at the end of your comfort zone. I know that it can be scary. But, you have to trust the process.

Say you want to improve your writing. Turn it into a habit. Writing. Every. Day. Follow writers you admire, copy and remix their work. Create a swipe file of things that stand out to you and analyze it.

Speaking of writing, I finally released a new blog post. It might be a simple TIL post, but it still has value.

Through self-reflection, I noticed flaws that prevented me from posting. One of them was that I wouldn't post something unless I deemed it perfect, preventing me from posting anything.

So now, I'm identifying myself with the type of person I want to be by releasing earlier and iterating on it. Thus, not only increasing my luck surface but also establishing a bias towards action.

How are you challenging yourself? Let me know 🙏

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. Bug Bounty Redacted #5 - Second Order Subdomain Takeovers & Logic Bug DoS.

  2. BSidesSF 2022 - Keynote - We Need More Mediocre Security Engineers (Jackie Bow): The field of information security remains one of the most isolated - and at times, elitist - bastions in tech. We self-impose the highest cost of entry - be extraordinary or get out.

  3. Exploiting Arbitrary Object Instantiations in PHP without Custom Classes: During an internal penetration test, they discovered an unauthenticated Arbitrary Object Instantiation vulnerability in LAM (LDAP Account Manager), a PHP application. PHP's Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects.

  4. Diana Initiative 2020 - Tracy Z. Maleeff - Empathy as a Service to Create a Culture of Security: So-called "soft skills" are greatly undervalued in the Information Security industry. The very core of security involves humans.

  5. 988 Suicide & Crisis Lifeline: A historical day for suicide prevention & mental health in the U.S.! The National Suicide Prevention Lifeline, now known as the 988 Suicide & Crisis Lifeline, can be more easily reached by calling or texting 988, or chatting on https://988lifeline.org/. Jen Easterly shared her own personal story last year.

๐Ÿ™ Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition or buying me a coffee.

🔥 Buzzworthy

✅ Changelog

  1. ProjectDiscovery TLSX release update: TLSX has been updated to include new options for detecting TLS misconfigurations.

  2. Dacquiri - A compile-time authorization framework in.

  3. DOMPurify 2.3.9: A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

  4. Vite 3 is out: Vite is powering a renewed innovation race in Web frameworks. Nuxt 3 uses Vite by default. SvelteKit, Astro, Hydrogen, and SolidStart are all built with Vite. Laravel has now decided to use Vite by default.

  5. WAFW00F v2.2 Release: WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

📅 Events

  1. May Contain Hackers 2022 (July 22-26): Nicolas Grégoire will be there too!

  2. GirlsWhoHack Soldering Class - Hope Conf 7/22, 7/23, 7/24: The class is aimed at kids, adults are welcome if there is room.

🎉 Celebrate

💰 Career Corner

โšก๏ธ From the Community

  1. Joo made ffuf stickers: Available at @MCH2022Camp (and possibly DEFCON).

  2. Amazing hardware hackers to follow: via specters.

  3. C1phy - Hacker Interview: A unique chance to sit down with C1phy/@marcolivermunz and ask him a couple of questions.

  4. Alex Chapman et al discussing bug bounty.

  5. Story - The NPMJS Claim.

📰 Articles

  1. It's impossible to find every vulnerability, so we don't try to: Security static analysis tools generally seem to throw a ton of false positives. Did you know there's a reason for that, one that's rooted in math?

  2. Going beyond Alert with XSS: This post discusses three XSS cases whose severity they escalated beyond a proof-of-concept alert in order to assess the real risk.

  3. Bug Bounty Collaboration and Manual Exploitation of an Interesting Boolean SQL Injection · H3K: This blog post describes how collaboration and re-checking your notes after a period of time can aid in finding critical vulnerabilities.

  4. From Bug Bounty Hunter, to Engineer, and Beyond.

  5. Get Your Kicks on Route Sixty-Sink - Identifying Vulnerabilities Using Automated Static Analysis: An open-source tool that enables defenders and security researchers alike to quickly identify vulnerabilities in any .NET assembly using automated source-to-sink analysis.

📚 Resources

  1. Bug Bounty Wordlists: A repository that includes all the important wordlists used while bug hunting.

  2. tes5hacks/good-tools.

  3. tanprathan/MobileApp-Pentest-Cheatsheet: The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics.

  4. Eradicating Vulnerability Classes slides (LocoMocoSec talk).

  5. WarCon 2022 – Modern Initial Access and Evasion Tactics.

🎥 Videos

  1. Z-winK's Bug Bounty Bootcamp: How to get started in ethical hacking and infosec.

  2. Ippsec tackling HackTheBox - Acute.

  3. More Z-winK - Hunting IDOR (Part 2): In this presentation, Z-winK will build on his latest series and will take you through a deeper dive into hunting IDOR (Insecure Direct Object Reference) for big dollars.

  4. How to write a banger blogpost (Hacking the Google algorithm) - STÖK Security Fest 2022: So you did some awesome research, wrote a pretty epic write-up and now you want to share the results with the world.

  5. Command Injection - Lab #5 Command injection with out-of-band data exfiltration: In this video, Rana covers Lab #5 in the Command Injection module of the Web Security Academy.

🎵 Audio

  1. Cybersecurity Web Podcast #3 - Lily Clark.

  2. Malicious Life - Silk Road: The Amazon of drugs, Part 1.

  3. The Privacy, Security, & OSINT Show #270 - OSINT Tool Updates: This week they explain numerous updates to the online OSINT search tools and offer some general usage tips.

  4. Smashing Security #283 - Disney's social dumpster fire, Anom phones, and TikTok tragedies: A self-proclaimed "super hacker" causes problems in the Magic Kingdom, criminals regret trusting Anom phones, and law suits are filed against TikTok.

  5. Layer 8 Podcast Episode 87 - Steven Harris, aka NixIntel: A talk with Steven Harris, aka @nixintel, who is an Executive Board Member with @OSINTCurious and is currently employed by Qomplx to perform investigations. He also teaches SEC 487 for SANS.
