🐝 Hive Five #8 - “Do what you can, with what you have, where you are.” ― Theodore Roosevelt
Hi friends,
Greetings from the hive!
We're nearing the end of February and I'm glad to say that I started this year off swinging. I've already worked on several projects, some security related, and earlier in January I sent out the very first edition of this newsletter. Time flies when you're having fun!
How's your year been so far?
As they say in Age of Empires, "start the game already!".
The Bee's Knees
How I cut GTA Online loading times by 70%: GTA Online. Infamous for its slow loading times. After returning to the game, t0st discovered that it still loads just as slowly as the day it was released 7 years ago. It was time. Time to get to the bottom of this.
Programming Talks: Veit Heller's wonderful collection of talks on programming language specifics as well as a more general section they call "theory".
Black Hat 2020 Talks: Now in its 23rd year, Black Hat USA is the world's leading information security event, providing attendees with the very latest security research, development and trends.
Why Time Is Our Most Precious Resource: Time (or the lack thereof) has haunted Polina Marinova Pompliano for as long as she can remember. She writes about how learning should be paired with action. There's no time to wait. Whatever you want to accomplish, do it today.
Top 10 web hacking techniques of 2020: the Top 10 (novel) Web Hacking Techniques of 2020, PortSwigger's annual community-powered effort to identify the must-read web security research released in the previous year.
Buzzworthy
Celebrations
Julien Ahrens Tweet: First computer build since 2008 and it's a beast!
Mustafa Can İPEKÇİ Tweet: Made the top 10 for last 365 days on web apps at Synack!
Somdev Sangwan Tweet: Their project "Arjun" is a part of Kali Linux now!
Jobs
dawgyg@Braze Tweet: Braze is looking for a Sr. Cloud Security Engineer.
Julien Ahrens Tweet: One of their German customers is actively looking for a full-time senior security analyst with 5+ years of itsec/pentesting experience.
Resources
A Journey Combining Web Hacking and Binary Exploitation in Real World!: Orange Tsai addresses the technique that was part of one of his Red Team engagements last year, presented in OWASP Hong Kong 2021.
Awesome Google VRP Writeups: A list of writeups from the Google VRP Bug Bounty program maintained by David Schütz.
An Exploration of JSON Interoperability Vulnerabilities: The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks.
Web Development for Beginners - A Curriculum: Azure Cloud Advocates at Microsoft are pleased to offer a 12-week, 24-lesson curriculum all about JavaScript, CSS, and HTML basics.
Security cheat sheets: To-the-point cheat sheets outlining best practices for building modern and secure web applications.
SSRF to RCE with Jolokia and MBeans: Excellent write-up. RIP cat.
A thread written by @sarah_edo: Golang for JavaScript developers.
Learn Go with Tests: Learn test-driven development with Go Translations.
Finding Evil Go Packages: Michael Henriksen investigates supply chain attacks in Golang.
White Box Web Application Pentesting: This writeup is all about the so-called "white box" approach to pentesting web applications.
Red Team Stories: The Gordian Lock: Today's story is about one of Will Butler's favorite red team strategies: finding and using custom application layer bugs.
Go: The Complete Developer's Guide (Golang): This course is designed to get you up and running as fast as possible with Go.
Poisoning your Cache for 1000$ - Approach to Exploitation Walkthrough
A Vim Guide for Advanced Users: Welcome to the third part of this series aimed to help you unleash a power never seen on Earth using the Almighty Vim.
7 Burp Suite Professional-exclusive features to help you test smarter: So, you've downloaded Burp Suite Professional. What now?
Nuxt Performances slides: Debbie O’Brien covers Nuxt webpack PWA Nuxt performances.
Optimizing Nuxt Apps without removing features: Slides from Filip Rakowski's talk on making your Nuxt apps faster than ever.
Nick || hunt4p1zza: An epic thread by Nick about how Autorepeater works magic in automating access control or other types of tests if you know how to configure it.
European Internet Archive: The European Internet Archive is a free service which provides access to historical versions of websites.
rand0h asking about kubernetes: Good resources to get conversational in k8s, when you've got decent cloud background/understanding.
A Journey Into the Beauty of DNSRebinding - Part 1: Giovanni Guido and Alessandro Braccio show a practical example of a DNS Rebinding attack against UPnP services exposed in a local network.
agmmnn/awesome-blender: A curated list of awesome Blender add-ons, tools, tutorials and resources for 3D Artists, Hobbyists, Developers, Researchers.
Everyday Data Science: Andrew Carr wrote a book to inspire and encourage people to be aware of their lives, be mindful of what is happening around them, and take control with the techniques often used in data science.
CVE-2020-8625: A Fifteen-Year-Old RCE Bug Returns in ISC BIND Server: Lucas Leong says it was a great submission that was close to earning a larger payout and decides to look at the bug in further detail.
reconftw: This is a simple script intended to perform a full recon on an objective with multiple subdomains.
How I made $101,578.04 selling colors online draculatheme.com/pro/journey A visual timeline... 👇: Zeno, creator of Dracula theme, shares his journey of monetizing an open source project.
Ben Sadeghipour: As promised, Ben finally pushed an update to the “Resources for Beginner Bug Bounty Hunters” repo on GitHub!
Encoding Mutations: A Base64 Case Study: This writeup, by netspooky, is a quick rundown of how Base64 works, and how ambiguity in the decoding process can be used to an attacker or defender's advantage.
Paul McMillan Tweet: Paul shares how Netflix tries to be deeply on the side of the researcher as program managers.
Running an OnionShare anonymous dropbox on a Raspberry Pi: Now that the command line version of OnionShare has better support for running on headless Linux servers, Micah Lee shares how to set up a dedicated Raspberry Pi anonymous dropbox server.
Mistakes I’ve Made as an Engineering Manager: Sarah Drasner shares her experiences as an engineering manager, talks about learning moments, and mistakes that she's made.
Big bugs: bitbucket pipelines kata containers build container escape: Researcher Alex Chapman (axjchapman) identified a vulnerability in Kata Containers which could allow processes running in the Kata VM to write to supposedly read-only volume mounts.
Tap your phone at Gold Coast bus stops to access my website: Josh was out late one night when he stopped and looked at the bus timetable sign at a local bus stop, intrigued by its NFC tag.
Closing the Loop: Practical Attacks and Defences for GraphQL APIs: Developers must carefully consider the attack surface of their GraphQL schemas and implement secure access controls to protect user data.
Videos
Rails Best Practices I: Semicolon & Sons shares some of their favorite practices applicable to Ruby on Rails (and to web development on small teams generally).
Abusing unicode characters to PWN Intigriti XSS challenge [I WON!]: Goat Sniff shares how they won the Intigriti XSS challenge.
How I Found My First Bug (and earned $1k!) - Business Logic Tips: Katie shares the story of their first bug(s), how they found them, and what the bugs were.
Android Hacking Workshop by @B3nac Sec: Get an insider look on how @B3nac Sec approaches his Android targets with live demos from the Injured Android application!
A SCARY phishing Attack (And how to clean it up!) using Office 365.: Email phishing attacks are scary, and it can sometimes be hard to defend against and to clean up.
SQL Injection | Complete Guide: Rana Khalil covers the theory behind SQL injection vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, and how to exploit them and how to prevent them.
Axiom Demo - Resolving 6 million domains in 5 minutes with 100 instances!: pry0cc resolves 6 million subdomains from projectdiscovery chaos, using dnsx with axiom over 100 instances which took about 5 minutes in total!
CS 253 Web Security: This course is a comprehensive overview of web security, covering the fundamentals as well as the state-of-the-art in web security.
CNIT 129S: Ch 1: Web Application (In)security: A college lecture based on "The Web Application Hacker's Handbook", 2nd Ed.
Awk in 20 Minutes: Awk is a tiny programming language and a command line tool.
A dupe led Gal Nagli to find a Web Cache Poisoning vulnerability which was escalated to 0 interaction stored XSS.
Audio
The OSINT Intelligence Cycle: Very first Radio Secjuice show, talking about the OSINT intelligence cycle with special guests from the law enforcement and military intelligence domains.
Images
Amazing 2021 National & Regional Awards Winners of the Sony World Photography Awards - The World Photography Organisation, a leader in the international photography scene, has recently announced the 2021 National and Regional Awards winners of the Sony World Photography Awards.
Articles
Coded Resistance: Freedom Fighting and Communication: Ways the Black community has fought back through intricate networks and communication aimed at avoiding surveillance.
Request For Comment: dioterms open-source VDP policy: disclose.io is an open-source policy standardization project, intended to give organizations a "shovel-ready" VDP boilerplate to use.
SolarWind, enough with the password already!: This is a much delayed discussion on the complexity and nuance of the SolarWind hack.
Anime Is Booming. So Why Are Animators Living in Poverty?: The workers who make the Japanese shows the world is binge-watching can earn as little as $200 a month.
A thread written by @AssemblyFour: A thread about the proposed Online Safety Bill and their concerns ranging from privacy and safety, to enforcement and moral policing. (AUS)
Explainer: The Online Safety Bill: The Online Safety Bill was introduced in December with the aim to “improve and promote Australia’s online safety.” (AUS)
The Future of Web Software Is HTML-over-WebSockets: The future of web-based software architectures is already taking form, and this time it’s server-rendered (again).
TraceLabs Global Search Party 2020–02– Mentoring LHS: CyberSecStu shares some of their methodology for competing in TraceLabs Global Search Parties, as this may also be useful to you whether you’ve taken part before or not.
Google Cloud vs AWS Onboarding Comparison: Kevin goes over their experience redeeming credits for major cloud providers, two in particular: AWS and Google Cloud.