🐝 Hive Five 83 – How to prepare for a tech talk, IDORs and UUIDs, and Web Hacker’s Weapons

Hi friends,

Greetings from the hive!

I hope you had a good time during my absence. I made it back from DEF CON but I was accompanied by Covid. I spent this past week recovering. Though I'm still not 100%, here's this week's Hive Five and a short rant.

I'm not a fan of American lawn culture. It feels obsessive. Not to mention that it doesn't look appealing at all to me. What prompted this was Adriana's war on lawns.

More shine to real nature, creativity, and being different.

Let's take this week by swarm!

🐝 The Bee's Knees

1. You Have One New Appwntment - Hacking Proprietary iCalendar Properties.

2. Kernel Exploitation on HEVD #2 : Write What Where (Arbitrary Overwrite).

3. How Chelsea does (and doesn’t) prepare a talk for a tech conference.

4. IDORs with unpredictable IDs are valid vulnerabilities: It’s an eye-door, get it? There is an interesting debate around bug reports of IDORs with IDs which are not predictable.

5. Web Hacker's Weapons: A collection of cool tools used by Web hackers.

🙏 Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition.

You can also follow me on Twitter.

🔥 Buzzworthy

✅ Changelog

1. HackerOne now supports copy and pasting of attachments.

2. Param miner has arrived at ZAP.

3. Findomain v8.2.0: It's a release with minor changes, security fixes, some development configurations added and that's it.

4. ysoserial.net v1.35: Deserialization payload generator for a variety of .NET formatters.

📅 Events

1. Uncurled – the presentation Tuesday August 23, 2022: Everything Daniel knows and learned about running and maintaining Open Source projects for three decades.

🎉 Celebrate

1. Ben broke his large bounty cycle: Let's go!

2. Nagli had a blast in Vegas: On to the next one!

3. XNL-н4cĸ3r ended their bounty drought: Congrats!

4. Ben Bidmead got a new job: Have fun!

💰 Career Corner

1. Marcus J. Carey - 08/19/2022 Cybersecurity Job Thread.

2. Google dork for pentesting jobs via Paul.

⚡️ From the Community

1. d0nut's dream is to no longer work a 9-5: Instead he wants to build really cool, high performance, high quality rust tools and libraries.

2. Viktor's first time at DEF CON.

3. sw33tLie had a blast at the Vegas Bug Bash: "I hope everyone doing bug bounties gets to experience a LHE at least once. It feels unreal to meet all the folks you've been working with in the past years."

4. dawgyg and Rhynorater are going to try and get the bug bounty monthly meet ups back on track.

5. Labda started streaming HackTheBox sessions.

📰 Articles & Threads

1. Things TESS learned at the Bugcrowd Bug Bash: "There's seriously a lot going in the backend when we make a submission. [...]"

2. Intro to Cross-chain bridges and its security: Blockchain enables various opportunities for its users. There are many takes on how blockchain should behave and what it should offer.

3. Discovering Domains via a Time-Correlation Attack on Certificate Transparency: Many modern websites employ an automatic issuance and renewal of TLS certificates. For enterprises, there are DigiCert services. For everyone else, there are free services such as Let’s Encrypt and ZeroSSL. There is a flaw in a way that deployment of TLS certificates might be set up.

4. The 160 Hours Bug Bounty Hunting Challenge.

5. IAM Whoever I Say IAM - Infiltrating VMWare Workspace ONE Access Using a 0-Click Exploit.

📚 Resources

1. dh0ck/Wi-Fi-Pentesting-Cheatsheet: Personal notes used to pass the OSWP exam.

2. trickest/wordlists: These wordlists are based on the source code of the CMSes/servers/frameworks here.

3. payloadbox/sql-injection-payload-list: SQL Injection Payload List.

4. Command Line Text Processing: From finding text to search and replace, from sorting to beautifying text and more.

🎥 Videos

1. Ippsec takes on HackTheBox - Timelapse.

2. Floerer - Hacker Interview.

3. An overlooked parameter leads to a critical SSRF in Dropbox bug bounty program.

4. Discover Vulnerabilities in Intel CPUs!: In this video we explore the basic ideas behind CPU vulnerabilities and have a closer look at RIDL.

5. Katie Paxton-Fear - The Bug Bounty Hunter & YouTube Creator.

🎵 Audio

1. The New Guy at the Office Is a Secret Super Hacker - Darknet Diaries Ep. 36 - Jeremy From Marketing: Penetration testers are good guys, hired by companies to hack into their own networks by any means necessary. Pro hacker and ex-marine "Tinker" goes undercover as a marketing temp for the toughest crack of his career.

2. Smashing Security 286 - Hackers doxxed, Pornhub probs, and Co-op security measures: Pornhub has a problem, the UK's Co-op supermarket is accused of big brother tactics, and we take a look at a security researcher's attempt to reveal the true identify of hackers.

3. Malicious Life - "A CISO's Nightmare": Israel Baron on Railway Security.

4. The Privacy, Security, & OSINT Show #275 - Archived Site Removal & Breaches Galore.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to Premium to read the rest.