🐝 Hive Five 84 – Let's Hack GraphQL, A ‘Master Class’ in Bug Bounty, and How to Be Happy

Hi friends,

Greetings from the hive!

I hope you're doing well. I'm still recovering from the after-effects of Covid. I hadn't considered its effect on my body in the form of less stamina and endurance, plus muscle fatigue in my legs.

On another note, a bunch of dope albums dropped last week! Pun intended. DJ Khaled - GOD DID, Meechy Darko - Gothic Luxury, and JID - The Forever Story.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Z-winK University - Let's Hack GraphQL - Introspection, Playground, Queries, Mutations, and Fun!.

2. NahamSec - Attack Surface Management Series - EP2 - Shodan.

3. Gamified Hacking Ep 7 | How Hunting Broken Access Control Can Be EASY! Part 1 PwnFox: This is the first video where we FINALLY start some real exploitation.

4. Dorks collections list: List of Github repositories and articles with list of dorks for different search engines.

5. Vulnerabilities list: Here is a non exhausted list of vulnerabilities that they use as a reminder with links for reference. It’s based on many different resources available on the Internet.

🙏 Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition.

You can also follow me on Twitter.

🔥 Buzzworthy

✅ Changelog

1. DOMPurify 2.4.0: DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.

2. Dacquiri 0.5.0-rc1: A framework that turns authorization vulnerabilities into compiler errors.

3. nixintel updated their OSINT resources.

📅 Events

1. Rami 2x Pentesterlabs giveaway - closes September 1.

2. GovTech (Singapore) two competitions: STACK the Codes Oct-15 Nov and STACK the Flags Capture-the-Flag: 2-4 Dec.

3. BSides Gold Coast - October 22.

4. curl up 2022 take 2 - September 15.

5. CrikeyCon - September 3: A grass-roots Australian security conference based in Brisbane. CrikeyCon VIII.

🎉 Celebrate

1. Team p4fg and co won best team and best PoC at 1337up0822: Congrats!

2. shubs et al participated in the yeswehack LHE and came 2nd: Let's go!

3. It was Katies birthday: Yay!

4. Sean received a fat bounty: Wow!

5. Rotem Bar and team received a P1: Dream work!

💰 Career Corner

1. EFF is hiring: Bay area friends. Take a look at this (non-tech-focussed, but still hella nerdy people role).

2. 5 Resume Mistakes You MUST Avoid (with real examples).

3. Ask HN - Contractors, what is your hourly rate?.

⚡️ From the Community

1. Katie on watching STÖK do a show and tell: "Listening and watching @stokfredrik do a show and tell is pure joy, entertainment and plain old showman ship WITH technical breakdowns to be jealous of."

2. spaceraccoon from Vegas to Singapore.

3. BusesCanFly is no longer a GreyNoise intern: "as of today, im officially no longer a @GreyNoiseIO intern 😢 it's been a seriously cool and fun summer, it was amazing to work with everyone. [...]"

4. Silvio on the hacker community and hacker cons.

5. Sam Curry et al have been working on some neat stuff: "[...] Found >50 critical bugs on a large target as a small team, wrote a long blog post for it (pending approval) - Collaborated with @infosec_au on an 0day (pending approval) Wish I could share them both now!"

📰 Articles

1. Recon and Vulnerability Scanner via Trickest and GitHub: This blog post will demonstrate how to create a synergy between GitHub Actions and Trickest Platform. You only need to push nuclei templates and root domains to the repository and wait for new results.

2. Browser-Powered Desync Attacks - A New Frontier in HTTP Request Smuggling: The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end... until now.

3. But You Told Me You Were Safe - Attacking the Mozilla Firefox Renderer (Part 2): Note that a for ... in loop will traverse all properties found in the prototype chain, and not only the properties found on the object itself. Therefore, by invoking the code shown above after we have polluted Object.prototype, we can cause tab.setAttribute to be called with arbitrary parameters.

4. Command Injection in the GitHub Pages Build Pipeline: This was definitely one of the more fun bug bounties they did, because it combines multiple GitHub-specific features with some more traditional Hack The Box-esque techniques (e.g. using --checkpoint-action).

5. GraphQL Batching Attacks - Turbo Intruder: What Are Batching Attacks In GraphQL? GraphQL allows for multiple queries to be sent to the server in one single request in order to reduce the number of requests [1] that the server has to process.

📚 Resources

1. Inventory: Asset inventory on public bug bounty programs.

2. PentesterLab talk - SAML - Ruxmon Sept 2022 (slides): An Introduction to SAML and its security.

3. subdirectories-discover wordlist: Perfect wordlist to discover directories and files on target site with tools like ffuf.

4. dmw94/bazzellpy: A library for Pythonistas to call Michael Bazzell's OSINT tools as functions.

🎥 Videos

1. Ippsec walking through HackTheBox - Talkative.

2. CrikeyCon 2021 keynote - Casey Ellis - Release the Hounds Part 2: It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers.

3. Minecraft Force-OP Exploit: They investigate how Herobrine got OP on their server and they look back at the network protocol vulnerability they reported in march.

4. Setting Up Whonix for ANONYMOUS Tor Browsing.

5. Security Flash - Apple Vulnerability (CVE 2022-32893): Last week, Apple warned of new security vulnerabilities affecting MacOS Monterey 12.5.1, iOS 15.6.1, and iPadOS 15.6.1. According to Apple, each of these flaws could potentially lead to arbitrary code execution.

🎵 Audio

1. The Privacy, Security, & OSINT Show #276 - When Google Attacks: This week they break down a recent report of Google terminating services of users who photographed their toddlers nude, the impact of their account loss, and solutions to prevent your own issues.

2. Risky Business #675 - The problem with Mudge's whistleblowing complaint.

3. A ‘Master Class’ in Bug Bounty - Jason Haddix on the Paranoids’ Program: The podcast welcomes its first outside guest: Jason Haddix, a bug bounty veteran who has participated in hundreds of programs over his career.

4. LinkedIn is a Bigger Security Threat Than You Think - Darknet Diaries Ep. 122: Lisa: Before Lisa Forte helped companies secure their networks, she protected merchant ships from IRL pirates! She has some amazing lessons from the high seas that apply to everyday security, including why talking to people on social media - especially when you're emotional - is the biggest threat of all.

5. We Hack Purple Podcast Episode 58 - Sherif Koussa: In this episode they talked about how we could prevent the next Log4J. They covered government regulations, industry compliance, tooling, SBOMs, inventory, incident response, and more.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.