🐝 Hive Five 85 – Three JavaScript Security Legends & Full-time bug bounty vs Salaried position
Photo by Ferenc Almasi / Unsplash
Hi friends,
Greetings from the hive!
I hope you’re doing well. This weekend I went through the most challenging physical test of my life. It’s surprising how much one can take on by putting their mind to it.
Although I’m hurting right now, I enjoyed it. Challenging yourself is something everyone should do.
Even if you think you can’t do something, the outcome might surprise you. You got this!
Let's take this week by swarm!
🐝 The Bee's Knees
Returning to Defcon Post FBI Arrest: Marcus Hutchins travels over to Vegas for the first time since his legal case ended.
Peter Eckersley, one of the original founders of Let's Encrypt, passes away at 43.
NCC Con Europe 2022 – Pwn2Own Austin Presentations: Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group’s annual private internal conference for employees.
Tetsuji - Remote Code Execution on a GameBoy Colour 22 Years Later: It’s that time of year again - the Binary Golf Grand Prix is back for a third year running. The theme this year was to produce a binary that crashes a given program.
hakluke's hakscale: It allows you to scale out shell commands over multiple systems with multiple threads on each system. The key concept is that a master server will push commands to the queue, then multiple worker servers pop commands from the queue and execute them.
🙏 Support the Hive
Enjoy reading the Hive Five? Consider sponsoring the next edition.
You can also follow me on Twitter.
🔥 Buzzworthy
✅ Changelog
tlsx v0.0.7: Fast and configurable TLS grabber focused on TLS based data collection.
Burp Suite price increases: They are increasing prices for Burp Suite Professional and Burp Suite Enterprise Edition, due to a significant increase in costs caused by global inflation.
📅 Events
NULLCON GOA SEP 2022 - Training: 6-8 Sept | Conference: 9-10 Sept.
Idea Exchange Conference - September 6-9, 2022: For the first LYT Conference, they had 4,916 unique attendances. It was amazing energy.
Announcing Pwn2Own Toronto 2022 and Introducing the SOHO Smashup - December 6-8, 2022.
🎉 Celebrate
Clint's tl;dr sec has over 12k subscribers: Nice one!
Vegeta passed eCPPTv2: Well done!
Z-winK collabed with CharlieEriksen: Love to see it!
💰 Career Corner
Heather D. is looking for a new network engineering job: They were recently laid off. Hit them up!
Ping Identity is looking for a Product Security Engineer: At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise.
Certs vs. Experience and Training? How and where to get started.
⚡️ From the Community
zseano is now a stay at home dad: "[...] very grateful for the bug bounty industry because I get to spend all day with my son & never miss a moment and then hack/work in the evenings."
shubs's research topic idea: "I think someone should research whether or not it is possible to get command execution with an arbitrary file write in Windows C:/ - where no web accessible directory exists (so no easy shell upload). [..]"
Farah's challenging herself to learn code review: "Challenging myself to learn code reviews (with a focus on PHP web apps) in the next 21 days. [...]"
📰 Articles, Discussions & Threads
Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl: This is the “text notes” version of their DEF CON 30 Cloud Village Lightning Talk.
Discussion on full-time bug bounty vs security job via Z-winK.
Bypassing ModSecurity for RCEs: Firewalls stop attacks. They can recognize them with their database of various rules that describe what an attack looks like. These rules are created by hand or automated analysis of thousands of actual attacks.
So You Wanna Pwn The Kernel?: The aim for this post is to provide some insights into getting into Linux kernel vulnerability research and exploit development (VRED).
📚 Resources
A series of mini-projects used to learn C for beginners: This repo is a collection of assignments and mini-programs/projects for beginners trying to learn C.
Code understanding tools: While working on various tasks in osint (Open Source Intelligence), sometimes there is a need to quickly understand someone else's code.
Android Reports and Resources: A big list of Android Hackerone disclosed reports and other resources.
🎥 Videos
He tried to hack me...: using a copyright infringement warning?!
Three JavaScript Security Legends: In this video they talk about the first JavaScript vulnerabilities in 1997, and how the field was dominated by three "XSS" legends.
Smart Contract Series - Intro to Smart Contracts: Ever wanted to learn about smart contracts? Well you're in luck! NahamSec partnered with Halborn to learn the basics of smart contracts, how they work and what tools to use!
Enumerate Podcast ep. 1: A new podcast about cybersecurity news and popular culture.
🎵 Audio
The Privacy, Security, & OSINT Show #277 - Burner Backfires & VoIP Updates: This week they explain how a recent client became exposed via temporary "burner" numbers and email, revisit VoIP solutions with a fresh look, and more.
[Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner: In this episode of Security Nation, Jen and Tod chat with Gordon “Fyodor” Lyon, author of the widely used open-source Nmap Security Scanner.
Software Bill of Materials (SBOM) [ML B-side]: What are SBOMs and how useful are they in cybersecurity? Nate Nelson talks to two experts: Allan Friedman (CISA) and Chris Blask (Cybeats).
Smashing Security #287 - Lost in translation, spiders, and slapping tortillas – with Mikko Hyppönen.
Risky Business #676 - Okta, Authy users among Twilio hack targets.
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.