🐝 Hive Five 85 – Three JavaScript Security Legends & Full-time bug bounty vs Salaried position

Hi friends,

Greetings from the hive!

I hope you’re doing well. This weekend I went through the most challenging physical test of my life. It’s surprising how much one can take on by putting their mind to it.

Although I’m hurting right now, I enjoyed it. Challenging yourself is something everyone should do.

Even if you think you can’t do something, the outcome might surprise you. You got this!

Let's take this week by swarm!

🐝 The Bee's Knees

1. Returning to Defcon Post FBI Arrest: Marcus Hutchins travels over to Vegas for the first time since his legal case ended.

2. Peter Eckersley, one of the original founders of Let's Encrypt, passes away at 43.

3. NCC Con Europe 2022 – Pwn2Own Austin Presentations: Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group’s annual private internal conference for employees.

4. Tetsuji - Remote Code Execution on a GameBoy Colour 22 Years Later: It’s that time of year again - the Binary Golf Grand Prix is back for a third year running. The theme this year was to produce a binary that crashes a given program.

5. hakluke's hakscale: It allows you to scale out shell commands over multiple systems with multiple threads on each system. The key concept is that a master server will push commands to the queue, then multiple worker servers pop commands from the queue and execute them.

🙏 Support the Hive

Enjoy reading the Hive Five? Consider sponsoring the next edition.

You can also follow me on Twitter.

🔥 Buzzworthy

✅ Changelog

1. tlsx v0.0.7: Fast and configurable TLS grabber focused on TLS based data collection.

2. curl 7.85.0.

3. Burp Suite price increases: They are increasing prices for Burp Suite Professional and Burp Suite Enterprise Edition, due to a significant increase in costs caused by global inflation.

📅 Events

1. NULLCON GOA SEP 2022 - Training: 6-8 Sept | Conference: 9-10 Sept.

2. BSides Melbourne - 9-11 Sept.

3. Offensive Lateral Movement Workshop - Sept (TBD).

4. Idea Exchange Conference - September 6-9, 2022: For the first LYT Conference, they had 4,916 unique attendances. It was amazing energy.

5. Announcing Pwn2Own Toronto 2022 and Introducing the SOHO Smashup - December 6-8, 2022.

🎉 Celebrate

1. Clint's tl;dr sec has over 12k subscribers: Nice one!

2. Ben and smiegles bug bounty forum is 6 years old: Congrats!

3. Vegeta passed eCPPTv2: Well done!

4. Z-winK collabed with CharlieEriksen: Love to see it!

5. Paul Seekamp's book is used in onboarding: Awesome!

💰 Career Corner

1. Heather D. is looking for a new network engineering job: They were recently laid off. Hit them up!

2. Ping Identity is looking for Product Security Engineer.: At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise.

3. Hiring Twitter thread via shenetworks.

4. Certs vs. Experience and Training? How and where to get started.

5. LinkedIn hack for job search:

⚡️ From the Community

1. dawgyg on HackerOne LHE invitations.

2. zseano is now a stay at home dad: "[...] very grateful for the bug bounty industry because I get to spend all day with my son & never miss a moment and then hack/work in the evenings."

3. shubs's research topic idea: "I think someone should research whether or not it is possible to get command execution with an arbitrary file write in Windows C:/ - where no web accessible directory exists (so no easy shell upload). [..]"

4. Farah's challenging herself to learn code review: "Challenging myself to learn code reviews (with a focus on PHP web apps) in the next 21 days. [...]"

📰 Articles, Discussions & Threads

1. Jack Clark spicy take about AI policy.

2. Exploiting Improper Validation of Amazon Simple Notification Service SigningCertUrl: This is the “text notes” version of their DEF CON 30 Cloud Village Lightning Talk.

3. Discussion on full-time bug bounty vs security job via Z-winK.

4. Bypassing ModSecurity for RCEs: Firewalls stop attacks. They can recognize them with their database of various rules that describe what an attack looks like. These rules are created by hand or automated analysis of thousands of actual attacks.

5. So You Wanna Pwn The Kernel?: The aim for this post is to provide some insights into getting into Linux kernel vulnerability research and exploit development (VRED).

📚 Resources

1. Current links from the OSINT Inception start-me project.

2. Awesome Shodan Search Queries.

3. A series of mini-projects used to learn C for beginners: This repo is a collection of assignments and mini-programs/projects for beginners trying to learn C.

4. Code understanding tools: While working on various tasks in osint (Open Source Intelligence), sometimes there is a need to quickly understand someone else's code.

5. Android Reports and Resources: A big list of Android Hackerone disclosed reports and other resources.

🎥 Videos

1. He tried to hack me...: using a copyright infringement warning?!

2. Three JavaScript Security Legends: In this video they talk about the first JavaScript vulnerabilities in 1997, and how the field was dominated by three "XSS" legends.

3. Smart Contract Series - Intro to Smart Contracts: Ever wanted to learn about smart contracts? Well you're in luck! NahamSec partnered with Halborn to learn the basics of smart contracts, how they work and what tools to use!

4. Ippsec walks through HackTheBox - Noter.

5. Enumerate Podcast ep. 1: A new podcast about cybersecurity news and popular culture.

🎵 Audio

1. The Privacy, Security, & OSINT Show #277 - Burner Backfires & VoIP Updates: This week they explain how a recent client became exposed via temporary "burner" numbers and email, revisit VoIP solutions with a fresh look, and more.

2. [Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner: In this episode of Security Nation, Jen and Tod chat with Gordon “Fyodor” Lyon, author of the widely used open-source Nmap Security Scanner.

3. Software Bill of Materials (SBOM) [ML B-side]: What are SBOMs and how useful are they in cybersecurity? Nate Nelson talks to two experts: Allan Friedman (CISA) and Chris Blask (Cybeats).

4. Smashing Security #287 - Lost in translation, spiders, and slapping tortillas – with Mikko Hyppönen.

5. Risky Business #676 - Okta, Authy users among Twilio hack targets.

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.