- Hive Five
- Posts
- π Hive Five 94 β XSS Hunter is being deprecated, what sucks about recon, and DevOps is bullshit
π Hive Five 94 β XSS Hunter is being deprecated, what sucks about recon, and DevOps is bullshit
Hi friends,
Greetings from the hive!
I hope you and yours are in good health! Our family has been sick for a couple of weeks now, which makes one appreciate the healthier times.
This and some additional circumstances caused the later arrival of the newsletter.
Let's take this week by swarm!
π The Bee's Knees
Exploiting Static Site Generators - When Static Is Not Actually Static: Over the last ten years, we have seen the industrialization of the content management space. A decade ago, it felt like every individual and business had a dynamic WordPress blog, loaded up with a hundred plugins to do everything from add widgets to improve performance.
XSS Hunter is being deprecated on February 1st, 2023: To continue to utilize their subdomains post-deprecation, all users will have to take some action. For more information on next steps, please read the FAQ.
HTTP/3 Connection Contamination Made Simple - James Kettle (albinowax): For the full technical details, check out the writeup.
phillipwylie Talks About His Favorite Tools, Switching Careers, And Pentesting.
The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation: On November 1, 2022, the OpenSSL Project released a security advisory detailing a high-severity vulnerability in the OpenSSL library. Deployments of OpenSSL from 3.0.0 to 3.0.6 (included) are vulnerable and are fixed in version 3.0.7. The vulnerability is tracked as CVE-2022-3602.
π₯ Buzzworthy
β Changelog
Pentester Land blog update: You can now easily navigate between blog categories using a "Filter by category" button.
ShadowClone update: ShadowClone allows you to distribute your long running tasks dynamically across thousands of serverless functions and gives you the results within seconds where it would have taken hours to complete.
Mara on Rustlang v1.65.0: As is tradition, a thread with some of the highlights.
π Celebrate
π° Career
Ivy Fae is looking for work: a Sr. Software Engineer with 12 years experience (mainly microsoft stack/azure). Has a lot of security interest and is also very interested in pentesting.
IBM is sponsoring 4 FREE programs for anyone looking to get into Cybersecurity with NO experience.
Sudden traumatic job loss is awful: here are some resources Runa used.
β‘οΈ Community
Runa Sandvik on the passing of Vitali Kremez: "Security researcher @VK_Intel went missing after scuba diving in Florida on Sunday morning. The Coast Guard recovered his body today. Over the years, I'd talked to him about everything from malware analysis to diving with sharks. You'll be missed, Vitali."
zonduu on adding researchers to duplicated reports: "I strongly believe researchers should be added to the original report when we submit a duplicate report @Hacker0x01 [...]"
Tinker on Twitter & Mastodon DMs: "In Mastodon the admin(s) of each server can read your DMs. In Twitter, the IT admins and privileged users can also read your DMs. They're Direct messages (DMs) They're not Private messages (PMs)."
Hacker AFK - the_arch_angel: Hackers live varied lives, each as unique as the last. Check out who they are away from keyboard, what you find will surprise you.
Masonhck357 is back home: After 4 months of traveling, he's back home in San Diego.
π° Read
What Twitter Got Wrong and How To Fix it: Elon Musk just announced the plan for Twitter Blue, which will cost $8/month.
Ben on blue teaming: "The problem with blue teaming even at the furthest end of the scale, youβre totally vulnerable to survivorship bias. [...]"
DevOps is Bullshit: DevOps started as a well-intentioned set of practices and culture. Over the years, it has devolved into an unholy beast of division and tunnel vision.
π Resources
π₯ Watch
Kernel Exploitation on HEVD #4: Uninitialized Stack Variable.
How g0lden Automates His Subdomain Recon! (Automation Series).
DAY[0] 163 - A Galaxy Store Bug, Facebook CSRF, and Google IDOR [Bug Bounty Podcast]: Several simple bugs with significant impacts, XSS to being able to install apps, CSRFing via a Captcha, and a Google IDOR.
U-M SUMIT 2022 - Adventures in Securing At-Risk People with Runa Sandvik and Elodie Vialle: Watch a recording of the Security at University of Michigan IT (SUMIT) symposium keynote event, Adventures in Securing At-Risk People.
π΅ Listen
Smashing Security #296 - Twitter turmoil, AI animal chatters, and metaverse at work: Twitter has a new chief twit in the form of Elon Musk and heβs causing problems, scientists say artificial intelligence may help us communicate with animals, and is the office of the future set in the metaverse?
Risky Business #683 - OpenSSL bug is a fizzer, ASD responds to Medibank hack.
The Privacy, Security, & OSINT Show #283 - Announcements, Updates, & News.
Darknet Diaries EP 127 - Maddie: Maddie Stone is a security researcher for Googleβs Project Zero. In this episode we hear what itβs like battling zero day vulnerabilities.
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have **every cloud resource you need** at an affordable price.
Subscribe to Premium to read the rest.
Become a paying subscriber of Premium to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In.
A subscription gets you:
- β’ Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
- β’ Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
- β’ EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
- β’ MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
- β’ Deep DISCOUNTS on paid content.
- β’ Experience continuously added NEW BENEFITS.