
🐝 Hive Five 128 - The Rise of the AI Engineer

Hi friends,

Greetings from the hive!

This weekend turned out to be a forced dopamine detox. First, due to Reddit’s new API policy, my Reddit app of choice is no longer.

Then, on Saturday, Twitter implemented some bizarre rate-limiting and broke all sorts of functionality, such as advanced search queries. RIP TweetDeck?!

This trend of a less open and user-friendly web is extremely disappointing.

We crave transparency, closeness, innovation, and collaboration.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Reversing Citrix Gateway for XSS. One of the targets Assetnote looked at late last year was Citrix Gateway. Citrix Gateway is another of these “all-in-one” network devices, combining a load balancer, firewall, VPN, etc. more | advisory

  2. Yassine talks about the road to Most Valuable Hacker and working while traveling the world. more

  3. How Graham got hired on Google’s red team. A summary of all the information he learned while looking for new jobs and how he ended up getting hired by Google. more

  4. The boom, the bust and the adjust. In this article, Maor covers the industry dynamic from different points of view and how each entity affected the other. more

  5. The Rise of the AI Engineer. We are observing a once in a generation “shift right” of applied AI, fueled by the emergent capabilities and open source/API availability of Foundation Models. more | AI Engineer Summit

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. Canada announced new immigration pathways that are tech friendly. more

  2. DOMPurify 3.0.4 is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. more

  3. Burp Suite Professional now has a powerful yet simple scripting language, BCheck, that allows you to quickly build on its world-class scanning engine. more

📅 Events

  1. Security’s Got Talent! Share your story in this short video contest! How has your password manager changed your life? more

🎉 Celebrate

  1. Youssef won first place in the Meta Bug Bounty Researcher Conference. Amazing! more

  2. Phillip is going all in on his new show, the Phillip Wylie Show. Let’s go! more

  3. Matti brought home 4 trophies and a 40k bonus in Intigriti’s latest LHE. Congrats! more

  4. TheOubliette made some awesome metal tags for Defcon. Wow! more

  5. Tuan is taking part in a Las Vegas LHE for the first time. I’m rooting for you! more

💰 Career

  1. Mandiant is hiring a Senior Technical Researcher for the Advanced Research and Collection team. more

  2. Bugcrowd is hiring a Junior Security Engineer. A purple team job on a great team. more

  3. Learn how to become the go-to AI person on your team by creating the internal prompt library. more

  4. How to make $200K+ as a dev. Moving up the career ladder and into higher salary bands as an engineer requires growth. But it’s less about code than you might think. more

  5. The Advantage Of Being A Little Underemployed. To realize how outdated the five-day, 40-hour workweek is, you have to know where it came from. more

“The secret to doing good research is always to be a little underemployed. You waste years by not being able to waste hours.”

⚡️ Community

  1. Follow along with Monke’s 30 days of bug bounty challenge — I would link to a search query but Elon has broken that as well. more

  2. Masonhck357 is aiming for a top 100 spot in Bugcrowd. You got this! more

  3. STÖK is enjoying the silence before the Las Vegas storm. more

  4. Nathaniel shares his experience with ADHD, medication, and exercise. more

  5. Osirys made a slick custom (private) tool to find valid addresses, mobile numbers, and various IDs for other countries for login/signup forms. more

📰 Read

  1. Hacking Auto-GPT and escaping its docker container. They showcase an attack which leverages indirect prompt injection to trick Auto-GPT into executing arbitrary code. more

  2. Jonathan Bouman takes a closer look at an app that allows one to report improper behavior at work. more

  3. The massive bug at the heart of the npm ecosystem. Bad actors can hide malware & scripts in direct or transitive dependencies that go undetected. more

  4. nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover. more

  5. Stored XSS to Account Takeover (ATO) via GraphQL API. Late last year, during a HackerOne LHE, Peter found an extremely challenging vulnerability on a major brand’s web site involving several layers of exploitation. more

📚 Resources

  1. All ProjectDiscovery Tools in 30 minutes. more

  2. HTTPLeaks aims to enumerate all possible ways a website can leak HTTP requests, in one single HTML file. more

  3. alephsecurity/research contains research material, tools and Proof-of-Concepts for Aleph research findings. more

  4. 25 book recommendations by Katie. They range across genres but roughly overlap with her audience’s interests: technology, information security or hacking, and work or productivity. more

  5. A Practical Guide to GNU find With Examples. more

🎥 Watch

  1. Learn how to intercept Android App Traffic with BurpSuite. more

  2. Ippsec walks through HackTheBox - Pollution. more

  3. Securing Open Source Dependencies talk by Rana Khalil at NahamCon 2023. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. more

  4. Finding Your First API Bug, a NahamCon 2023 talk by InsiderPhD. more

  5. How to scale your cloud infrastructure (hosting CTFs) with the CTF wizard himself, John Hammond. more

🎵 Listen

  1. Lex Fridman Podcast #387 - George Hotz: Tiny Corp, Twitter, AI Safety, Self-Driving, GPT, AGI & God. George Hotz is a programmer, hacker, and the founder of comma.ai and tiny corp. more

  2. Malicious Life - Sony BMG’s Rootkit Fiasco. An arrogant and ill-advised decision to include a rootkit in its music CDs cost Sony BMG a lot of money - and painted it as a self-centered, self-serving company that cares more about its bottom line than its customers. more

  3. Smashing Security 328: UPS smishing, ChatGPT 101, and storing secret files. UPS delivers some smishing advice (but have they kept something under wraps?), they ask ChatGPT to take a long hard look at itself, and they debate what the penalty should be for taking national secrets home with you. more

  4. Critical Thinking - Bug Bounty Podcast Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181. In this episode they talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! They chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. more

  5. The Privacy, Security, & OSINT Show 302 - Self-Hosted 4: The Next Level. This week they continue the self-hosted series with a discussion about password managers, 2FA, Docs, Photos, Backups, Comms, and Media. more

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
