Hi friends,
Greetings from the hive!
Happy belated 4th of July. This new internet got me in my feelings.
This time, TweetDeck has been “improved” and will move behind a paywall. This also means that one of my favorite Chrome extensions, BetterTweetDeck, is no more.
Let’s take this week by swarm!

Shot by TESS
🐝 The Bee’s Knees
Live web app hacking using Caido with its co-founder sytten. Caido is a lightweight web security auditing toolkit. more
A hacker interview with Ryan Montgomery aka 0day. more
Full Disclosure - DOM-based XSS And Failures In Bug Bounty Hunting. Kuldeep shares a bug bounty failure and 3 actionable takeaways. more
Hunting for Nginx Alias Traversals in the wild. This article delves into the intricacies of Nginx, focusing on the location and alias directives that are central to how Nginx handles specific URLs. more
Patch Diffing CVE-2023-28121 to Compromise a WooCommerce. Back in March 2023, Julien noticed an interesting security advisory that was published by Wordfence about a critical “Authentication Bypass and Privilege Escalation” (aka CVE-2023-28121) affecting the “WooCommerce Payments” plugin which has more than 600. more
💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
TweetDeck has been “improved” and will be a paid feature. more
j3ssie/osmedeus v4.5.0 is a workflow engine for offensive security. more
j3ssie/metabigor v1.2.5 is an OSINT tool and more, but without API keys. more
For Kali Linux, pip install is on the way out. Installing Python packages must be done via APT, i.e. Kali Linux’s package manager. Python packages coming from other sources should be installed in virtual environments. more
📅 Events
NahamSec is thinking about hosting a bug bounty meet up at Defcon with Jason and STÖK. more
STÖK, Dylan, and Jesper broke stuff for science using…Uranium?! I look forward to seeing the full story. more
Paul started his own company, Coastline Cyber. A boutique cyber security consulting firm. more
People loved Jason’s first live course. The next Bug Hunter’s Methodology takes place this weekend. more

🎉 Celebrate
Kuldeep was recognized as an SRT Hero and member of the Circle of Trust. Let’s go! more
ninetynine was invited to their first Live Hacking Event in Las Vegas no less. Good luck! more
Jane joined Meta to work on Threads. I can’t wait to see your influence! more
Ian left his job at Robinhood to work on Seats Aero full-time. Awesome! more
💰 Career
TIL there are severance package hunters. more
Corgi shared her fast food history with a surprising twist: Operation Big Mis-Steak. more
Renniepak shares his struggles with taking time off while being self-employed. more
Fletcher, the CIO of Cisco, shares his journey in the tech industry, emphasizing the importance of passion and attitude in succeeding in the constantly changing field. more
Starting a new job? Here are four actionable tips for new hires which you can implement in your first 90 days. more
⚡️ Community
If Twitter falls, the OSINT community needs a new home, says fs0c131y — I’m also concerned with fragmentation and losing the overview. more
A discussion around maximizing bounty payouts vs. proving that actual security vulnerabilities are worth paying for. more
A collection of InfoSec handles on Meta’s Twitter clone, Threads. more
It became public that a hacker accessed HackerOne email addresses in a recently disclosed report. more | discussion
📰 Read
A Journey Into Hacking Google Search Appliance. more
CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection. The focus at ProjectDiscovery is on enhancing their open-source solution, Nuclei, by incorporating templates for trending CVEs. more
Exploiting XXE with local DTD files. This little technique can force your blind XXE to output anything you want. more
Why ORMs and Prepared Statements Can’t (Always) Win. The Sonar Research team discovered several SQL injection vulnerabilities in Soko, a software deployed on the Gentoo Linux infrastructure. These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements. more

🙏 Support
Enjoy reading the Hive Five? You can treat me to a coffee!
You can also share the newsletter with your friends.
📚 Resources
A collection of public security research. more
A discussion around disclosing bug bounty reports and sharing methodologies. more
Whitecyberduck’s useful Cybersecurity Websites. more
Books that have significantly impacted how people do business. more
Sleuthcon 2023 videos have been posted. This conference is designed to highlight the work done by people and organizations to identify and explore cybercrime and financially-motivated cyber threats. more
🎥 Watch
JWT Authentication Bypass via jwk Header Injection. Learn about JSON Web Token (JWT) vulnerabilities. more
Top 3 bug bounty tips by NahamSec, who made $100K in 2 months. more
Generic HTML Sanitizer Bypass Investigation. LiveOverflow stumbled upon a weird HTML behavior on Twitter and started to investigate it. more
Ippsec takes on another HackTheBox box, Inject. more
Rana is back with Web Security Academy. This time she covers Authentication Vulnerabilities - Lab #1: Username enumeration via different responses. more
🎵 Listen
We Hack Purple Podcast 79 with Isabelle Mauny, where they discuss several of the challenges when creating secure APIs. more
Archwisp shared offline copies of all of the Defcon parties mixes and videos. more
Smashing Security 329: Pornhub, Barbie dolls, and can you trust a free TV? more
Critical Thinking - Bug Bounty Podcast Episode 26: Client-side Quirks & Browser Hacks. more
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.