
🐝 Hive Five 136 - The Prompt Injection Primer for Engineers

Hi friends,

Greetings from the hive!

As a family, we spent a lot of time outside this week. Walking, hiking, playing, and being in nature. It was refreshing.

Yesterday, while unloading the car, a random person gave me a compliment on my fit. I was pleasantly surprised, and it made me feel good.

This got me thinking that we should compliment each other more often. It’s easy and can make someone’s day.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Bug bounty report writing is important. Therefore, Justin shares 4 tips on how to do it well. TWITTER

  2. d3mondev on why he is not using serverless and what he’s doing instead. Here are his building blocks: Work distribution, Microservices, Message broker, and Storage. TWITTER

  3. A Totally Tubular Lock Lesson, a DEF CON 31 presentation and workshop by Deviant Ollam. Learn about tubular locks, some fun history, and a couple of good stories. YOUTUBE

  4. Lissy93/wapalyzer is a community fork of the now removed wappalyzer project, initially developed by AliasIO. The original author maintains a hosted instance, available at wappalyzer[.]com. GITHUB

  5. Rez0 announces PIPE: The Prompt Injection Primer for Engineers. Everyone loves talking about prompt injection, but the real impact to an application is often hard to understand. REZ0 | GITHUB

Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. The latest version of Hackvector (burp plugin) allows you to change the font size. TWITTER

  2. Noir v0.5.2 is an attack surface detector from source code. GITHUB

  3. Unimap v0.6.0 scans only once by IP address and reduces scan times with Nmap for large amounts of data. GITHUB

  4. j3ssie/osmedeus v4.5.1 is a Workflow Engine for Offensive Security. GITHUB

📅 News

  1. DownUnderCTF, Australia’s largest CTF, is almost here: 1-3 September. TWITTER

  2. Jason announced new dates in November and December for his industry renowned course: The Bug Hunter’s Methodology Live. TWITTER

  3. Zomato is running a campaign for Access-Control vulnerabilities for all of their assets on HackerOne. TWITTER

  4. Rapid7 is trying to force infosec creators to remove educational content from YouTube. TWITTER

  5. The Critical Thinking - Bug Bounty Podcast launched their new website. CRITICALTHINKINGPODCAST

🎉 Celebrate

  1. Katie is one year wiser. Congrats! TWITTER

  2. hg_real gives a shout out to all bug bounty triagers. I concur. Thank you! TWITTER

  3. Gromak had an eventful summer diving into bug bounty on YesWeHack instead of vacationing, and they crushed it. Let’s go! TWITTER

  4. Nathaniel is about to finish up after nearly 3 years at Canva. Salute! TWITTER

  5. Todayisnew reached $4 million in bounty payouts. $1 million only feels like yesterday. Amazing! TWITTER

💰 Career

  1. IT career advice: learn what you already own and master it. The tools you already have do a lot more than your company uses them for. TWITTER

  2. d0nut on the importance of writing an agenda for meeting invites. It helps keep the meeting on track and to provide context. TWITTER

  3. From Dev to AppSec! In this video, join Louis as he explores how developers can transition into the exciting world of AppSec Engineering. YOUTUBE

  4. The creator of C++, Bjarne Stroustrup, shares some valuable life advice that, let’s face it, all developers, no matter their years of experience, could use. YOUTUBE

  5. If you knew you were gonna fail what would you do? In this clip, Seth Godin shares a great question we should be asking ourselves to get out of our own way. YOUTUBE

⚡️ Community

  1. What if bug bounty platforms also became OAuth Providers? Renniepak mentions hunters can then “prove” their stats across platforms and other websites/communities. TWITTER

  2. Alex shares the story of his daughter, who would have been 5 years old. TWITTER

  3. If you had the opportunity, is there an industry other than cybersecurity that you would prefer to work in? Pomme asking the real questions. TWITTER

  4. NahamSec’s DEFCON 31 VLOG covering his first ever Bug Bounty Meetup with STÖK, Jason Haddix, John Hammond, and more while covering some of his favorite villages like Red Team Village, Cloud Village, and Recon Village. YOUTUBE

📰 Read

  1. CVE-2020-19909 is everything that is wrong with CVEs. This is a story consisting of several little building blocks, and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE IDs and lots of power given to NVD is a completely broken system. HAXX

  2. PNG Steganography from First Principles. Steganography is experiencing a revival as a wrapper for delivering payloads. Like most things Red Teaming, what’s old is new again, and they’re closely following behind the trend of several threat actors out there using stego for payload hosting. XPNSEC

  3. Using LLMs to reverse JavaScript variable name minification. This blog introduces a novel way to reverse minified Javascript using large language models (LLMs) like ChatGPT and llama2 while keeping the code semantically intact. THEJUNKLAND | TOOL

  4. Exploiting HTTP Parsers Inconsistencies. Unveiling Vulnerabilities in HTTP Parsers: Exploiting Inconsistencies for Security Breaches. HASHNODE

  5. CVE-2023-36844 And Friends: RCE In Juniper Devices. This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE. WATCHTOWR

🙏 Support

Enjoy reading the Hive Five? You can treat me to a coffee!

💡 Tips

  1. Do you use gau? If so, Corben shares a fix in the config file. TWITTER

  2. According to Paul, ProjectDiscovery’s fuzzing templates are the most underrated and underdeveloped tool for web app fuzzing. TWITTER

  3. Are you an avid user of text-to-speech on iOS? Use ChatGPT instead; its Whisper model is way better according to rez0. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @JakeDohm | Jake Dohm | “i would unfollow myself if I could”.

  2. @init_string | initstring.

  3. @robd4k | Robert.

🚀 Productivity

  1. Do you write down everything that strikes you as interesting? Don’t. Try Sahil’s rule instead: You have to act on anything you write down within 24 hours. TWITTER

  2. Romeen on the benefits from being in the trenches. In work and in life, it’s key that you don’t just watch from the sidelines, but get in the game. TWITTER

  3. Beginner to Pro with ChatGPT in One Video. In this video Jeff shares the 3 levels of future-proofing yourself in a world of AI tools. YOUTUBE

  4. 5 Lessons from building a second brain in Obsidian. YOUTUBE

  5. Lesser known nvim plugins. PROSE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. Coca Cola apparently has a Chief Hype Officer. Pratik went from Metaverse Lead, to Head of NFT campaigns, to now Global Head of Generative AI. TWITTER

  2. The Sustain podcast brings together practitioners, sustainers, funders, researchers and maintainers of the open source ecosystem. SUSTAINOSS

  3. How Google helped destroy adoption of RSS feeds. OPENRSS

  4. Making large language models work for you. A practical take on LLMs: what they are, how they work, what you can do with them and what kind of things you can build with them that could not be built before. SIMONWILLISON

  5. Stop doing scrum. The result was always the same: It didn’t work. TWITTER

🧠 Wisdom

  1. Life hacks Ben knows at 30 that he wishes he knew at 20. TWITTER

  2. How to deal with regret. When one avoids, denies or minimizes negative emotional experiences, they tend to come back with a vengeance. PSYCHE

  3. Jason on scatter. Scatter is the silent killer at work. HEY

  4. Give less fucks. So that when you really want to give a fuck, it matters. INSTAGRAM

  5. “Give yourself a lot of shots to get lucky” is even better advice than it appears on the surface. TWITTER

💛 Cross-pollination

  1. Kevin shows off his magical two years of progress turning his normal suburban home into a productive homestead. TWITTER

  2. The story of how kepano, the CEO of Obsidian, designed the messenger bag for Dutch postal workers, which is still being used today. TWITTER

  3. Want to browse Reddit in peace at work? There are camouflaged versions out there, such as for Outlook and Excel. TWITTER | Outlook client | Excel client

  4. Live Wildcams to spot your favorite animal. In the digital age, wildlife enthusiasts and nature lovers can now embark on extraordinary adventures from the comfort of their own homes. Onlinesafari. ONLINESAFARI

🐝 Fact

Australia’s native bees.

Australia has more than 1,500 species of native stingless bees, of which many are solitary. Others are social bees of the genus Trigona, small and dark-colored, often measuring as little as ¼ in (4 mm) from the head to the base of the abdomen. These bees produce wax and a thin honey; the Aboriginal peoples call them sugar-bag bees, and collect their honey for bush food.

In most countries, only men harvest the wild honey but in Australia the women do this.

Because bush fires have destroyed many of the trees, native bee nests can be found in low bushes or even in disused termite nests.
