🐝 Hive Five 140 - A new recon source: DuckDuckGo Tracker Radar

Hi friends,

Greetings from the hive!

I couldn’t wait for the new iPhone to drop, so I could replace my current phone which has battery issues.

Why wait, you ask? Well, typically there are deals; however, this is also a common pitfall, as they are often not worth it, which turned out to be the case.

Something else I didn’t think of is that the first batches of new products often have faults. In this case, pun intended, the latest iPhone appears to be extremely fragile.

So, I take this as a reminder to reflect on consumerism and step out of the rat race.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. A writeup for a challenge to demonstrate how the content-type header can be used to fool the browser into treating the HTTP response body in unexpected ways. GITHUB

  2. A new recon source: DuckDuckGo Tracker Radar. This is not a block list, but a data set of the most common third party domains on the web with information about their behavior, classification and ownership. GITHUB

  3. OFFZONE Moscow talk: HTTP Request Splitting vulnerabilities exploitation by Sergey Bobrov. YOUTUBE | SLIDES

  4. Hacker Tweets Explained. LiveOverflow explains what you can learn from a Rhynorater tweet on exploiting tricky XSS. YOUTUBE

  5. Testing the Limits of Prompt Injection Defence. Uncovering the unique complexities of securing LLMs from prompt injection attacks. MEDIUM

Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. mzap v1.3.1 introduces multiple target ZAP scanning. GITHUB

  2. Noir v0.7.3 is an attack surface detector from source code. GITHUB

  3. Mullvad successfully completed their migration to RAM-only VPN infrastructure. - Today we announce that we have completely removed all traces of disks being used by our VPN infrastructure! In early 2022 we announced the beginning of our migration to using diskless infrastructure with our bootloader known as “stboot”. MULLVAD

  4. OpenAI’s cookbook now has a new home as a subdomain. TWITTER

📰 News

  1. Wiz Research discovers a massive 38TB data leak by Microsoft AI researchers, including 30,000+ internal Teams messages. TWITTER

  2. hextree[.]io shipped and sent out their first few updates. LiveOverflow and ghidraninja will help you grow your cybersecurity skills with concise and well-edited video courses. TWITTER

  3. Corben launched certs io and wants to know who wants to try it. TWITTER

  4. 38TB of data accidentally exposed by Microsoft AI researchers. WIZ

  5. Malcore is doing a huge giveaway. Comment on the Tweet in order to win. TWITTER

🎉 Celebrate

  1. NahamSec made 50G’s in just BXSS. Congrats! TWITTER

  2. Codingo has been promoted to VP of Security Operations and Hacker Success. Well deserved! TWITTER

  3. Tib3rius is joining TCM Security in a hybrid role as a pentester and content creator. Hooray! TWITTER

💰 Career

  1. In a job interview, ensure you measure your own experience in qualitative terms. Not number of years. TWITTER

  2. Meta is hiring a Product Security Engineer (web). TWITTER

  3. The biggest mistake found on resumes is not including quantifiable metrics in your bullet points. Here’s how to address it using AI. YOUTUBE

  4. Looking to earn while blogging? HackerContent will contact you if they like your stuff! TWITTER

  5. GitLab is looking for a Senior Security Engineer, Vulnerability Management. GREENHOUSE

⚡️ Community

  1. Jason is having a rough time with the stomach flu. Feel better soon! TWITTER

  2. The kaeferjaegers landed in Germany to hack on some cool targets. TWITTER

📰 Read

  1. AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp. HACKERONE

  2. Account hijack for anyone using Google sign-in with , due to response-type switch + leaking href to XSS on login[.]redacted[.]co. GITHUB

  3. Post Account Takeover? Account Takeover of Internal Tesla Accounts. GITHUB

  4. Converting Tokens to Session Cookies for Outlook Web Application. As the adoption of Multi-Factor Authentication increases throughout organizations, so does the desire to bypass these protections. LARES

  5. Can’t Be Contained: Finding a Command Injection Vulnerability in Kubernetes. Akamai security researcher Tomer Peled recently discovered a high-severity vulnerability in Kubernetes that was assigned CVE-2023-3676 with a CVSS score of 8.8. AKAMAI

💡 Tips

  1. Renniepak encountered a challenging stored XSS case recently. Here is what he and 0xH4rmony came up with. TWITTER

  2. Google updated the list of indexable file types to include CSV. TWITTER

  3. Fisher reminds us that if you have a Burp Suite custom live audit task configuration, you can fine-tune which types of checks will be run from your loaded extensions. TWITTER

  4. How to Look For Virtual Hosts with NahamSec. YOUTUBE

  5. You are probably overthinking API hacking. “It’s basically web hacking but with JSON” says InsiderPhD. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @engi_arp | Ashish Padelkar | Goa, India.

  2. @piccalilli_ | Andy Bell.

  3. @binitamshah | Binni Shah | Linux Evangelist, Malwares, Security Enthusiast, Philanthropist, Meditation.

  4. @shailesh4594 | Shailesh Suthar | An independent security researcher.

  5. @shanselman | Scott Hanselman | Code, OSS, STEM, Beyoncé, @Hanselminutes inclusive tech podcast! MSFT Developer Division Community.

🚀 Productivity

  1. How to make a Map of Content (MOC) to get more out of your notes & ideas. YOUTUBE

  2. vim + llm = 🔥 - If you don’t use vi/vim, you’re missing out! REZ0

  3. Start atomic habit building with this ChatGPT prompt. CRITTER

  4. Types of Notes in a PKM explained with a Gardening Analogy (Part I). NICKANG

  5. Kagi now offers unlimited Kagi searches for $10 per month — I tried out Kagi a while ago and it was awesome, but stopped when they changed their pricing plan. This latest change sounds appealing! KAGI

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. A Hackers’ Guide to Language Models. In this deeply informative video, Jeremy Howard, co-founder of fast.ai and creator of the ULMFiT approach on which all modern language models (LMs) are based, takes you on a comprehensive journey through the fascinating landscape of LMs. YOUTUBE

  2. Squish Meets Structure — Designing With Shoggoth with Maggie Appleton is a brilliant talk about designing products with language models. VIMEO

  3. Sending large texts to ChatGPT? Text preprocessing can help reduce a text of up to 5,712 tokens down to one message with just a couple simple functions. Here’s how. VICTORIA

  4. Tomas shares what his backup process looks like. VIKTOMAS

🧠 Wisdom

  1. Kyle hit us with a truth bomb: “Reorganize society so we don’t use work as a proxy for community & friendship.” TWITTER

  2. Aprilynne on self-belief and grit. After rejection, she set out to accomplish her goals herself. 74 days into her 3-month challenge she became an official YouTube Partner with a monetized YouTube channel. TWITTER

  3. Adam on perseverance: “Bug bounty is not about how hard you hit. It’s about how hard you can get hit and keep moving forward.” TWITTER

  4. Mason on trailblazing your own path. TWITTER

  5. Rosie on why you should stop seeking permission and feedback. When you experiment and try doing actual things, you get real data. That is the most powerful feedback. TWITTER

💛 Cross-pollination

  1. Find out which 15 types of conventionally grown produce have the least pesticides. EWG

  2. Rameerez unexpectedly won a green card and explores if the American dream still makes sense. RAMEEREZ

  3. The Five Senses Quiz: Find out what your most neglected sense is. GRETCHENRUBIN

  4. What Do You Want? Calvin offers advice and helps you avoid common traps, one of which is “Safety is an Illusion”. CALVINROSSER

🐝 Fact

Bees are also opportunists and try to steal honey from other colonies, particularly weak ones. Avoid leaving combs, brace comb, and sticky equipment around in the open. Make sure that there is only one way into a colony, the entrance, which can be effectively guarded by the resident colony. If you want to save a weak colony that is being robbed, move it to another location where there are no other bees.

If you open up a colony and bees from other colonies become interested, close up the colony immediately and abandon your inspection. Inspecting a colony as late as possible in the day, when there are fewer robber bees flying around, cuts down the opportunities for robbing.
