🐝 Hive Five 140 - A new recon source: DuckDuckGo Tracker Radar
Hi friends,
Greetings from the hive!
I couldn’t wait for the new iPhone to drop, so I could replace my current phone which has battery issues.
Why wait, you ask? Well, typically there are deals, however, this is also a common pitfall as they are often not worth it, which turned out to be the case.
Something else I didn’t think of is that the first batches of new products often have faults. In this case, pun intended, the latest iPhone appears to be extremely fragile.
So, I take this as a reminder to reflect on consumerism and step out of the rat race.
Let’s take this week by swarm!
🐝 The Bee’s Knees
A writeup for a challenge to demonstrate how the content-type header can be used to fool the browser into treating the HTTP response body in unexpected ways. GITHUB
A new recon source: DuckDuckGo Tracker Radar. This is not a block list, but a data set of the most common third party domains on the web with information about their behavior, classification and ownership. GITHUB
OFFZONE Moscow talk: HTTP Request Splitting vulnerabilities exploitation by Sergey Bobrov. YOUTUBE | SLIDES
Hacker Tweets Explained. LiveOverflow explains what you can learn from a Rhynorater tweet on exploiting tricky XSS. YOUTUBE
Testing the Limits of Prompt Injection Defence. Uncovering the unique complexities of securing LLMs from prompt injection attacks. MEDIUM
Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
mzap v1.3.1 introduces multiple target ZAP scanning. GITHUB
Noir v0.7.3 is an attack surface detector from source code. GITHUB
Mullvad successfully completed their migration to RAM-only VPN infrastructure. - Today we announce that we have completely removed all traces of disks being used by our VPN infrastructure! In early 2022 we announced the beginning of our migration to using diskless infrastructure with our bootloader known as “stboot”. MULLVAD
OpenAI’s cookbook now has a new home as a subdomain. TWITTER
📰 News
Wiz Research discovers a massive 38TB data leak by Microsoft AI researchers, including 30,000+ internal Teams messages. TWITTER
hextree[.]io shipped and sent out their first few updates. LiveOverflow and ghidraninja will help you grow your cybersecurity skills with concise and well-edited video courses. TWITTER
Corben launched certs io and wants to know who wants to try it. TWITTER
38TB of data accidentally exposed by Microsoft AI researchers. WIZ
Malcore is doing a huge giveaway. Comment on the Tweet in order to win. TWITTER
🎉 Celebrate
💰 Career
In a job interview, ensure you measure your own experience in qualitative terms. Not number of years. TWITTER
Meta is hiring a Product Security Engineer (web). TWITTER
The biggest mistake found on resumes is not including quantifiable metrics in your bullet points. Here’s how to address it using AI. YOUTUBE
Looking to earn while blogging? HackerContent will contact you if they like your stuff! TWITTER
GitLab is looking for a Senior Security Engineer, Vulnerability Management. GREENHOUSE
⚡️ Community
📰 Read
AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp. HACKERONE
Account hijack for anyone using Google sign-in with , due to response-type switch + leaking href to XSS on login[.]redacted[.]co. GITHUB
Post Account Takeover? Account Takeover of Internal Tesla Accounts. GITHUB
Converting Tokens to Session Cookies for Outlook Web Application. As the adoption of Multi-Factor Authentication increases throughout organizations, so does the desire to bypass these protections. LARES
Can’t Be Contained: Finding a Command Injection Vulnerability in Kubernetes. Akamai security researcher Tomer Peled recently discovered a high-severity vulnerability in Kubernetes that was assigned CVE-2023-3676 with a CVSS score of 8.8. AKAMAI
💡 Tips
Renniepak encountered a challenging stored XSS case recently. Here is what he and 0xH4rmony came up with. TWITTER
Google updated the list of indexable file types to include CSV. TWITTER
Fisher reminds us that if you have a Burp Suite custom live audit task configuration, you can fine tune which type of checks will be run from your loaded extensions. TWITTER
How to Look For Virtual Hosts with NahamSec. YOUTUBE
You are probably overthinking API hacking. “It’s basically web hacking but with JSON” says InsiderPhD. TWITTER
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@engi_arp | Ashish Padelkar | Goa, India.
@piccalilli_ | Andy Bell.
@binitamshah | Binni Shah | Linux Evangelist, Malwares , Security Enthusiast , Philanthropist , Meditation.
@shailesh4594 | Shailesh Suthar | An independent security researcher.
@shanselman | Scott Hanselman | Code, OSS, STEM, Beyoncé, @Hanselminutes inclusive tech podcast! MSFT Developer Division Community.
🚀 Productivity
How to make a Map of Content (MOC) to get more out of your notes & ideas. YOUTUBE
vim + llm = 🔥 - If you don’t use vi/vim, you’re missing out! REZ0
Start atomic habit building with this ChatGPT prompt. CRITTER
Types of Notes in a PKM explained with a Gardening Analogy (Part I). NICKANG
Kagi now offers unlimited Kagi searches for $10 per month — I tried out Kagi a while ago and it was awesome, but stopped when they changed their pricing plan. This latest change sounds appealing! KAGI
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
A Hackers’ Guide to Language Models. In this deeply informative video, Jeremy Howard, co-founder of fast.ai and creator of the ULMFiT approach on which all modern language models (LMs) are based, takes you on a comprehensive journey through the fascinating landscape of LMs. YOUTUBE
Squish Meets Structure — Designing With Shoggoth with Maggie Appleton is a brilliant talk about designing products with language models. VIMEO
Sending large texts to ChatGPT? Text preprocessing can reduce a text of up to 5,712 tokens down to one message with just a couple of simple functions. Here’s how. VICTORIA
Tomas shares what his backup process looks like. VIKTOMAS
🧠 Wisdom
Kyle hit us with a truth bomb: “Reorganize society so we don’t use work as a proxy for community & friendship.” TWITTER
Aprilynne on self-belief and grit. After rejection, she set out to accomplish her goals herself. 74 days into her 3-month challenge she became an official YouTube Partner with a monetized YouTube channel. TWITTER
Adam on perseverance: “Bug bounty is not about how hard you hit. It’s about how hard you can get hit and keep moving forward.” TWITTER
Mason on trailblazing your own path. TWITTER
Rosie on why you should stop seeking permission and feedback. When you experiment and try doing actual things, you get real data. That is the most powerful feedback. TWITTER
💛 Cross-pollination
Find out which 15 conventional produce have the least pesticides. EWG
Rameerez unexpectedly won a green card and explores if the American dream still makes sense. RAMEEREZ
The Five Senses Quiz: Find out what your most neglected sense is. GRETCHENRUBIN
What Do You Want? Calvin offers advice and helps you avoid common traps, one of which is “Safety is an Illusion”. CALVINROSSER
🐝 Fact
Bees are also opportunists and try to steal honey from other colonies, particularly weak ones. Avoid leaving combs, brace comb, and sticky equipment around in the open. Make sure that there is only one way into a colony, the entrance, which can be effectively guarded by the resident colony. If you want to save a weak colony that is being robbed, move it to another location where there are no other bees.
If you open up a colony and bees from other colonies become interested, close up the colony immediately and abandon your inspection. Inspecting a colony as late as possible in the day, when there are fewer robber bees flying around, cuts down the opportunities for robbing.
This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.