🐝 Hive Five 143 - The hacker’s guide to securing your organization
Hi friends,
Greetings from the hive!
28 years ago, on Oct 14th 1995, hackers of the world united to overload the Gibson, and prevent the Da Vinci virus from capsizing an oil fleet, designed to distract from “The Plague’s” worm stealing $25m.
Let’s take this week by swarm!
🐝 The Bee’s Knees
Data Exposure and ServiceNow: The Elephant in the ITSM Room. The purpose of this tutorial is to share their knowledge of how a built-in capability within ServiceNow could potentially be leveraged to extract data from records as an unauthenticated user. ENUMERATED
CVE-2022-4908: SOP bypass in Chrome using Navigation API. Last year, Johan discovered a Same-Origin Policy (SOP) bypass in Chrome that allowed an attacker to leak the full URLs of another window’s navigation history. JOAXCAR
Rails World 2023 Opening Keynote by David Heinemeier Hansson. Ruby on Rails creator and 37signals CTO David Heinemeier Hansson covered a lot of ground, including introducing 7 major tools: Propshaft, Turbo 8, Strada, Solid Cache, Solid Queue, Mission Control, and Kamal. YOUTUBE | HEY
Attacking Secondary Contexts in Web Applications by Sam Curry. This talk from 2020 explores attacking various ‘secondary contexts’ in web applications where data is being passed to an underlying internal HTTP server. YOUTUBE
RCE of Burp Scanner / Crawler via Clickjacking. Burp Suite utilizes an embedded Chrome browser for crawling and scanning web applications. The Chrome instance is launched in headless mode, with remote debugging enabled via the remote-debugging websocket port instead of remote-debugging-pipe. HACKERONE
Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
Patrik pushed a couple of features to Practical Bug Bounty which now has ~300 tools + 170 articles. TWITTER
HackerOne changed the expiration time on private invites from 7 to 14 days. TWITTER
RetireJS/retire.js 4.3.4 is a scanner detecting the use of JavaScript libraries with known vulnerabilities. GITHUB
jesseduffield/lazydocker v0.23.1 now honors the host specified in the current docker context (courtesy of @rajiv-k). GITHUB
ZAP 2.14.0 adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more. ZAPROXY
📅 News
🎉 Celebrate
💰 Career
Alex on what to pursue: “Figure out what you want to DO. Then within that context, which version makes you money.” TWITTER
Stu is building a Red Team in Australia, specifically Sydney, to emulate adversaries that target telcos. DM him if interested. TWITTER
A Day in My Tech Life: Kayla B. 300k+ Enterprise Tech Sales at Microsoft. Step into the world of enterprise tech sales with Kayla B., an Enterprise Tech Sales Professional at Microsoft, host of Big Boss Energy Podcast, and content creator in this “Day in the Life” tech video. YOUTUBE
Chris was laid off…again. He shares his tech journey, useful tips, and what’s next. YOUTUBE
The Calm Business Encyclopedia—An A to Z guide on running a business that’s predictable, profitable, and peaceful. WANDERINGAIMFULLY
⚡️ Community
Bug bounty survey data with 664 votes ran by rez0. HackerOne is the overall winner. TWITTER
Rachel Tobac wrote an eBook in partnership with Bitwarden: The hacker’s guide to securing your organization. TWITTER
g0lden unveils his plan for future content. After DEFCON, he really wanted to continue to build, but he also wanted to change his content to better reflect that, as well as include more of his life. YOUTUBE
📰 Read
Finding a POP chain on a common Symfony bundle. The Symfony doctrine/doctrine-bundle package is one of the most common bundles installed alongside Symfony applications. At the time of this blogpost release, it has been downloaded 144 million times, making it an interesting target for unserialize exploitation. SYNACKTIV
2023 Microsoft Office XSS. In the server, when parsing a video from a link designated by an attacker, a malicious payload included in the video title can trigger an XSS (Cross-site Scripting) attack, allowing the execution of arbitrary JavaScript code. PKSECURITY
On September 21, 2023, JetBrains publicly disclosed a critical security vulnerability with their CI/CD platform TeamCity. It was given a CVSS of 9.8 for the potential of bypassing authentication leading to a Remote Code Execution (RCE) attack. PROJECTDISCOVERY
Teaching iteration. That’s Jason’s initial idea to improve the educational system. Teach problem solving through iteration — I agree that it’s highly underrated. HEY
Multi-modal prompt injection image attacks against GPT-4V. GPT-4V is the new mode of GPT-4 that allows you to upload images as part of your conversations. SIMONWILLISON
💡 Tips
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@j0v0x0 | j0v | Software developer, ethical hacker and security researcher.
@act1vand0 | Walter Martín Villalba | Founder and ProdSec Consultant at @C13Security. Founder and Director at @InfoSecMap. SB Leader & @AppSecCali organizer at @OWASP. Leader at @AppSecBA.
@AletheDenis | ᗩᒪETᕼE | ‘Uh-Lee-th’ | Senior Security Consultant @bishopfox | BlackBadge @DefCon @tracelabs | Future Cat Lady | Followed by @ladygaga & @forbes - Yes, Really.
@Michael1026H1 | Michael Blake | H1: michael1026. Application Security Engineer Oregon.
@monicalent | Monica Lent | Dev founder of affilimate (Analytics SaaS for affiliate publishers). Courses & Community. Sharing as she goes.
🚀 Productivity
An acronym to help you keep on track. TWITTER
An interesting approach to energy levels and brain-intensive work. At the start of the day, James plans out his tasks in pseudocode. TWITTER
marcusolsson/obsidian-projects is a plugin for Obsidian that lets you manage and visualize notes for project management. GITHUB
The workspace of Channing Allen, co-founder of Indie Hackers. They help share the stories, business ideas, strategies, and revenue numbers from the founders of profitable online businesses. WORKSPACES
One Task is an app that shows a single task on your Home Screen or Lock Screen. SINDRESORHUS
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
TIL The founder of Sony hired an outspoken critic of their products so they could make better products. 20 years later, he became the president of Sony. TWITTER
Daniel’s latest ExtWis extraction of a brilliant piece of content featuring Neri Oxman discussing her work at the intersection of computational design, digital fabrication, material science, and synthetic biology. TWITTER
10 key traits to be an effective software engineer. Ranging from caring about users and their need to being comfortable taking on new challenges. TWITTER
HEY is running No Build JavaScript for the main app. I’d never heard of this approach before but it looks interesting. 500kb of JS uncompressed. TWITTER
How to set your default speaker/audio/sound output on Windows, including power tools and tips for pros. YOUTUBE
🧠 Wisdom
A reminder from IppSec: “be more open to things you don’t think are valuable, experiment with life, and try things you think you’d dislike out.” TWITTER
What stops us from getting better. There’s no replacement for just doing the work. JFDI is Alex Hillman’s mantra and all credit for the concept goes to him. YOUTUBE
Something I’ve learned and try to get better at every day is to walk into every single interaction with the goal of adding as much value as possible. TWITTER
rez0 on how we’re living in the most comfortable, healthy, abundant time in the history of the universe: “There are near infinite interesting things to work on.” TWITTER
Daniel on the importance of the balance between creation and consumption. TWITTER
💛 Cross-pollination
Topics, insights, and quotes from the Neri Oxman and Lex Fridman Conversation. The importance of novelty in multiple disciplines to create something truly innovative. DANIELMIESSLER
There was a major breakthrough in the Vesuvius Challenge: they have read the first word from an unopened Herculaneum scroll. TWITTER
Elon Musk’s Twitter Takeover (full documentary). FRONTLINE traces Elon Musk’s long and often troubled relationship with Twitter, following his journey from being one of the platform’s most provocative users to becoming its owner. YOUTUBE
Breaking the Rules: The Young Entrepreneur Who Squatted at AOL. The saying “he lives at his office” has rarely been taken so seriously. For two months, 20-year-old Eric Simons worked on his start-up out of the AOL headquarters in Palo Alto, California. He also slept, ate, worked out, and bathed at AOL. INC
OpenStax offers free college textbooks for all types of students, making education accessible & affordable for everyone. OPENSTAX
🐝 Fact
The western honeybee (Apis mellifera) is the most geographically widespread bee on Earth. It has been domesticated, or at least exploited, by humans for so long that its origins are now unclear. It probably arose in Africa and then spread into Europe (recent studies of honeybee DNA have suggested that there may even have been three different prehistoric invasions of Europe from Africa), and later, with colonial expansion, to North America (1620s) and Australia (1820s).
This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.