🐝 Hive Five 145 - Using Discord Bots for OSINT Investigations

Hi friends,

Greetings from the hive!

Juggling a lot of stuff at home but we keep on moving forward. I hope you're well 🙏

Let's take this week by swarm!

🐝 The Bee's Knees

  1. After Okta's support system was breached through HAR files that customers had uploaded, Okta recommended sanitizing all credentials and cookies/session tokens within HAR files before sharing them. Cloudflare said: hold my beer, and released such a tool. CLOUDFLARE

  2. The Beginner's Guide to Blind XSS (Cross-Site Scripting). YOUTUBE

  3. Pieter Levels: The Indie Hacker’s Guide to AI Startups. He claims that "Indie Hacking is dead." Yet, Pieter runs several indie AI startups (and a few traditional ones), totaling $250,000 in revenue every month. YOUTUBE

  4. HITB2023HKT D2T1 talk by Yassine Aboukir: Hunting For Amazon Cognito Security Misconfigurations. YOUTUBE

  5. Citrix Bleed: Leaking Session Tokens with CVE-2023-4966. It's time for another round of Citrix patch diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affect Citrix NetScaler ADC and NetScaler Gateway. ASSETNOTE
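The Okta/Cloudflare item above is about one concrete chore: stripping session material out of a HAR file before it is attached to a support ticket. The script below is an added example, not Cloudflare's tool or anything from the newsletter, of what a minimal sanitizer has to cover: `Authorization`/`Cookie`/`Set-Cookie` and similar headers, the `cookies` arrays on both request and response, secret-looking `queryString` and form `params`, the same parameters inside the raw `url` (a common miss: the headers get scrubbed but the token in the URL survives), and compact JWTs embedded in request or response bodies. The `SAMPLE_HAR` capture, the `example.test` host and all token values are constructed for the demonstration; the header and parameter name lists are my own choices, not a standard.

```python
"""Redact credentials and session tokens from a HAR capture (added example)."""
import json
import re
import sys
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Headers whose entire value is secret material (compared case-insensitively).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token",
}
# Parameter or header names that usually carry a credential (assumed list).
SENSITIVE_NAME_RE = re.compile(
    r"(token|secret|passw(or)?d|session|sid|api[_-]?key|auth|bearer)", re.I)
# Compact-serialised JWTs: three base64url segments, header starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _scrub_pairs(pairs):
    """Redact values in a HAR name/value list (headers, queryString, params)."""
    for pair in pairs:
        name = pair.get("name", "")
        if name.lower() in SENSITIVE_HEADERS or SENSITIVE_NAME_RE.search(name):
            pair["value"] = REDACTED


def _scrub_cookies(cookies):
    # Every cookie value is treated as sensitive: session IDs rarely have telling names.
    for cookie in cookies:
        if "value" in cookie:
            cookie["value"] = REDACTED


def _scrub_text(text):
    """Replace embedded JWTs in a body string; leave non-strings alone."""
    return JWT_RE.sub(REDACTED, text) if isinstance(text, str) else text


def _scrub_url(url):
    """Redact secret-looking query parameters in the raw request URL."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, REDACTED if SENSITIVE_NAME_RE.search(k) else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def sanitize_har(har):
    """Return a deep copy of `har` with credentials removed; the input is not mutated."""
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        _scrub_pairs(req.get("queryString", []))
        post = req.get("postData")
        if post:
            _scrub_pairs(post.get("params", []))
            if "text" in post:
                post["text"] = _scrub_text(post["text"])
        content = resp.get("content")
        if content and "text" in content:
            content["text"] = _scrub_text(content["text"])
    return out


# Constructed sample: a login request carrying a bearer JWT, cookies and a token in the URL.
_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.test/api/login?redirect=/home&access_token=abc123",
        "headers": [
            {"name": "Authorization", "value": "Bearer " + _JWT},
            {"name": "Cookie", "value": "sid=9f8e7d6c; theme=dark"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "9f8e7d6c"}],
        "queryString": [{"name": "redirect", "value": "/home"},
                        {"name": "access_token", "value": "abc123"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"user":"alice","id_token":"' + _JWT + '"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=deadbeef; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "deadbeef"}],
        "content": {"mimeType": "application/json", "text": '{"ok":true}'},
    },
}]}}

if __name__ == "__main__":
    # Usage: python har_sanitize.py capture.har > capture.sanitized.har
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    json.dump(sanitize_har(source), sys.stdout, indent=2)
```

Two design choices worth noting: cookie values are redacted unconditionally rather than by name, because a session cookie can be called anything, and the script returns a fresh copy so the original capture is never rewritten in place. Before attaching the output anywhere, grep it for the specific token you know was in the capture; name-based rules will always miss a credential with an unusual parameter name.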

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. lc/gau v2.2.0 fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. GITHUB

  2. hahwul/noir v0.10.0 is an attack surface detector that works from source code. GITHUB

  3. Detectify Crowdsource is enhancing its reward system with more continuous and lucrative payouts. TL;DR: Starting November 1, 2023, the reward for each time a submitted module is found in customers’ assets (pay-per-hit) will be doubled for critical, high, and medium severity modules, while fixed payouts will be phased out. DETECTIFY

📅 News

  1. X Engineering shares their accomplishments in what they call a year full of engineering excellence. TWITTER

  2. Semgrep launched Semgrep Secrets, their secrets detection solution that enables security teams to detect sensitive credentials in code that other solutions miss while integrating directly within the developer workflows. SEMGREP

🎉 Celebrate

  1. kai has entered the arena. He soft-launched his new cybersecurity firm: Protexity. Congrats! TWITTER

  2. Back in August 2023, TESS took his brother to HackerOne's Live Hacking Event. Now, he's finding bugs all on his own on giant programs. Love it! TWITTER

  3. Katie joined TraceableAI as an API security content creator. Woohoo! TWITTER

  4. Mason says there's no better feeling than triaging someone's first crit. My favorite, uplift and celebrate! TWITTER

💰 Career

  1. Day in My Tech Life with Teneika Askew, a GS-15 GovTech Data Engineer by 30. YOUTUBE

  2. Blake was laid off. If anyone needs a red teamer with 7 years of experience who loves what they do, DM them! TWITTER

  3. What computer science majors should REALLY be doing, according to Beez: GovTech. YOUTUBE

  4. An interview with Shenetworks: leveraging content creation to build a career in Cybersecurity. YOUTUBE

Jobs

  1. Lance's team has 6 fully remote job openings for infosec analyst, engineer, and manager positions. TWITTER

  2. Bugcrowd is hiring a Technical Pentest Manager (US). TWITTER

  3. Zomato is hiring a Security Engineer and Analyst. TWITTER

⚡️ Community

  1. How insiderPhD made her animated VTuber avatar. SUBSTACK

  2. Allegedly, an intern at offsec is claiming others' exploits as his own. TWITTER

  3. Meg did an AMA on Twitter. She's 27, worked in cybersecurity for 6 years, has her masters in cybersecurity, has traveled to nearly 30 countries, and has lost over 90 pounds of weight. TWITTER

  4. Some delicious puns by Adam in the new Hacking Hub: Mega Bites for learning Blind XSS. TWITTER

  5. enleak is looking for an OSCP study partner. Hit 'em up! TWITTER

📰 Read

  1. Oh-Auth: Abusing OAuth to take over millions of accounts. Hackers could take over millions of accounts on Grammarly, Vidio and Bukalapak. SALT

  2. Revisiting an Old Bug: File Upload to Code Execution CVE-2021-27198. SECURIFERA

  3. CVE-2023-22515: Broken Access Control Vulnerability in Confluence Data Center and Server. S1R1US

  4. Infra writeup of DownUnderCTF 4.0, which ran over the weekend of 1-3 September. DOWNUNDERCTF

  5. DOM-based race condition: racing in the browser for fun. RYOTAK

💡 Tips

  1. Does Frans have a shell? DOESFRANSHAVEASHELL

  2. Justin shares some takeaways from the past two live hacking events, which are unparalleled learning environments. TWITTER

  3. Whenever you put something away in a new or different place, write it down. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @vict0ni | Viktor Vaughn | Said to James Bond my name is Viktor, Viktor Vaughn.

  2. @notdan | genuinely flawed satire.

  3. @JoshCGrossman | Josh Grossman (tghosth) | Your friendly AppSec Ghost | @OWASP_IL | @OWASP_ASVS.

  4. @TheGrandPew | Pew | 18 Year Old Websec dude, plays ctf with @Water_Paddler | Blackhat and Defcon 22 speaker. Security / Vulnerability Researcher @assetnote, Blockchain @osec_io.

  5. @timurguvenkaya | Timur Guvenkaya | Co-founder & CTO of (soon) | Building & Leading top engineering teams | Building and auditing protocols on EVM/@substrate_io/@NEARProtocol | Ex @HalbornSecurity.

🚀 Productivity

  1. zidoro/pomatez is a free elegant multi-platform Pomodoro desktop app to boost your productivity released under the MIT license. GITHUB

  2. Examine what puts and keeps you in flow. Now, set up systems to streamline it, says Dr. Julie. TWITTER

  3. A beginner's tutorial for one of my most used Obsidian plugins: Dataview. It's a high-performance data index and query language. YOUTUBE

  4. Fireside Chat with @kepano, CEO of Obsidian. In this session, you will learn: How Kepano got involved with Obsidian, how the Obsidian team uses Obsidian, and more. YOUTUBE

  5. The best way to use Obsidian Canvas: Hub Note Explained. YOUTUBE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. blame.email: a client-side one-way email generator. BLAME

  2. homeport/termshot is a terminal screenshot tool, which takes the console output and renders an output image that resembles a user interface window. GITHUB

  3. Astro Web Framework Crash Course. Astro is an all-in-one web framework for building fast, content-focused websites like landing pages, blogs, technical documentation, and more. YOUTUBE

  4. denandz/sourcemapper extracts JavaScript source trees from Sourcemap files. GITHUB

  5. openai/web-crawl-q-and-a-example teaches you how to crawl your website and build a Q/A bot with the OpenAI API. GITHUB

🧠 Wisdom

  1. All voices matter: "We hope for a world where dialogue is encouraged, where diverse opinions are respected, and where justice is non-negotiable." TWITTER

  2. Mark Manson on competence: "Competence is how good you are when there is something to gain. Character is..." TWITTER

  3. Paul on superlinear returns. Teachers and coaches implicitly told us the returns were linear. "You get out," I heard a thousand times, "what you put in." They meant well, but this is rarely true... PAULGRAHAM

  4. Dr. Julie wants you to ask yourself: "What is the one thing that would really level up your performance in this space?" and start doing that thing. TWITTER

  5. On the importance of curation in the creative process: "You’re not lacking creativity, you’re overwhelmed." THEJORGEMEDINA

💛 Cross-pollination

  1. An Illustrated Guide to Plastic Straws. If you don't know the exact location where your plastic is recycled, throw it in the regular garbage instead. I had no idea recycling was shipped overseas...with devastating impact. SUBSTACK

  2. Molding a Champion: Battle of the Baddest—Mike Tyson training Francis Ngannou. YOUTUBE

  3. Map of the Best: Collection of the world's best restaurants and bars. MAPOFTHEBEST

  4. Never overpay online again. Stores mark up their products. Spoken finds the same product elsewhere, for less. Stop paying more for the same thing. SPOKEN

🐝 Fact

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.


A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.