
🐝 Hive Five 152 - Never feed a beast you don't want to grow

Hi friends,

Greetings from the hive!

When you find yourself unable to start a task, tell yourself to accept the initial agitation.

"The agitation and stress that you feel at the beginning of something—when you're trying to lean into it and you can't focus—is just a recognized gate.

You have to pass through that gate to get to the focus component."

Andrew Huberman

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Google OAuth is broken. TruffleSec released a Google OAuth vulnerability that allows employees at companies to retain indefinite access to applications like Slack and Zoom, after they’re off-boarded and removed from their company’s Google organization. TRUFFLESECURITY | YOUTUBE

  2. Why Air Quality Matters. DHH's brand new house was making his family sick. That led him to study indoor air quality, and the findings were stunning. Besides the risk of making you physically sick, your mental capacity can take a serious hit. YOUTUBE

  3. Apache Struts File Upload Exploit (CVE-2023-50164) analysis and POC. ALIYUN

  4. Having some fun with JavaScript hoisting. Showing the usage and abuse of hoisting in JavaScript in XSS challenges posted on Twitter during November/December of 2023. JOAXCAR

  5. Remote Code Execution on Ahold Delhaize, one of the biggest food retail groups. This critical CVSS 10 bug went unpatched for longer than 3.5 years after reporting it. MEDIUM

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. jswzl 2023.4.6 hotfix addressing numerous bugs. TWITTER

  2. Caido released HTTPQL, a quick and easy way to filter through the noise. TWITTER

📅 News

  1. vx-underground is giving away 12 Evilginx Master courses. That's over $5,000 worth of educational material. TWITTER

  2. IntelTechniques's Irish Exit to the podcast. INTELTECHNIQUES

  3. Zoom unveils VISS: a revolutionary approach to vulnerability impact scoring. While traditional scoring systems like the Common Vulnerability Scoring System (CVSS) focus on an attacker's viewpoint and worst-case scenarios, VISS takes a different stance. ZOOM

🎉 Celebrate

  1. sumgr0 received their 3rd challenge coin within the last two months. Amazing! TWITTER

  2. James Kettle got married. Congrats you two! TWITTER

  3. NahamSec found a crit and received a sweet bounty. Nice find! TWITTER

  4. d0nut and his partner of 8 years are engaged. Woohoo! TWITTER

  5. Jason trained over 500 students in his live courses. Awesome! TWITTER

💰 Career

  1. JP Morgan's Jamie Dimon shares the best career advice they’ve received. YOUTUBE

  2. Day In My Tech Life: From Military to DOD Cyber Threat Hunter ft Kajhon Soyini. YOUTUBE

  3. Why and how Linear does work trials. They believe the only way to build a quality product and business is to hire people they can trust to make good judgments, across all functions and levels. LINEAR

⚡️ Community

  1. Daniel shares his updated Vim and Terminal config — Coincidentally, I've also started using the LazyVim base. TWITTER

  2. STÖK on the benefits of AI, when leveraged correctly, making us better hackers and creatives. TWITTER

  3. XNL-h4ck3r on donating to the Internet Archive if you've ever used them, as they are a non-profit org. TWITTER

📰 Read

  1. Cybergibbons breaks down what the Flipper Zero does and how it's doing it. They start with the Mifare Classic reading. TWITTER

  2. Frans shares the solution to his XSS-challenge from last week. TWITTER

  3. An introduction to fuzzing. Fuzzing, or fuzz testing, is a technique where invalid, unexpected, or random data is passed into a system to discover coding errors and security loopholes. SUBSTACK

  4. CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP instance to write files to the local file system and, in some versions, could eventually allow execution of arbitrary system commands. PROJECTDISCOVERY

💡 Tips

  1. 0xblackbird shares an underrated way to quickly find new vulnerabilities: "Right before you stop working, go to your proxy interceptor's history and..." TWITTER

  2. sw33tLie shares that you can run a local LLM model for when you don't have access to the internet. TWITTER

  3. Max improved his bug bounty skills by using these 12 simple rules. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @caffeinevulns | Sam (caffeine) | Just love coffee and finding vulnerabilities at @SynackRedTeam.

  2. @TCMSecurity | TCM Security | Disrupting the education and hacking industry. Come learn to hack at TCM Security Academy! Veteran owned. Quality results.

  3. @raymondcamden | Raymond Camden | Cats, adoption advocate, developer relations, Star Wars nerd, Jamstack, lover of good beer & good books. He/Him.

  4. @stolinski | Scott Tolinski - Syntax.fm - LevelUpTuts | Creator of @leveluptuts.

  5. @Sil3nt_4unt3r | $!|3nt_4unt3r | Bug hunter, coder, blockchain enthusiast.

🚀 Productivity

  1. Flow Launcher allows for quick file search & app launcher for Windows with community-made plugins. GITHUB

  2. logancyang brought CoPilot to Obsidian. Their goal is to make this AI assistant local-first and privacy-focused. It has a local vector store and can work with local models for chat and QA completely offline. GITHUB

  3. Kevin Kelly's flow chart when deciding whether to work on something (or not). TWITTER

  4. Two must-have macOS apps: Rectangle and Raycast — I'm with DHH on this one, except I use Magnet for the former. TWITTER

  5. Note-taking templates Nicole uses in Obsidian (Obsidian Tour 2023). YOUTUBE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. DHH shares his primary mission for Rails 8: PWA, installable apps, and to embrace the full realization of progress in storage. In that order. TWITTER

  2. This week I learned that there is a Microsoft Excel Championship. It's been won by Andrew "The Annihilator" Ngai for the 3rd straight time. YOUTUBE

  3. linexjlin collects leaked GPT prompts. GITHUB

  4. Office chair recommendations from the X hivemind. TWITTER

  5. 4 Web Devs, 1 App Idea (Cassidy Williams, David Khourshid, Shaundai Person) build an app that has a leaderboard. YOUTUBE

🧠 Wisdom

  1. Dr. Julie on fighting losing battles: "Never feed a beast you don't want to grow." TWITTER

  2. Build your binge bank. Expand your luck by sharing publicly, without immediate success or views. TWITTER

  3. Justin on playing to your strengths: "Don't look for a message that resonates with your audience..." TWITTER

  4. Life lessons from a 44 year old — Here are some that resonated with me: "The small details of your day matter..." and "Put your phone down." ANNIEMACMANUS

  5. Huberman shares his Yoga Nidra and NSDR meditations that he's done 1-7X per week since 2017. TWITTER

💛 Cross-pollination

  1. After failing 24 times over the last 17 years, Casey Neistat ran a marathon under 3 hours. LFG! TWITTER

  2. These prompt questions help you choose the right thinking tool for a problem, decision or a system. UNTOOLS

  3. Visiting The Giants Strength Of Hawaii: Stone Lifting, Wrestling, and Climbing. YOUTUBE

  4. Random League of Legends news that stood out to me: a world-famous ADC, Rekkles, joined T1 — I applaud him for challenging himself with a new language, culture, teammates, and a new role.

  5. Watch the best short films. SHORTOFTHEWEEK

🐝 Fact

Melting beeswax. For all candlemaking, clean beeswax must be melted in a double boiler or a stainless steel container in a hot water bath. The wax should not come into direct contact with the water or the heat. The temperature of the wax can be checked with a meat thermometer: different candlemaking methods require different temperatures for the best results. The melting point range for beeswax is 144-147°F (62-64°C).
