
๐Ÿ Hive Five 157 - LLM: Full Stack Bootcamp & Web Attacks

Hi friends,

Greetings from the hive!

Welcome to all the new subscribers and members of the Hive. It's an honor to have you with us.

This weekend, I dropped my first non-newsletter post of the year, diving into my 2024 setup: the gear and software that keeps me going.

I even took it for a spin during a quick trip to Seattle last week.

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. Full Stack LLM Bootcamp. Learn best practices and tools for building LLM-powered apps, cover the full stack from prompt engineering to user-centered design, and get up to speed on the state-of-the-art. FULLSTACKDEEPLEARNING

  2. Find out how you get started with OSINT in 2024. Micah Hoffman and Griffin Glynn share actionable resources. YOUTUBE

  3. PortSwigger Web Security Academy now has a section dedicated to Web LLM attacks, including labs. PORTSWIGGER

  4. Reversing and Tooling a Signed Request Hash in Obfuscated JavaScript. Brett was hacking on a bug bounty program recently and discovered that the website is signing every request, preventing you from modifying the URL, including GET parameter values. BUER

  5. The best Hacking Courses & Certs? Phillip Wylie shares his 2024 roadmap to Pentester success. YOUTUBE

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

๏ธ๐Ÿ’ช Support the Hive

  • Sponsor the Hive and connect with a vibrant community of cutting-edge engineers, bug bounty hunters, security researchers, and ethical hackers: your gateway to an exceptionally engaged audience at the forefront of the industry.

  • Level up as a paid member and join the Hive! Support me directly and unlock exclusive perks, including a private community to delve into shared interests, full access to the Hive archive, exclusive content, and more.

🔥 Buzzworthy

✅ Changelog

  1. pencode by ffuf release v0.4 is a complex payload encoder. GITHUB

  2. In reconFTW v2.8.1 release, the web interface was removed, postman search was added, and there were various updates and fixes by different contributors. GITHUB

  3. The latest bbscope release includes the restoration of Bugcrowd autologin functionality and now supports the new Intigriti API. GITHUB

  4. Caido introduced HTTPQL: A new query language for hackers. CAIDO

📅 News

  1. Jason now offers corporate custom trainings. TWITTER

  2. NahamSec is working on a NahamCon rebrand. What do you think? TWITTER

  3. Get All Parameters (GAP) is now available in the BApp Store. This extension helps find potential endpoints, parameters, and generate a custom target wordlist. PORTSWIGGER

🎉 Celebrate

  1. Kaitlyn passed her OSCP. Woot! TWITTER

  2. Jonathan and Felix launched Asymmetric Research, a web3 security venture. Congrats! TWITTER

  3. NahamSec, John Hammond, and Adam Langley beta launched their educational platform Hacking Hub. Awesome! TWITTER

  4. Alex reported 5 issues in the last 10 days. Let's go! TWITTER

  5. Jason Haddix bet on himself and launched Arcanum Information Security. Exciting! TWITTER

💰 Career

  1. Begin your journey into DFIR, Blue Team, Malware and Threat Hunting with Mary Ellen Kennel. YOUTUBE

  2. DayInMyTechLife: From 40k to 6 Figures as a Technical Project Manager ft. Aysha Davis. YOUTUBE

  3. Learn Application Security Testing in 2024. Tib3rius talks about how to build your foundation of knowledge and skills using free and paid resources. YOUTUBE

  4. Jason on the dirty trick companies pull on us: "Companies can sometimes be like roach motels that make it REALLY hard for us to leave." YOUTUBE

  5. If NahamSec started Bug Bounty Hunting in 2024, he'd do this. YOUTUBE

โšก๏ธ Community

  1. Fireside Chat with TomNomNom. Discover open source insights in cybersecurity and much more. YOUTUBE

  2. Taelur put out her 3rd blog post of the month, wanting to leave a solid knowledge base for the community. TWITTER

  3. Meg did (is doing?) an AMA: "I'm 28, have a masters in cybersecurity, have worked for both IBM's x-force and crowdstrike doing proactive incident response consulting, am a gym rat who has lost 80+ pounds, have traveled to nearly 30 countries." TWITTER

  4. What the "Hacker Mindset" means to the community. TWITTER

  5. Find out what made full-time hackers leave their job to hunt for bug bounty. TWITTER

📰 Read

  1. MyBB Admin Panel RCE CVE-2023-41362. This blog post explores a critical vulnerability in MyBB's admin panel, leading to authenticated Remote Code Execution (RCE). MyBB is a popular forum software with a template system that utilizes eval() to render templates. SORCERY

  2. Identify Slack Workspace Names from Webhook URLs. TruffleSec introduced whoamislack, a tool to enumerate Slack Workspace Names from Slack Webhook URLs. TRUFFLESECURITY

  3. High Signal Detection and Exploitation of Ivanti's Pulse Connect Secure Auth Bypass & RCE. Ivanti disclosed two critical vulnerabilities affecting Ivanti Pulse Connect Secure - CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Remote Command Execution). ASSETNOTE

  4. Learn more about Talkback, an infosec resource aggregator. Throughout 2023 they chipped away at adding new features, implementing bug-fixes, and also released an API. ELTTAM

  5. Building a DigitalOcean OpenAI API Proxy. Liam recently took Daniel Miessler's Augmented course and thought he'd take a stab at implementing the OpenAI API proxy he discussed. SMALLSEC

💡 Tips

  1. Dax shares his cable management approach, taking every single device and cable and thinking about how best to strap it to the desk to hide every detail. TWITTER

  2. The Ship Fast stack for 2024 by Tibo. I'm already using screenstudio and beehiiv. TWITTER

  3. TIL by xnl_h4ck3r that Katana has a -jsluice flag to enable jsluice parsing in JavaScript files. TWITTER

  4. Cassie on accepting and leaning into when you work best, such as night owls. TWITTER

  5. Steve Jobs: Asking for help is a superpower. TWITTER

๐Ÿฏ Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @freddyb | Frederik Braun | Now on mastodon as @freddy@security.plumbing / Dad in Berlin / Computer person at @MozillaSecurity / co-founder of @fluxfingers / he/him.

  2. @ThePrimeagen | ThePrimeagen | Netflix | Vim | Twitch.

  3. @beeamp_vicky | vicky zhao | Experimenting with the intersection of disciplines, ideas and cultures | Taking visual Zettelkasten notes (also on YouTube).

  4. @carlospolopm | carlospolop | Pentester, Researcher & Developer

  5. @tommyvedvik | tommy vedvik | Founder of Flatsome - The All-in-One WooCommerce Website Builder. Full-time Bootstrapper.

🚀 Productivity

  1. Here's how Nicole's learning things in Obsidian in 2024, and the tools she uses in her information processing pipeline to read, listen, and watch content and turn that into ideas and output. YOUTUBE

  2. Priming helps you to start each day off right. TONYROBBINS

  3. Hiding Spam with uBlock Origin. YOUTUBE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

๐ŸŒ Technology

  1. AI-Generated Fakes: How to spot them, how they're made, and how they have been used to mislead. YOUTUBE

  2. Gaming laptop recommendations from the hivemind. TWITTER

  3. Slashing Data Transfer Costs in AWS by 99%. Brilliant trick by Daniel Kleinstein. If you have data in two availability zones in the same AWS region, transferring a TB will cost you $10 in ingress and $10 in egress at the inter-zone rates charged by AWS. But... SIMONWILLISON

  4. How to do math in shell environments (bash, zsh, ...). STEFANJUDIS

  5. How David Perell Uses ChatGPT to Write for Millions. YOUTUBE

🧠 Wisdom

  1. Taelur on progressing as long as you put in effort and consistency. TWITTER

  2. Over the last 5 years, Gary worked hard to remind themselves that responsibility isn't always their fault and to take aggressive action to prevent problems from recurring. TWITTER

  3. Maggie on adopting a One Good Thing habit and its benefits. I currently have a highlight in my daily note, but not a daily highlight. Food for thought. TWITTER

  4. Dr. Gurner on resolving conflict, and using "Us vs The Problem" instead of "Me vs You" positioning. TWITTER

  5. Sketching shows us how messy the creative process really is. Writing is the same. Don't compare your initial draft to someone's final one. TWITTER

💛 Cross-pollination

  1. Six books Adam revisits most as a founder: Radical Candor, No Rules Rules, The Great CEO Within, Shape Up, Rework, and Anything You Want. TWITTER

  2. 'The Sopranos' Turns 25: How David Chase's Series Changed the TV Rules. One of my all-time favorite shows. ROLLINGSTONE

  3. Organize all your reference images in one place with Eagle. As a creative, this was quite exciting to find. For a one-time fee of 29.95, it seems like a steal. EAGLE

  4. Sit in Shade helps you find the best bus seat to minimize sun exposure while traveling. SITINSHADE

  5. Lifechanging items under $100. Good pillows, supportive shoes, and socks are some of the comments.

๐Ÿ™ Quote

"Wherever you go, there you are."

Jon Kabat-Zinn

👇 Join the Hive! Upgrade to a membership and unlock exclusive content below, featuring valuable tools, essential resources, and must-watch/listen recommendations.
