🐝 Hive Five 159 – Using Data Science to win Bug Bounty

Hi friends,

Greetings from the hive!

I've added a new section to the newsletter called From the Hive. Here, I'll share happenings from the member-only Discord server and what's coming up next in the Hive Five.

In other news, I'm excited to dive into Steph Smith's Internet Pipes course. Whatever she puts out is an instant-buy. You can find it under Productivity.

What have you purchased that you’re excited about?

Let's take this week by swarm!

🐝 The Bee's Knees

1. Using Data Science to win Bug Bounty. Justin sits down with Mayonaise (Jon Colston) to discuss how his background in digital marketing and data science has influenced his hunting methodology. YOUTUBE

2. WishfulSearch by hrishioa is a natural language search module for JSON arrays. Take any JSON array you have (notifications, movies, flights, people) and filter it with complex questions. GITHUB | DEMO

3. Daniel Miessler released his highly anticipated AI framework Fabric — An open-source framework for augmenting humans using AI. GITHUB

4. CVE-2023-5480: Chrome new XSS Vector. Google evaluated it at $16,000. SLONSER

5. Executive Offense Issue #9: Mobile Application Hacking Part 2. Including an off-the-cuff technical chat with Joel (aka teknogeek), one of the world's best mobile hackers. BEEHIIV

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!️

🍯 From the Hive

1. Added a new channel dedicated to tips. I shared the first one which was a 75% discount on a book. (member-only)

2. We shared custom snippets for bebiksior's EvenBetter. (member-only)

3. Starting a running Q&A on Discord, where I'll answer questions that'll be available to all members. (member-only)

4. Working on several blog posts, including music to hack to and my Obsidian setup.

🔥 Buzzworthy

✅ Changelog

1. hahwul deadfinder 1.3.4: Find dead-links (broken links). GITHUB

2. xnl-h4ck3r/webpaste v2.2: Save your dorking results to the terminal. A modified version of TomNomNom's amazing tool. GITHUB

📅 News

1. Catch the March cohort of "The Bug Hunter's Methodology Live" before the prices go up! TWITTER

2. DEFCON has been canceled? After 25 years with Caesars, they canceled their contract. Uncanceled DEF CON 32 will now be held at the Las Vegas Convention Center. TWITTER

3. LocoMocoSec is Calling for Speakers. LocoMocoSec is a Hawaiʻi-based security conference and their motto is “one track, lots of flavor.” SESSIONIZE

🎉 Celebrate

1. Nagli won the Eradicator award at HackerOne's H1305. Woot! TWITTER

2. Tae'lur passed the PNPT. Let's go! TWITTER

3. Douglas was gunning for the MVH title in HackerOne's LHE in Miami. Spoiler alert: He did it. Big congrats! TWITTER

4. Mason is elevating his needs to the top of the list in 2024. I'm rooting for you! TWITTER

5. Chloe joined Hidden Layer as Head of Threat Intelligence. Nice one! TWITTER

💰 Career

1. Discover the life of a Test & Evaluation Lead Engineer with Beez's Dad, Raymond Berry Sr. With over 30 years of GovTech experience after joining the Air Force at 16 years old as a fighter jet mechanic. YOUTUBE

2. After you get a job in tech, how do you keep it? how do you grow? Jason shares his experience and thoughts in this almost 3 hour long video. YOUTUBE

⚡️ Community

1. Rhys and his firefighter station are raising money to support kids with life-changing burn injuries. TWITTER

2. Nick accused HackTricks of plagiarism and brought receipts. TWITTER

📰 Read

1. A writeup story for "The truth of Plain" a challenge that's part of the "Real World CTF 6th" CTF. KULKAN

2. ChatGPT Account Takeover using Wildcard Web Cache Deception. GITHUB

3. CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS IMPERVA

4. Back to the (Clip)board with Microsoft Whiteboard and Excalidraw in Meta (CVE-2023-26140). SPACERACCOON

5. Ivanti's Pulse Connect Secure Auth Bypass Round Two. After an authentication bypass and command injection to kick off the year, Ivanti are following with a second authentication bypass and a privilege escalation. ASSETNOTE

💡 Tips

1. Mastering Burp Suite Pro tip: Hackvertor extension can display the most commonly used tags in a separate menu. TWITTER

2. Graham shares a vim keybinding to use leader + d to insert date. TWITTER

3. Howto: Use Burp Hackvertor Plugin to Re-sign Requests. PMNH

4. How to Learn Unfamiliar Software Tools with ChatGPT. JONUDELL

🏃‍♀️ Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @4n6lady | 4n6lady | DFIR & BlueTeam | IR & Threat Detection | OSINT enthusiast | lurker of spaces and breaker of things | waiting for HL3 | AWS.

2. @albinowax | James Kettle | Director of Research at PortSwigger aka Burp Suite.

3. @_justYnot | Vegeta | Curious. Hungry for knowledge. Just why not? Acknowledged by Apple security | eWPTXv2 |eCPPTv2 | eJPT | @Synackredteam member | Bug Bounty Hunter.

4. @shl | Sahil Lavingia | Building @gumroad and @flexile. Investing. Wrote a book.

5. @tabaahi_ | Mohsin Khan | 22y/o. Full-time BBH, Love & hate relationship with computers.

🚀 Productivity

1. Ultimate Notetaking: Neovim Zettelkasten Based on Obsidian. Build in Obsidian but mostly interacted with using Neovim. YOUTUBE

2. hahwul created a collection of Caido Tweaks. GITHUB

3. Obsidian on the Vision Pro. The future is here. TWITTER

4. How to list today's events from Google Calendar in Obsidian using gcalcli and Templater. REDDIT

5. Steph Smith's Internet Pipes course: Opportunity is everywhere. Get the tools and knowledge to see it better than anyone else. INTERNETPIPES

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

1. The most important programming language you need to learn, yet should never use: C. Free course available. YOUTUBE

2. The most useful Vision Pro info I've seen so far. Theo gives his review as a founder and dev. TWITTER| DURABILITY TEST

3. Using nTask to distribute tasks across multiple servers. nTask is a versatile program that uses API communications and WebSocket to distribute tasks, whether they are commands or programs, among different computers. R4ULCL

4. Golden Kitty Awards 2023. Unsurprisingly, the product of the year is GPT-4. PRODUCTHUNT

5. Kelsey on the importance of data. He states that if he started today, SQLite would be part of his learning journey. TWITTER

🧠 Wisdom

1. Why having a bedtime routine doesn't always work. YOUTUBE

2. How to Change your Life in a Year. Write down what you want and look at it every day. YOUTUBE

3. David Perell: "Profoundly change your life by publishing one screenshot essay per week." I want to give this a go... TWITTER

4. Kepano on the value of concise explanations to accelerate progress: "If you want to progress faster, write concise explanations. Explain ideas in simple terms, strongly and clearly, so that they can be rebutted, remixed, reworked — or built upon." TWITTER

5. What people do after a bad day to feel better. TWITTER

💛 Cross-pollination

1. Breaking the World Record for Most Pull-ups in 24 Hours. I can never fully understand these undertakings but they sure are impressive. YOUTUBE

2. Artist Bobby Fingers creates Drunk Mel Gibson Arrest Diorama. The craftsmanship and artistry are mind-blowing. YOUTUBE

3. Map of sunshine hours: Europe vs US. As Pieter stated, I also wasn't aware of the sunnyness of the US compared to Europe. TWITTER

4. The quietest places in the world’s loudest cities. Where to find peace and quiet near you. EARTH

5. If you have kids, the movie Chupa is a great watch. Premise: While visiting family in Mexico, a lonely boy befriends a mythical creature hiding on his grandfather's ranch... To me, it's like a modern version of The Gremlins. NETFLIX

🐝 Quote

Subscribe to the Hive Five to read the rest.