🐝 Hive Five 171 - The Power of Recon

Hi friends,

Greetings from the hive!

Tuesday morning I woke up to great pain in my shoulder. "Must've slept wrong", I thought, while shrugging it off.

However, the pain lasted and limited my mobility for 5 days. This reminded me of growing older and our fragility. It also made clear that I should invest in doing mobility training.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Relative Path File Injection (RPFI) is a technique that builds upon the Relative Path Overwrite (RPO) technique, allowing for injection of arbitrary files into the target application. MORE

2. Ngo on how how they discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability turned it into one of the most impactful bugs in GitHub’s bug bounty history. MORE

3. Godfather Orwa's "The Power of Recon" talk explores top intel gathering and vulnerability spotting techniques. MORE

4. Digging for SSRF in NextJS apps (CVE-2024-34351). The term 'static' might imply a lack of functionality and minimal risk. Yet, these frameworks often rely on numerous underlying APIs and logic, presenting a considerable attack surface. MORE

5. Hacking Apple: SQL Injection to Remote Code Execution. Exploring the source code of Masa/Mura CMS. MORE

Table of Contents

• 📰 Updates

• 💼 Work

• 🌎 Community

• ⬆️ Level up

• 🛠 Explore

📰 Updates

🍯 My work

➡️ Continue reading online to avoid email cutoff

✅ Changelog

1. DOMPurify 3.1.3 is a highly configurable, fast, and tolerant XSS sanitizer for HTML, MathML, and SVG. MORE

2. Gulp v5.0.0 is a major release that includes a high-level changelog, but the complete changes are available in the individual dependency changelogs. MORE

3. Waymore v4.3 release: Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan and VirusTotal. MORE

4. Obsidian 1.6.0, in early access, brings improved loading times, dozens of fixes, and sync improvements. MORE

📅 News

1. BetterHelp, a mental health platform, shared users' personal data with Meta and Snapchat for advertising purposes, raising privacy concerns. MORE

2. PentesterLab is launching a comprehensive security code review training with over 12 hours of content. MORE

3. Lupin unveils Depi, a novel approach to software supply chain security, promising to revolutionize the field. MORE

➡️ Continue reading online to avoid email cutoff

💼 Work

💰 Career

1. Chess.com has grown from a simple chess service to a thriving $150 million ARR business by focusing on making chess accessible to everyone. MORE

2. The Strategy That Skyrocketed Sahil's Career. MORE

3. Marcus J. Carey's journey from a small town to founding a successful cybersecurity company, Threatcare, which was acquired. He also authored multiple cybersecurity books, including "Tribe of Hackers". MORE

4. Scott Galloway shares a "Get-Rich" formula and hard-to-hear advice for building wealth in your 30s and 40s. MORE

5. Mikael's PARCE framework helps land your dream job by focusing on Portfolio, Applying, Recon, Common ground, and Evolving your skills. MORE

🚀 Productivity

1. Why Fatih prefers the iPad over a MacBook: it's more portable, has a better battery life, and is more convenient for media consumption and note-taking. MORE

2. Double-pressing hotkeys is a useful feature that can enhance productivity by quickly triggering frequently used workflows. MORE

3. An Apple productivity system leveraging shortcuts for quickly capturing and organizing notes, task management, and more. MORE

4. The anti-to-do list is a single tool for unlocking powerful life-changing productivity. MORE

5. In the absence of ROI measures, the percent of engineering time spent on value-add activities is a pretty good proxy for productivity. MORE

➡️ Continue reading online to avoid email cutoff

🌎 Community

🎉 Celebrate

1. Mert has achieved the top position on the Bugcrowd all-time P1 and P2 leaderboard. Congrats! MORE

2. Renniepak is a year older. Happy birthday! MORE

3. Adrian has been appointed as the Head of Triage at Immunefi. Nice one! MORE

⚡️ Community

1. Eldar shares their bug bounty journey and reflects on the past 4 months. MORE

2. Roy Davis, Security Engineer and Bug Bounty Manager at Zoom, shares his ALS battle to raise awareness and support efforts to find a cure for this devastating disease. MORE

3. HackerOne on their AI-driven hack agent with plans to expand its capabilities further. MORE

4. Ayub admires infosec video creators, as they make content creation seem effortless, despite its complexity. MORE

5. Ramsexy is planning a 3-week van trip on the US/Canada east coast. MORE

💛 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @rjgilbert | Ryan Gilbert | Head of Content sendwithloops. Publishing workspacesxyz.

2. @__biancat | bianca | infra at cruise. design, neurotech, homelab enthusiast. cat & corgi hugs.

3. @justinsteven | xchg justin,justin | 10x full-stack hacker.

4. @0xtavian | Octavian | OSCP | Cloud Red Team - Lead | Penetration Testing.

⬆️ Level up

📰 Read

1. Exploit Archeology, Alex exploits an old unknown Server Side Browser. MORE

2. Cross Window Forgery: Attackers can use the link rel="prerender" href= tag to prefetch and render a target page, enabling a stealthy attack. MORE

3. Even "phish-proof" MFA systems can be vulnerable to sophisticated attacks. MORE

4. Researchers found multiple security vulnerabilities in Microsoft's Azure Health Bot service, which could allow access to sensitive infrastructure and medical data. MORE

💡 Tips

1. You can use Image Capture on Mac to transfer images and video clips from various devices, and optionally delete them from the source device. MORE

2. Win a free DEFCON 2024 trip. MORE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧠 Wisdom

1. When news breaks, many turn to open source accounts and experts to make sense of events, but beware of the "Seven Deadly Sins of Bad Open Source Research." MORE

2. The Unspoken Secret to Achieving Success in Any Endeavor — Insights from an elite CrossFit competitor on the power of compounding accountability. MORE

3. "No one is stealing your success, you are your only competitor." MORE

4. Shubs on confidence and faith being essential in source code auditing, as they help navigate the complexities and uncertainties involved. MORE

5. Trash Puppy suggests that finding one's ikigai, or life's purpose, is not everything. MORE

📚 Resources

1. PDF Investigator GPT summarizes and analyzes PDFs by extracting hidden Metadata that could be used in an investigation. MORE

2. Awesome Regex curates the best regular expression tools, tutorials, libraries, and other resources. MORE

3. A collection of links related to security vulnerabilities in Korean products. MORE

4. A collection of custom search engines curated by cqcore. MORE

5. The CKS Study Guide 2024 is a comprehensive resource to help you prepare for and pass the Certified Kubernetes Security Specialist exam. MORE

💭 Quote

🛠 Explore

Subscribe to the Hive Five to read the rest.