• Hive Five
  • Posts
  • 🐝 Hive Five 171 - The Power of Recon

🐝 Hive Five 171 - The Power of Recon

BetterHelp sharing personal data, iPad > MacBook, the Anti-To-Do list, and more...

Hi friends,

Greetings from the hive!

Tuesday morning I woke up to great pain in my shoulder. "Must've slept wrong", I thought, while shrugging it off.

However, the pain lasted and limited my mobility for 5 days. This reminded me of growing older and our fragility. It also made clear that I should invest in doing mobility training.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Relative Path File Injection (RPFI) is a technique that builds upon the Relative Path Overwrite (RPO) technique, allowing for injection of arbitrary files into the target application. MORE

  2. Ngo on how how they discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability turned it into one of the most impactful bugs in GitHub’s bug bounty history. MORE

  3. Godfather Orwa's "The Power of Recon" talk explores top intel gathering and vulnerability spotting techniques. MORE

  4. Digging for SSRF in NextJS apps (CVE-2024-34351). The term 'static' might imply a lack of functionality and minimal risk. Yet, these frameworks often rely on numerous underlying APIs and logic, presenting a considerable attack surface. MORE

  5. Hacking Apple: SQL Injection to Remote Code Execution. Exploring the source code of Masa/Mura CMS. MORE

️πŸ’ͺ Sponsor

Every week, thousands of innovators immerse themselves in the Hive Five for the best infosec resources, tech optimizations, and productivity improvements. To hack a life they love.

From a reader: "The newsletter is always a highlight of my week!”

Table of Contents

πŸ“° Updates

🍯 My work

βœ… Changelog

  1. DOMPurify 3.1.3 is a highly configurable, fast, and tolerant XSS sanitizer for HTML, MathML, and SVG. MORE

  2. Gulp v5.0.0 is a major release that includes a high-level changelog, but the complete changes are available in the individual dependency changelogs. MORE

  3. Waymore v4.3 release: Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan and VirusTotal. MORE

  4. Obsidian 1.6.0, in early access, brings improved loading times, dozens of fixes, and sync improvements. MORE

πŸ“… News

  1. BetterHelp, a mental health platform, shared users' personal data with Meta and Snapchat for advertising purposes, raising privacy concerns. MORE

  2. PentesterLab is launching a comprehensive security code review training with over 12 hours of content. MORE

  3. Lupin unveils Depi, a novel approach to software supply chain security, promising to revolutionize the field. MORE

πŸ’Ό Work

πŸ’° Career

  1. Chess.com has grown from a simple chess service to a thriving $150 million ARR business by focusing on making chess accessible to everyone. MORE

  2. The Strategy That Skyrocketed Sahil's Career. MORE

  3. Marcus J. Carey's journey from a small town to founding a successful cybersecurity company, Threatcare, which was acquired. He also authored multiple cybersecurity books, including "Tribe of Hackers". MORE

  4. Scott Galloway shares a "Get-Rich" formula and hard-to-hear advice for building wealth in your 30s and 40s. MORE

  5. Mikael's PARCE framework helps land your dream job by focusing on Portfolio, Applying, Recon, Common ground, and Evolving your skills. MORE

πŸš€ Productivity

  1. Why Fatih prefers the iPad over a MacBook: it's more portable, has a better battery life, and is more convenient for media consumption and note-taking. MORE

  2. Double-pressing hotkeys is a useful feature that can enhance productivity by quickly triggering frequently used workflows. MORE

  3. An Apple productivity system leveraging shortcuts for quickly capturing and organizing notes, task management, and more. MORE

  4. The anti-to-do list is a single tool for unlocking powerful life-changing productivity. MORE

  5. In the absence of ROI measures, the percent of engineering time spent on value-add activities is a pretty good proxy for productivity. MORE

🌎 Community

πŸŽ‰ Celebrate

  1. Mert has achieved the top position on the Bugcrowd all-time P1 and P2 leaderboard. Congrats! MORE

  2. Renniepak is a year older. Happy birthday! MORE

  3. Adrian has been appointed as the Head of Triage at Immunefi. Nice one! MORE

⚑️ Community

  1. Eldar shares their bug bounty journey and reflects on the past 4 months. MORE

  2. Roy Davis, Security Engineer and Bug Bounty Manager at Zoom, shares his ALS battle to raise awareness and support efforts to find a cure for this devastating disease. MORE

  3. HackerOne on their AI-driven hack agent with plans to expand its capabilities further. MORE

  4. Ayub admires infosec video creators, as they make content creation seem effortless, despite its complexity. MORE

  5. Ramsexy is planning a 3-week van trip on the US/Canada east coast. MORE

πŸ’› Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @rjgilbert | Ryan Gilbert | Head of Content sendwithloops. Publishing workspacesxyz.

  2. @__biancat | bianca | infra at cruise. design, neurotech, homelab enthusiast. cat & corgi hugs.

  3. @justinsteven | xchg justin,justin | 10x full-stack hacker.

  4. @0xtavian | Octavian | OSCP | Cloud Red Team - Lead | Penetration Testing.

⬆️ Level up

πŸ“° Read

  1. Exploit Archeology, Alex exploits an old unknown Server Side Browser. MORE

  2. Cross Window Forgery: Attackers can use the link rel="prerender" href= tag to prefetch and render a target page, enabling a stealthy attack. MORE

  3. Even "phish-proof" MFA systems can be vulnerable to sophisticated attacks. MORE

  4. Researchers found multiple security vulnerabilities in Microsoft's Azure Health Bot service, which could allow access to sensitive infrastructure and medical data. MORE

πŸ’‘ Tips

  1. You can use Image Capture on Mac to transfer images and video clips from various devices, and optionally delete them from the source device. MORE

  2. Win a free DEFCON 2024 trip. MORE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧠 Wisdom

  1. When news breaks, many turn to open source accounts and experts to make sense of events, but beware of the "Seven Deadly Sins of Bad Open Source Research." MORE

  2. The Unspoken Secret to Achieving Success in Any Endeavor β€” Insights from an elite CrossFit competitor on the power of compounding accountability. MORE

  3. "No one is stealing your success, you are your only competitor." MORE

  4. Shubs on confidence and faith being essential in source code auditing, as they help navigate the complexities and uncertainties involved. MORE

  5. Trash Puppy suggests that finding one's ikigai, or life's purpose, is not everything. MORE

πŸ“š Resources

  1. PDF Investigator GPT summarizes and analyzes PDFs by extracting hidden Metadata that could be used in an investigation. MORE

  2. Awesome Regex curates the best regular expression tools, tutorials, libraries, and other resources. MORE

  3. A collection of links related to security vulnerabilities in Korean products. MORE

  4. A collection of custom search engines curated by cqcore. MORE

  5. The CKS Study Guide 2024 is a comprehensive resource to help you prepare for and pass the Certified Kubernetes Security Specialist exam. MORE

πŸ’­ Quote


"The only man who never makes mistakes is the man who never does anything."

Theodore Roosevelt

πŸ›  Explore

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.