• Hive Five
  • Posts
  • ๐Ÿ Hive Five 172 - The Worst Website In The Entire World

๐Ÿ Hive Five 172 - The Worst Website In The Entire World

Exploring secret web hacking knowledge, Messy thinking > Clear thinking, NahamCon2024, The Rise Of The Generalist, and more ...

Hi friends,

Greetings from the hive!

Here's an interesting question to ask yourself that I heard in a podcast this week: How can I 10x what I'm doing?

This breaks the frame of the typical incremental improvements, pose yourself with a mind-bending question.

Forcing yourself to explore possibilities beyond the obvious ones pushes you to be creative.

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. GitHub Actions cache poisoning is a new privilege escalation and lateral movement technique called "Actions Cache Blasting". MORE

  2. Exploring secret web hacking knowledge, focusing on techniques that are usually not disallowed by the rules. CTF authors hate these simple tricks. MORE | SLIDES

  3. This one blew my mind! TIL you can take photos of your bookshelves, let your phone's OCR index the text, and then search for any book title to find its exact location on the shelf. MORE

  4. Why clear thinking sets you up for unrealistic standards and how to be a messy thinker instead. So, while a clear thinker asks: "am I right?", a messy thinker asks: "what am I missing?". MORE

  5. Frontend-only live semantic search with transformers.js. right in your browser. Calculates the embeddings and cosine similarity client-side without server-side inferencing. Your data is private and stays in your browser. MORE

๏ธ๐Ÿ‘€ Beeโ€™s Pick: Products Worth Looking At

For makers of high-quality software and services used by tech professionals, bug hunters, and cybersecurity experts. If that's you, this is a great way to get eyes on your product from people who appreciate good design, simple utility, and things that just work.

From a reader: "The newsletter is always a highlight of my week!โ€

Table of Contents

๐Ÿ“ฐ Updates

โœ… Changelog

  1. Homebrew has added build provenance to its core, cryptographically attesting to all bottles built in its official CI. MORE

  2. The latest Lazygit release (v0.42.0) includes several minor improvements. The developers plan to have smaller, more frequent releases in the future. MORE

  3. Burp Suite Enterprise Edition spring update 2024 introduces new features and improvements, including cloud deployment, custom scan checks, CI-driven scans, and scanning performance enhancements. MORE

  4. Gau v2.2.3 fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. MORE

  5. xnLinkFinder v6.1 is a Python tool used to discover endpoints, potential parameters, and a target specific wordlist for a given target. MORE

๐Ÿ“… News

  1. NahamCon2024 returns on May 24-25 with 15+ talks and workshops. MORE

  2. The 2024 curl user survey, up during May 14-27, aims to gather insights from curl and libcurl users on various aspects of the software. MORE

  3. GPT-4o has new characteristics, including multi-modal capabilities across text, images, and audio. Its audio demos were impressive, though it may not be a significant leap in "intelligence" compared to GPT-4. MORE

๐Ÿ’ผ Work

๐Ÿ’ฐ Career

  1. CommaAI created a job page, including a tour of comma HQ. MORE

  2. Mischa has decided to transition from his DevOps job to become a full-time creator, weighing the pros and cons of this decision. He has previously established a community focused on DevOps, Kubernetes, note-taking, and productivity. MORE

  3. Codie shares 5 tips to increase your earnings: get reviews, create content, give away 90% for free, sell services first, and offer an upsell. MORE

  4. Cassie shares her approach and materials for preparing and passing the CRISC exam. MORE

  5. The Rise Of The Generalist: how to thrive with multiple interests. MORE

๐Ÿš€ Productivity

  1. Google's new Prompting Guide offers actionable tips to write better AI prompts, including multi-step workflows, templates, and more. MORE

  2. Watch how Neovim plugin Oil.nvim simplifies file system navigation and editing. MORE

  3. Weekly 1:1s in the tech industry are often inefficient and unproductive, as they can be used to micromanage employees and lack meaningful discussions. MORE

  4. Standardizing on one sock type can simplify life by reducing decision-making and ensuring a consistent, comfortable experience. MORE

๐ŸŒŽ Community

๐ŸŽ‰ Celebrate

  1. Hussein celebrated his 26th birthday. Congrats! MORE

  2. Nagli, zseano, et al celebrating Frans Rosen, arguably the best web app hacker in the world. Hear hear! MORE

โšก๏ธ Community

  1. Meg's beloved dog, Bella Marie West, passed away at the age of 8 after a life of adventure and unconditional love. My condolences. MORE

  2. Jason reminding us to put the oxygen mask on ourselves first. MORE

  3. STร–K and Sara sold their house and now live with their two dogs in a motor home, traveling around Sweden. MORE

  4. TESS on the importance of program ownersโ€™ rapport with hackers โ€” I'd dare to say that those with a collaborative relationship have a stronger security posture.

๐Ÿ’› Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @optionalctf | optional | Senior Cyber Security Consultant | HTB with @barctf | OSCP, CRT, CRTO.

  2. @hacker_ | Corben Leo | I hack stuff (legally). | founder @ boringmattress.

  3. @Th3G3nt3lman | Th3g3nt3lman | Risin' up out of the flames like a phoenix, Strainin' to carry the weight of my brain like a genius.

  4. @shaktavist | Shak The Hack | Security Architect, IT Pro, Jack of Infosec, Master of Disaster.

  5. @cure53berlin | Cure53.

โฌ†๏ธ Level up

๐Ÿ“ฐ Read

  1. Interesting features of iframes and windows from a security perspective. MORE

  2. Machine learning model files should be treated like binary executables. MORE

  3. Empowering long-running AI agents with timers and benefit from improved task management, resource optimization, and enhanced coherence. MORE

  4. Bypassing WAFs to Exploit Client Side Path Traversal (CSPT) Using Encoding Levels. Learn about CSPT , why it can be so impactful, and some advanced exploitation and WAF bypass techniques. MORE

  5. Cookie Theft in 2024: Chromium's remote debugging feature remains a risk to be aware of, manage and mitigate. MORE

๐Ÿ’ก Tips

  1. Justin reminding us that good vulns can be hidden behind paywalls. Together with his mentee they bought a service for $300 and made $25k+ off it. MORE

  2. Justin recommends that newer bug bounty hunters master Caido's match and replace tool, which can potentially help them earn a couple thousand dollars per month. MORE

  3. Using <s>asdf</s> instead of <script> when testing for XSS can be beneficial as it is small, easily searchable, and the strike-through text is more noticeable. MORE

  4. Godfather Orwa advises new bug bounty hunters to focus on GraphQL and utilize AI to enhance their abilities. MORE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

๐Ÿง  Wisdom

  1. In the age of AI, we must protect and nurture our core human skills like critical thinking, literacy, and creativity. Don't neglect these base skills or they'll become mere hallucinations. MORE

  2. Seth Godin argues that you don't need more time, but rather the ability to make decisions and take action. MORE

  3. How to Avoid a Life of Regret in 3 Steps: 1) Gather crucial info, 2) Create solid evidence, 3) Face your fear. MORE

  4. Nahamsec opens up about his mental health struggles, sharing his personal journey and encouraging others to prioritize their well-being. MORE

๐Ÿ“š Resources

  1. HackerOne LLM, Hai, was vulnerable to invisible prompt injection through Unicode tag characters, allowing potential exploitation. MORE

  2. FRAVIA: The Art of Searching derived from their searchlores.com work has been converted into a PDF. MORE

  3. Known Breaches is a compilation of breach information, with a client-side search tool and the option to search online. MORE

  4. Sandbox-iframe XSS challenge solution to Johan's Twitter XSS challenge from May 2024. MORE

  5. Techniques Learned from the XZ Backdoor: 1) The IFUNC feature of GLIBC, 2) Concealing characters using Radix Tree, 3) Obtaining all dependency information, 4) Hooking Functions from Other Dependency Libraries. MORE

๐Ÿ’ญ Quote

โ

"Figure out what youโ€™re good at without trying, then try."

Isabel

๐Ÿ›  Explore

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.