
🐝 Hive Five 176 - Experts vs. Imitators

Career growth framework, .js Files Are Your Friends, What’s Going on With CVE-2024-4577, Roger Federer Commencement address, Exploiting ML models with pickle file attacks, and more...

Hi friends,

Greetings from the hive!

I had another super busy week but was able to recoup over the weekend. To this day, I'm still surprised by the healing powers of family, sun, and water.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Career growth framework: Avoid performance review surprises by tracking accomplishments year-round. Get in the habit of consistently writing things down; your career depends on it. MORE

  2. NahamCon2024 talk by Zseano: .js Files Are Your Friends. Learn the importance of hunting through .js files to find more endpoints and interesting code that can lead to vulnerabilities. MORE

  3. Legendary tennis player Roger Federer delivered the Commencement address at Dartmouth, sharing insights on achieving success in life. MORE

  4. What’s Going on With CVE-2024-4577 (Critical RCE in PHP)? This CVE is a critical argument-injection vulnerability in PHP that affects Windows deployments and leads to remote code execution. MORE

  5. Exploiting ML models with pickle file attacks. An attack that uses malicious pickle files to stealthily compromise ML models and carry out sophisticated attacks against end users. MORE | PART 2

With a modest contribution of just $8.25 per month, you’re not only helping keep Hive Five going, but you're also getting access to a private Discord community, the complete Hive Archive, exclusive & bonus content, and a range of other benefits.

Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.

Hive Five is brought to you by:

tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal. Give it a try.

Table of Contents

📰 Updates

🍯 My work

✅ Changelog

  1. xnLinkFinder is a Python tool that discovers endpoints, potential parameters, and a target-specific wordlist for a given target. Release v6.3 is the latest version available. MORE

  2. SecLists v2024.3 release is a comprehensive collection of various lists used during security assessments. MORE

  3. WappalyzerGo v0.1.5 is a high-performance Go implementation of the Wappalyzer Technology Detection Library. MORE

  4. RetireJS 5.0.1 is a scanner that detects the use of JavaScript libraries with known vulnerabilities. MORE

  5. v1.2 release of the 'xnldorker' tool allows gathering results from various search engines using dorks. MORE

📅 News

  1. Gear up for the 2024 Google CTF (June 21-23), a captivating cybersecurity competition that offers a chance to showcase your skills and explore the world of ethical hacking. MORE

  2. Apple is introducing transcripts on Apple Podcasts, making it easier for anyone to access podcasts. MORE

  3. Apple's new "Private Cloud Compute" allows offloading complex tasks like AI to secure cloud devices, raising privacy and security questions. MORE

💼 Work

💰 Career

  1. Asking the right 6 questions during an AppSec interview can showcase your preparation and interest. MORE

  2. Deck gallery is a curated collection of well-designed decks, showcasing innovative and visually appealing outdoor living spaces. MORE

  3. Every conversation with your ideal customer is a chance to improve your product or service, especially when starting out. MORE

  4. Find out how freelancers find work, such as through a service company, networking, or becoming experts in a niche. MORE

  5. T'Vedt went from having no experience to becoming a Systems Engineer by completing a free web dev boot camp with the city of Atlanta, which led to her first tech role. MORE

🚀 Productivity

  1. Find out how hackers use Obsidian and other tools to take notes. MORE

  2. shpool can be thought of as a lighter-weight alternative to tmux or GNU screen. Note that shpool only provides persistent sessions. MORE

  3. UnsubBot automates unsubscribing from marketing emails in GSuite by authenticating with Google Cloud credentials, then finding and tagging the relevant emails. MORE

  4. PDF to Podcast allows you to transform PDF documents into listenable podcasts, offering a unique and effective way to consume content. MORE

  5. Discover what macOS apps people recommend for daily use. MORE

🌎 Community

🎉 Celebrate

  1. Niv obtained the OffSec Web Expert (OSWE) certification from OffSec after trying harder. Congrats! MORE

  2. Ringo collaborated with his son, who's new to bug bounty hunting. After 10 hours, the son submitted his first report on a target with a large incentive. LFG! MORE

⚡️ Community

  1. "We need to support our local content dealers. Content creators, newsletters and curators are essential for discovering 'the good stuff'." MORE

  2. Zseano has been injured while speed skating, resulting in damage to his wrist and knee. Get well soon! MORE

  3. As a full-time bug hunter, renniepak still asks "beginner questions" daily, such as how to stay focused, what to learn, and what tools to use. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @djnemec | Nemec | Software dev, interested in programming and OSINT.

  2. @acut3hack | Nicolas Christin | Bug bounty hunter | Former C dev & expert in irrelevant technologies.

  3. @erbbysam | erbbysam | software, cryptography, etc. DEFCON black badge.

  4. @drunkrhin0 | Rami (drunkrhin0) | Hacker Success Manager Bugcrowd | Photographer.

  5. @shailesh4594 | Shailesh Suthar | An independent security researcher.

The Hive Five is for the curious ones. The rebels. The hackers. The ones who see life not as it is, but as it could be.

Share the newsletter with others like us who want to hack a life they love.

⬆️ Level up

📰 Read

  1. The Wikimedia/svgtranslate 2.0.1 application is vulnerable to remote code execution due to improper input validation in the ApiController.php and Renderer.php files, allowing attackers to execute arbitrary code. MORE

  2. GitHub Copilot Chat: From Prompt Injection to Data Exfiltration. MORE

  3. Valentina Palmiotti, aka chompie, made history by becoming the first female to score a full win at Pwn2Own 2024. MORE

  4. GHSL-2024-001_GHSL-2024-003: Remote DoS and potential authentication bypasses in RubyGems.org - CVE-2024-35221. MORE

  5. Exfiltrating Data from Sandboxed Documents. MORE

💡 Tips

  1. Unlock your potential by watching this transformative 3-day company offsite by Sahil. Dive deep into a life and business audit, uncover secrets to maximizing the next 365 days for massive growth. MORE

  2. TESS on the importance of note taking. MORE

  3. Four tips for aspiring code reviewers: 1) Focus on understanding, not just searching. 2) Regularly review for CVE updates. 3) Start with simpler codebases. 4) Prioritize thorough review over quick fixes. MORE

  4. When using ffuf, change the user agent string from the default "Fuzz Faster U Fool" as it is commonly blocked. MORE

  5. To become a successful bug bounty hunter, you should have deep domain expertise, develop a unique methodology, be persistent in your approach, and more. MORE

🧠 Wisdom

  1. You're fit but you're weak. You're strong but you're unfit. What's the answer? 100 squats. MORE

  2. True experts provide high-quality information, but many impostors claim expertise they lack: "The person with real expertise is often not the person who made the subject popular." MORE

  3. By consuming and supporting certain media, you signal the demand for more of that content and less of other alternatives. Your choices as a subscriber or member have a direct impact on the creation of future media. MORE

  4. Ursula Burns, the first African American woman to lead a Fortune 500 company, shares her story of success and the secrets that helped her achieve this milestone. MORE

  5. 7 thought-provoking questions to gain self-understanding and challenge one's worldview. MORE

📚 Resources

  1. A memorable site for testing clients against bad SSL configs. MORE

  2. Exploring the impact of manipulating the Google search URL's &udm= parameter, which can potentially yield unexpected and curious search results. MORE

  3. Teach your kids how to code with Minecraft Hour of Code tutorials. MORE

  4. GoRedOps is a collection of Golang projects for red teamers and offensive security operations. MORE

  5. This course on security for Rails developers is currently in development. You can pre-purchase it to show support and get a discount, with a full refund available if you're unsatisfied. MORE

💭 Quote

"Be more concerned with your character than with your reputation, because your character is what you really are, while your reputation is merely what others think you are."

John Wooden

🛠 Explore

🧰 Tools

  1. CreepJS is a project that aims to expose weaknesses and privacy leaks in modern anti-fingerprinting extensions and browsers. MORE

  2. sw33tLie/uff is a custom fork of the ffuf tool that uses modified net/http and net/url libraries to bypass strict header and URL parsing, allowing for more flexible input. MORE

  3. Agentic is an open-source LLM vulnerability scanner. MORE

  4. SlackEnum is a tool for enumerating Slack workspaces and extracting valuable information. MORE

  5. Reset Tolkien is an insecure time-based secret exploitation and sandwich attack implementation. MORE

WAF blocked your Netflix? Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🎥 Watch

  1. Bugs on a Plane: Implementing a Bug Bounty in an Airline IT/OT Environment. MORE

  2. SchmooCon Firetalk: Metabolism Hacking for Fun and Longevity. MORE

  3. After nearly 40 years as an Adobe customer, Mike has finally decided to discontinue their subscription. MORE

  4. A walkthrough of the NahamCon2024 mission, a realistic bug bounty / web CTF challenge. MORE

  5. NahamCon2024 talk: Practical AI for Bounty Hunters by Jason Haddix. Learn how to use AI to streamline your bounty hunting, from reconnaissance to JavaScript analysis. MORE

🎧 Listen

  1. Anand Sanwal joins Sam Parr and Shaan Puri to reveal his playbook for building an insanely profitable data business. MORE

  2. Centre For Information Resilience's Sofia Santos talked about how to get into the industry, providing invaluable tips and resources for beginners. MORE

  3. Cal Newport discusses his planning system for note-taking and time management. MORE

  4. Dan Abramov discusses his move from Meta to Bluesky, the decentralized social web, and the challenges of product vs framework work. MORE

🌐 Technology

  1. Alternatives to Adobe software. MORE

  2. Decap CMS, previously NetlifyCMS, is an open source content management system that integrates with your Git workflow, providing a static site with a convenient editing interface. MORE

  3. A search engine for finding vetted software that solopreneurs use. MORE

  4. The Microsoft FOSS Fund enables Microsoft engineers to nominate and select open-source projects they care about, providing direct support. MORE

  5. Refer is a Ruby on Rails gem that adds models to track referrals and referral codes, enabling referral system integration in your application. MORE

🔑 Visit

  1. Sofa is an app that allows you to be more intentional with your downtime. Create lists of things to watch, read, play, listen to, and more. MORE

  2. A great conversation requires active listening, finding common ground, and avoiding common pitfalls like dominating the talk. MORE

  3. Solopreneurs share one essential tool they cannot live without. MORE

Enjoy the newsletter? Please forward to a pal. It only takes 16 seconds. Making this one took 16 hours.

Until next week, take care of yourself and each other,

— Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.