🐝 Hive Five 116 - Creating with Git, CodeQL zero to hero, and Websocket are a pain
Hi friends,
Greetings from the hive!
Happy Easter to those who celebrate. I hope you had a good weekend.
I found out that you can use Apple Shortcuts to create automation for when your battery runs low. Pretty cool!
What have you automated lately?
Let’s take this week by swarm!
🐝 The Bee’s Knees
Creating with Git: Launch to success - a free course on Git fundamentals offered through The Taggart Institute. more
CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research. Static analysis (static code analysis or static program analysis) is a process that lets you analyze an application’s code for potential errors without executing the code itself. The technique can be used to perform checks and verification and to highlight issues in the code. more
Rule Writing for CodeQL and Semgrep. One common perception is that it is easier to write rules for Semgrep than CodeQL. Spaceraccoon shares his thoughts. more
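The two posts above both rest on the same idea: reason about a program representation (CodeQL's database, Semgrep's pattern AST) instead of running the code, and report where attacker-controlled data reaches a dangerous call. The following is an added example, not code from either post or from GitHub or Semgrep: a deliberately small taint tracker over Python's `ast` module. The source, sink and sanitizer names are assumptions chosen for illustration, and `VULNERABLE` is a constructed sample program, not code from any real project.

```python
"""
Toy intraprocedural taint analysis with Python's ast module (added example).

Tracks data from an attacker-controlled SOURCE call, through assignments and
string building, into a SINK call, treating SANITIZERS as barriers. It never
executes the analyzed code; it only walks the syntax tree.
"""
import ast
from dataclasses import dataclass

# Assumed source/sink/sanitizer model (dotted call names), chosen for illustration.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote"}


@dataclass(frozen=True)
class Finding:
    sink: str   # sink call that received tainted data
    line: int   # line of the sink call in the analyzed source
    via: str    # tainted variable name, or "<expr>" for an inline flow


def qualified_name(node: ast.AST) -> str:
    """Render `a.b.c` call targets as a dotted string; anything else -> ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: set[str] = set()      # variables currently holding tainted data
        self.findings: list[Finding] = []

    def is_tainted(self, node: ast.AST) -> bool:
        """True if the expression contains a source call or a tainted variable,
        unless it is wrapped in a sanitizer call (a barrier)."""
        if isinstance(node, ast.Call):
            name = qualified_name(node.func)
            if name in SANITIZERS:
                return False
            if name in SOURCES:
                return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                # Propagate taint on assignment; a clean reassignment clears it.
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = qualified_name(node.func)
        if name in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    via = arg.id if isinstance(arg, ast.Name) else "<expr>"
                    self.findings.append(Finding(name, node.lineno, via))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Parse `source` and return every source-to-sink flow found."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample program for the analyzer (not real project code).
VULNERABLE = '''
import os, shlex
from flask import request

def run(cursor):
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)
    safe = "uptime"
    os.system(safe)
    cursor.execute("SELECT 1 FROM hosts WHERE name = '%s'" % host)
    clean = shlex.quote(host)
    os.system("ls " + clean)
    os.system(input())
'''

if __name__ == "__main__":
    for f in analyze(VULNERABLE):
        print(f"line {f.line}: tainted data reaches {f.sink} via {f.via}")
```

Running it reports the command injection on line 8, the string-formatted SQL on line 11 and the direct `input()` flow on line 14, while the constant argument on line 10 and the `shlex.quote` barrier on line 13 stay quiet. Real tools add what this toy omits (interprocedural flow, aliasing, path sensitivity, a far richer source/sink library), which is exactly the part the CodeQL and Semgrep rule-writing discussion is about.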
WebSockets are a Pain: A Journey in Learning and Leveraging. more
InsiderPhD’s Hacking Setup and How to Use It (Firefox/Burp Community). This is probably one of the most common question she gets asked about Bug Bounty, right next to “do you take mentors” and “how to find a bug”. more
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
Octavian implemented a cool Axiom feature for DigitalOcean users: round-robin region distribution with automatic image transfers. more
Corben is starting a mattress company. more
s0md3v/uro 1.0.0-beta declutters URL lists for crawling/pentesting. more
JSpector 2.4.6 is a simple Burp Suite extension that crawls JavaScript (JS) files in passive mode and reports the results directly in Burp’s Issues tab. more
📅 Events
BSides Nashville 2023: Saturday, April 15 (8am - 5pm CDT). more
🎉 Celebrate
💰 Career
AppSec co-op student and intern hiring thread. more
Matt is looking for a Sr. Security Engineer. You would be working on their detections, threat hunting, automation, SIEM/SOAR, etc. more
Resume tip for 2023: use a word cloud to identify most-used words. more
Actionable advice on what to do when you get laid off from a high-paying job and you used all of your money as a down payment for a home. more
⚡️ Community
Jason is bringing his big bag of stickers for BSidesSF and RSA. more
Corben was able to edit the website of a company with over 50M+ customers. more
Jason is looking for a better bookmarking and read it later workflow. I personally use Pocket and consume it in the CLI using its API. more
Soatok has written a lot on their blog over the past three years. They want you to keep in mind that they’re just some guy that does it for fun. more
📰 Read
Full Account Takeover on unibet[.]com due to crossdomain.xml and AkamaiPlayer loaderContext. more
69 Ways to F*** Up Your Deploy. We hear about all the ways to make your deploys so glorious that your pipelines poop rainbows and services saunter off into the sunset together. But what we don’t see as much is folklore of how to make your deploys suffer. more
Privilege escalation in AWS Elastic Kubernetes Service (EKS). The team at Calif Inc recently encountered an interesting scenario where they were trying to escalate privileges from a compromised pod in AWS Elastic Kubernetes Service (EKS) and struggled with NodeRestriction, a security mechanism enabled by default on all EKS versions. more
Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server. Pentaho Business Analytics Server is a business intelligence and data analytics platform written in Java. It’s used across a wide range of industries, including education, government and healthcare. more
How to Bring Down a Kubernetes Control Plane with a Single YAML. Kubernetes is a popular container orchestration platform used by developers to manage large-scale applications. more
🙏 Support
Enjoy reading the Hive Five? You can treat me to a coffee! You can also share the newsletter with your friends.
📚 Resources
THC’s favourite tips, tricks & hacks (Cheat Sheet). more
dair-ai/Prompt-Engineering-Guide contains guides, papers, lectures, notebooks and resources for prompt engineering. more
google/fuzzing contains tutorials, examples, discussions, research proposals, and other resources related to fuzzing. more
A huge list of OSINT resources. more
InfoSecMap maps out the best InfoSec events & groups. more
🎥 Watch
Broken Access Control - Lab #11 Insecure direct object references. more
HackTheBox - BroScience walkthrough. Featuring nmap, vulnerable-looking parameters, and more. more
We Hack Purple Streams: Digital Self-Defence Post-Roe World, with guest Abigail Dubiniecki. Covid lockdowns ushered in a rapid digital transformation as our lives moved online, and with it came a growing awareness of and unease with the copious amounts of personal data being captured, traded and re-purposed. more
HackerOne Hacker Interviews: Miguel (Fisher). Hear from Miguel on his experience at HackerOne’s live hacking event in Barcelona H1-3439. more
Cloud Hacking: Web3.0 Approach. more
🎵 Listen
Jack is back! Darknet Diaries Ep. 132: Sam the Vendor - Sam Bent, a.k.a. DoingFedTime. A story of Sam’s time making connections and money running drugs on darknet markets. more
Critical Thinking - Bug Bounty Podcast Episode 14: Mobile Hacking Dynamic Analysis w/ Frida + Random Hacker Stuff. They talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. more
Day[0] Bug Bounty Podcast 201 - Bamboozling Bing and a Curl Gotcha. A curl quirk that is useful to be aware of, an Azure Pipelines vulnerability abusing attacker-controlled logging, and more. more
Path to Citus Con: Working in public - The topic was “Working in public on open source”, and Citus developer (and pg_cron creator) Marco Slot and I were interviewed by Claire Giordano and Pino de Candia. The full hour-long audio conversation is now available on YouTube. more
Securing Containers, First Steps in Docker and Kubernetes. Bret goes through his top recommendations for securing container images, Docker containers and Kubernetes pods. more
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.